How to restrict User access to search from dashboard?


I have a dashboard which uses internal index and I made it available for role "user". I couldn't get the dashboard running for the "user" role without providing access to that internal index. Hence I provided access to that internal index for the "user" role and dashboard is working fine now.

Now, I want to restrict user not to run search command for that internal index and I provided that index name in "Restrict search terms" field of that role, but still the "user" role can access that internal index via search. Is there any way, I can restrict user from searching that internal index, but want my dashboard to run for that user role?




If I understand your question correctly, you can do what you're looking for.

My assumption is you want to disable searching of _internal on the search page by users of a specific role, but you have a dashboard crafted (that searches _internal) that you would like the users in that same role to be able to view.

The solution lies in the fact that you can configure a savedsearch to be run by the owner of the savedsearch, as opposed to the user running it. In savedsearches.conf:

dispatchAs = [user|owner]
* When the saved search is dispatched via the "saved/searches/{name}/dispatch"
  endpoint, this setting controls, what user that search is dispatched as.
* This setting is only meaningful for shared saved searches.
* When dispatched as user it will be executed as if the requesting user owned
  the search.
* When dispatched as owner it will be executed as if the owner of the search
  dispatched it no matter what user requested it.
* If the 'force_saved_search_dispatch_as_user' attribute, in the limits.conf
  file, is set to true then the dispatchAs attribute is reset to 'user' while
  the saved search is dispatching.
* Defaults to owner.

Then in your dashboard, you view the results of that savedsearch in the SimpleXML thusly:

<search ref="<savedsearch name>"></search>

For additional reference, consult this previous answers post that discusses the difference between running a savedsearch as a search and running it with the ref method shown above.
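As an added illustration of this answer (not part of the original post), here is what the two pieces look like in conf files. The stanza name internal_license_usage, the owner admin, the app path and the search string are assumptions; the settings that matter are dispatchAs = owner in savedsearches.conf, so the search runs with the owner's index permissions, and a read grant for the user role in the app's local.meta, so that role can reference the saved search from a dashboard with <search ref="internal_license_usage"></search>.

```ini
# --- $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf ---
# Assumed example: stanza name, owner and search are illustrative, not from the original post.
[internal_license_usage]
search = index=_internal source=*license* type="Usage" | stats sum(b) AS bytes BY idx
# Run with the permissions of the saved search's owner rather than the requesting user,
# so a role with no access to _internal can still view the results via <search ref="...">.
dispatchAs = owner

# --- $SPLUNK_HOME/etc/apps/<app>/metadata/local.meta ---
# The role must be able to read the saved search, and the search needs an owner
# who does have access to _internal (assumed here to be admin).
[savedsearches/internal_license_usage]
owner = admin
access = read : [ admin, user ], write : [ admin ]
export = system
```

The dashboard panel then uses the reference form shown above. The user role itself keeps whatever index permissions it has; only this saved search is dispatched as its owner, which is what lets the dashboard populate without granting the role _internal.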


Since you can add a search restriction on a role basis (I don't use it), it is wiser to add its own index for every needed department (or group of departments). You'll generate a few more indexes, but on the indexer it won't eat much power.

A summary index is like a normal index, but without its own secstofrozen value.
And it doesn't count towards your license.

A tutorial is here:

But in short, you have a search which will select your needed data and will write it to a summary 😉
E.g. a collection of license data for long-term evaluation:

index=_internal source=*license* type="Usage"
| fields st, idx, h, b, i, _time
| bucket _time span=1m
| stats sum(b) as bytes by h st idx i _time

| lookup sysmgmt_hosts guid as i OUTPUT name as srv

| eval output=split(h,".")
| eval anz=mvcount(output)
| eval h=if(anz > 1,mvindex(output,0),h)
| eval output=split(srv,".")
| eval anz=mvcount(output)
| eval srv=if(anz > 1,mvindex(output,0),srv)

| eval indexer=if(isnull(srv),i,srv)
| eval type="license"

| fields - output, anz, srv, i
| collect index=sysmgmt_summary


Hi @adonio,

My query is: I have several departments' data in a CSV and I want to restrict the data department-wise using a summary index. How do I do this? Can you please explain in detail, as I am new to summary indexing.



Ultra Champion

Short answer: no.
Data security in Splunk is set by index access.
With that being said, there are some ways to go around it. For example, if you want the user to see the dashboard, I can only assume that dashboard has panels that have some sort of reports presented.
So, you can send results to a summary index and now allow the "user role" access to the summary index.
Have the dashboard present the data from the summary index.
Hope it helps.

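As an added example tying together the summary-index approach from the two answers above (not part of either post), these conf stanzas create the summary index, schedule the collecting search, and grant the user role access to the summary index only. The index name sysmgmt_summary and the license search are taken from the earlier answer; the stanza names, the cron schedule, the retention value and the file locations are assumptions.

```ini
# --- indexes.conf: the summary index (retention value is an assumed example) ---
[sysmgmt_summary]
homePath   = $SPLUNK_DB/sysmgmt_summary/db
coldPath   = $SPLUNK_DB/sysmgmt_summary/colddb
thawedPath = $SPLUNK_DB/sysmgmt_summary/thaweddb
frozenTimePeriodInSecs = 31536000

# --- savedsearches.conf: scheduled search that fills the summary (stanza name and schedule assumed) ---
# The scheduler runs this as its owner, who needs access to _internal; end users never run it.
[populate_sysmgmt_summary]
search = index=_internal source=*license* type="Usage" \
| bucket _time span=1m \
| stats sum(b) as bytes by h st idx i _time \
| eval type="license" \
| collect index=sysmgmt_summary
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m

# --- authorize.conf: the role sees only the summary index, not _internal ---
[role_user]
srchIndexesAllowed = sysmgmt_summary
srchIndexesDefault = sysmgmt_summary
```

The dashboard panels then search index=sysmgmt_summary, which the role is allowed to read, while an ad-hoc search against _internal from that role returns nothing because the index is not in srchIndexesAllowed.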