I'm hoping to create apps for each of our departments that only allow them to search specific data from splunk. This Document covers how to limit users to a specific app or apps, however, in that app how do I limit what data they can search on. We dump all of our event log data to the same index, so in a perfect world, these would not be per-index limits, but rather masked search terms that prefix their searches.
In that case you'd probably want to create several roles for the various departments. When you create a role you can have search limitations prepended for that role. Look in Manager > Access Controls > Roles. You can then assign users to that role.
In that case you'd probably want to create several roles for the various departments. When you create a role you can have search limitations prepended for that role. Look in Manager > Access Controls > Roles. You can then assign users to that role.
Can you please tell me how to access the Manager > access controls > roles?
This is exactly what i was looking for. Thank you.