Hi @Karthikeya,

in Splunk, restrictions on access to data are managed at index level, not at app level. In other words, when you create a role, you should define the indexes that the role can access: e.g. role1 accesses only index1 and role2 only accesses index2, then you can assign a role or both of them to a user depending on your requirements. You can do this in [Settings > Roles > Indexes].

In addition, you can eventually add some restrictions on an index (e.g. on the wineventlog index, a role can access only events with an EventCode IN (4624,4625,4634), while another role can access all the events in the wineventlog index). You can do this in [Settings > Roles > Restrictions].

Ciao.

Giuseppe
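The same setup expressed in `authorize.conf`, as an added example that is not part of the original answer. role1/role2 and index1/index2 follow the post; the role names `winlog_logon_only` and `winlog_full` are hypothetical, and the file location is an assumption about where local settings are kept.

```ini
# authorize.conf (constructed example), e.g. $SPLUNK_HOME/etc/system/local/authorize.conf
# Role names in stanzas are lowercase and prefixed with "role_".

[role_role1]
# role1 can search index1 only
srchIndexesAllowed = index1
srchIndexesDefault = index1

[role_role2]
# role2 can search index2 only
srchIndexesAllowed = index2
srchIndexesDefault = index2

# Hypothetical role: sees only logon/logoff events in wineventlog.
# The filter is written with OR terms and is applied to every search the role runs.
[role_winlog_logon_only]
srchIndexesAllowed = wineventlog
srchIndexesDefault = wineventlog
srchFilter = (EventCode=4624 OR EventCode=4625 OR EventCode=4634)

# Hypothetical role: sees all events in wineventlog (no srchFilter set).
[role_winlog_full]
srchIndexesAllowed = wineventlog
srchIndexesDefault = wineventlog
```

A user assigned both role1 and role2 can search the union of their allowed indexes, so review every role a user holds (including inherited ones) when checking what data is reachable.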