Using Splunk's Role Based Access controls, you can limit a user to only a few indexes that contain the data they contain. That is considered the best approach for separating data.
https://docs.splunk.com/Documentation/Splunk/7.2.4/Security/Addandeditroles#Add_or_edit_a_role
In this way, you would have a separate role for each tenant, and each tenant's data would go into a separate index.
If the data is all in a single index, you may be able to use search time filters, but this is less preferred.
https://docs.splunk.com/Documentation/Splunk/7.2.4/Security/Addandeditroles#Search_filter_format
... View more