I have a subset of users who should only be able to view data injected by themselves. To know the event in Splunk was injected by a particular user, we have a required data field called "user". There are too many users to create an index per user, so my initial thought was to create a Role and use the "Restrict Search Term" field to limit their visibility. I'm able to use the following REST call to determine the username of the current user:
| rest /services/authentication/current-context | table username | rename username as user
When adding this directly to a search query, the results are exactly as I'd expect. Only events with user = <my_username> are returned. Yet, when I add this to the Role's Restrict Search Term, no results are returned. Using the job inspector, I'm able to see a slightly different formatting of the search query, but I don't understand exactly what it means or how to modify it to get the expected results.
Search Query (no Role): index="proj1" [ | rest /services/authentication/current-context | table username | rename username as user ]
Normalized/Remote Search (search job properties):
litsearch index="proj1" ( ( "user"="ddurio" ) ) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
Role Restrict Search Term: [| rest /services/authentication/current-context | table username | rename username as user]
Search Query (with Role Restrict Search Term): index="proj1"
Normalized/Remote Search:
litsearch ( index="proj1" ) ( ( [ | rest /services/authentication/current-context | table username | rename username as user] ) ) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
I get no errors/warnings but I also get no results. Any suggestions on how to make this work? Thanks!