Security and privileges in Splunk


I have a setup where:

  1. I have an index called "mobile" that stores mobile event data
  2. The index is fed with mobile events from various customers who use our mobile app
  3. The mobile events come with a default attribute that helps identify the client (e.g. an attribute called client_id: 1 for client A, 2 for client B, etc.)
  4. I have a few dashboards (each with 5~6 panels presenting various charts and tables of business data)

My needs

  1. I want to expose the Splunk environment to these clients
  2. However, I don't want client A's users to be able to search client B's data upon logging in
  3. Also, when users of client A log in, the dashboards should present the data pertaining to client A only (filtering client B's data out of the reports). Thus, I can reuse the dashboards and reports

A couple of options I have thought of:

  1. Have a separate Splunk installation/environment for each client so that the index name "mobile" (and hence the associated dashboards and reports) can be reused. This has the additional cost of hardware and a copy (thus maintenance) of the application code, but it is the easiest option.

  2. Have the same environment, but create separate indexes for each client: mobile_client_A, mobile_client_B. This probably saves on hardware, but requires a lot of work and maintenance on the application code (dashboards and reports). I also do NOT know if it is possible (and how) to tie users to indexes.

I need some pointers on the above and also any other option that you can share.

Any pointers would be greatly appreciated.




The best way would be to have separate indexes per client. Create a Splunk role for each client and set its index visibility accordingly, and make sure the roles don't inherit the "all non-internal indexes" setting from the default user role.

Have your dashboards load data for index=client_*. That way each user will load all the client indexes they can read, which is only the one you set in their role. No huge work on the dashboard/report code is necessary.

Separate environments will work as well, but they are a lot of effort if you don't need the additional hardware for indexing/search volume anyway.
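As an added example (not code from the original thread), here is the per-client index setup the answer above describes, written as authorize.conf stanzas. The role names client_base, client_a and client_b and the index names mobile_client_a and mobile_client_b are assumptions for illustration; substitute your own.

```ini
# authorize.conf, e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/authorize.conf
# Added example, not from the original thread. Role and index names are assumed.

# Base role shared by all client roles. It deliberately does NOT import the
# built-in "user" role: "user" ships with srchIndexesAllowed = * (every
# non-internal index), and srchIndexesAllowed is unioned across imported
# roles, so importing "user" would silently re-grant every client's data.
[role_client_base]
search = enabled

# One role per client, each allowed to read exactly one index.
# importRoles takes the role name without the "role_" stanza prefix.
[role_client_a]
importRoles = client_base
srchIndexesAllowed = mobile_client_a
srchIndexesDefault = mobile_client_a

[role_client_b]
importRoles = client_base
srchIndexesAllowed = mobile_client_b
srchIndexesDefault = mobile_client_b
```

Assign each client user only their own client role, and keep a single base search such as index=mobile_client_* in the dashboards; Splunk drops the indexes the role cannot read before the search runs, so client A's users only ever get events from mobile_client_a. A quick check after logging in as a client_a user: `| eventcount summarize=false index=mobile_client_*` should list only mobile_client_a. The base role grants only the search capability; add whatever further capabilities your dashboards need to that role rather than importing user, for the reason in the comment.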

Splunk Employee

One other way you can consider (but which is not completely secure: a clever user with the right access could get around it) is to use the role filters. Set up a role for each client X, then set the filter client_id=X on each of those roles.

Separate indexes will be more secure, but role filters will work similarly in most cases.

0 Karma
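The role-filter variant from the answer above, as an added example that is not part of the original thread. It keeps the single shared "mobile" index from the question and restricts each client role with srchFilter instead of index visibility; the role names and the client_id values 1 and 2 are assumptions.

```ini
# authorize.conf -- added example, not from the original thread; role names assumed.
# Variant using role search filters on one shared "mobile" index.

# Base role: can read the shared index. Again it does not import "user",
# so no role in this chain ever sees more than the "mobile" index.
[role_client_base]
search = enabled
srchIndexesAllowed = mobile
srchIndexesDefault = mobile

# Per-client roles. Splunk ANDs the srchFilter into every search a member
# runs, so a client_a user searching "index=mobile" effectively runs
# "index=mobile client_id=1". The data is still physically readable by the
# role, so this only holds as long as the filter is never bypassed, which is
# the weakness the answer above points out.
[role_client_a]
importRoles = client_base
srchFilter = client_id=1

[role_client_b]
importRoles = client_base
srchFilter = client_id=2
```

Two caveats worth checking in your own deployment: when a user holds several roles, or a role imports others, their srchFilter values are combined with OR by default (controlled by srchFilterSelecting), so a client user must never be given a second role with a broader or empty filter; and because the filter works on the client_id field, any events that arrive without that field, or with a spoofed value, are classified by that value alone. Separate indexes, as in the first answer, do not have either problem.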