Dashboards & Visualizations

Restricting Roles with Lookups and Limited Dashboards.

alexantao
Path Finder

Hi,
I have a proxy that serves several clients. All logs go to Splunk and are processed into a single index. Most of my clients have more than one IP range, so I cannot split the clients into separate indexes. I configured a lookup to map those IP ranges to the name of the client.

Now, I want to make a dashboard with several pieces of information for specific clients, so they will log in to Splunk and see that information, but they cannot see other clients' information nor run other searches.
I've been looking for an answer and tried a lot of solutions, but nothing worked perfectly.

I've tried to use the Search Restrictions of the role, putting client_name=CLIENT1, but I think it does not work when the client_name field is a lookup (automatic or not), because when I set that, log in with that user and go to PIVOT, nothing matches for that user.

So, how can I prevent any information of other clients from being searched, and how can I make a dashboard be shown when that client logs in?

My Splunk version is 6.0.

Thanks for any help!

0 Karma

alexantao
Path Finder

Ok, I've done that! Thanks!
Now, I have to decide whether to make an App for each client or several dashboards on a single App. To show a dashboard directly to the user I'll have to make one App for each, unless there's a way to configure a dynamic view.

But the principal problem here is that I've restricted the user and configured panels with some reports. Now I'm getting a "Warning: saved search not found: XXXXXXX" in the panel. With an admin user it does not happen.

I was also getting an error:
In handler 'savedsearch': Error in 'PivotProcessor': In handler 'xxxxx'

But it seems to have resolved itself.

0 Karma

alacercogitatus
SplunkTrust

The dashboard can be as simple as creating an App, and denying the roles required to a single App. Once that is done, I'd create Dashboards under this "restricted app" that only each client can view based on role. This will effectively limit what data is being presented to each client. For example:

Client A has a restricted role "clienta_role" limiting search to "(index=myindex gravity=0.49)"
Allow "clienta_role" read access in the "Restricted App".
Allow "clienta_role" Read/write to "Client A Stats" Dashboard. No other roles except admin should be added to the role or dashboard.
Set the default App for Client A as "Restricted App".

alacercogitatus
SplunkTrust

Make sure the permissions on your searches and reports match those of the Dashboard.
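
The role, app, dashboard and report permissions described in the two replies above, written out as Splunk configuration stanzas. This is an added example, not part of the original posts: the app name `restricted_app`, the view `client_a_stats`, the report `client_a_top_sites` and the user `clienta_user` are hypothetical, and the search filter is the placeholder used in the reply.

```ini
# --- $SPLUNK_HOME/etc/system/local/authorize.conf ---
# Restricted role for Client A. No importRoles line, so nothing is inherited
# from other roles. srchFilter restricts every search this role runs.
[role_clienta_role]
srchIndexesAllowed = myindex
srchIndexesDefault = myindex
srchFilter = (index=myindex gravity=0.49)

# --- $SPLUNK_HOME/etc/apps/restricted_app/metadata/local.meta ---
# App level: only admin and clienta_role can read objects in this app.
[]
access = read : [ admin, clienta_role ], write : [ admin ]

# The "Client A Stats" dashboard (hypothetical view name): read/write for
# the client role, as in the reply; no other client role is listed.
[views/client_a_stats]
access = read : [ admin, clienta_role ], write : [ admin, clienta_role ]

# Report used by a dashboard panel (hypothetical name). Its readers must
# match the dashboard's readers; a panel whose report the restricted role
# cannot read is the case the "saved search not found" reply addresses.
[savedsearches/client_a_top_sites]
access = read : [ admin, clienta_role ], write : [ admin ]

# --- $SPLUNK_HOME/etc/users/clienta_user/user-prefs/local/user-prefs.conf ---
# Land the client's user in the restricted app at login.
[general]
default_namespace = restricted_app
```

To check the result, log in as the restricted user and confirm that a search outside the filter returns nothing and that every panel on the dashboard loads without a warning.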

somesoni2
Revered Legend

Do you provide information to client using just the dashboards or do they have access to Splunk's default search app as well?

0 Karma