Security

Can _raw be hidden for specific user roles or an app?

sc0tt
Builder

I created a user role that restricts search capabilities to certain sources, but there are fields I would like to hide from the user and exclude the _raw data. Is there a way to do this?

Edit: I've expanded this question and I may have found a partial solution, but I'm unable to restrict a user from searching data that I don't want them to.

Example event:

source=my_source user_id=123456 user_secret=99999999 login_status=successful 

I restricted the search terms of the user role to source="my_source" user_id=123*. In addition, I created calculated fields for user_secret and _raw and set the eval expression to null(). This restricts the user to see only events in my_source where the user_id starts with 123 and hides the fields user_secret and _raw, but it doesn't prevent the user from being able to search data that they are not privy to.

For example, this search

source=my_source 99999999 | table user_id login_status user_secret _raw

will return

user_id    login_status    user_secret    _raw
123456     successful      (null)         (null)

Even though I've restricted the search and hidden fields, a user would still be able to deduce that the secret for user 123456 is 99999999.

Am I missing something? Is there a way to limit which data/fields a user can search? Another possible solution is to create a separate index but that doesn't seem very efficient to me since data would be duplicated.

This is somewhat related to a separate question I asked, "Can users be restricted to only search data models?". I think this may be a viable solution as well.

0 Karma

MichaelPriest
Communicator
0 Karma

sc0tt
Builder

Thanks. I've already restricted the search in the user roles. However, the user is still able to see the raw event data which includes data I do not want them to see. For example: the search restriction is: source="my_source" user_id=123*. This will only allow the user to search events in my_source where user_id starts with 123. However, there are additional fields in the event data such as user_secret which I don't want to be visible to the user.

0 Karma

MichaelPriest
Communicator

So you want to hide some fields which are within the _raw data?

0 Karma

sc0tt
Builder

Yes or hide the _raw data completely. Ideally, I only want a user to see data that I allow them to see.

0 Karma

aweitzman
Motivator

I don't think Splunk permissions can function at that level.

Your best solution here might be to take your "complete" input, parse it into only the allowed fields, and output that into a different index. Then you can restrict those users to that new index, and they won't be exposed to any data they shouldn't see.

0 Karma
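The leak sc0tt observed and the separate-index approach aweitzman suggests can both be shown with a small in-memory model. The following Python is an added illustration, not Splunk code from this thread or from Splunk: it assumes a role search filter of source="my_source" user_id=123*, calculated fields that null user_secret and _raw at display time, and a free-text search term that is matched against the indexed event text before those fields are nulled. The sample events are constructed; only the first mirrors the thread's example.

```python
"""Model of field hiding vs. a redacted index for a restricted Splunk role.

Added illustration, not Splunk's own behaviour or code: a tiny in-memory
simulation of how a role search filter, calculated fields set to null(),
and a free-text search term interact.
"""
from typing import Dict, List, Optional

# Constructed sample events; only the first mirrors the thread's example.
RAW_EVENTS = [
    "source=my_source user_id=123456 user_secret=99999999 login_status=successful",
    "source=my_source user_id=123789 user_secret=11111111 login_status=failed",
    "source=my_source user_id=555000 user_secret=22222222 login_status=successful",
    "source=other_source user_id=123999 user_secret=33333333 login_status=successful",
]

# Fields the restricted role is allowed to see (assumed for this example).
ALLOWED_FIELDS = ("source", "user_id", "login_status")
# Fields the poster nulled out with calculated fields (eval null()).
HIDDEN_FIELDS = {"user_secret", "_raw"}


def parse_event(raw: str) -> Dict[str, Optional[str]]:
    """Extract key=value pairs and keep the original text as _raw."""
    fields: Dict[str, Optional[str]] = dict(kv.split("=", 1) for kv in raw.split())
    fields["_raw"] = raw
    return fields


def role_filter(event: Dict[str, Optional[str]]) -> bool:
    """Model of the role's search restriction: source="my_source" user_id=123*."""
    return event.get("source") == "my_source" and (event.get("user_id") or "").startswith("123")


def search_with_hiding(term: str) -> List[Dict[str, Optional[str]]]:
    """Original setup: the term is matched against the full indexed event
    text, and only afterwards are user_secret and _raw nulled for display.
    A search for the secret therefore still returns the matching user_id."""
    results = []
    for raw in RAW_EVENTS:
        event = parse_event(raw)
        if not role_filter(event):
            continue
        if term not in raw:  # free-text match runs over the complete event
            continue
        results.append({k: (None if k in HIDDEN_FIELDS else v) for k, v in event.items()})
    return results


def build_redacted_index() -> List[str]:
    """aweitzman's suggestion: parse the complete input, keep only the
    allowed fields, and write that as the event text of a separate index."""
    redacted = []
    for raw in RAW_EVENTS:
        event = parse_event(raw)
        redacted.append(" ".join(f"{k}={event[k]}" for k in ALLOWED_FIELDS if k in event))
    return redacted


def search_redacted(term: str) -> List[Dict[str, Optional[str]]]:
    """The same search against the redacted index: the secret was never
    indexed, so a term search for it cannot match any event."""
    results = []
    for raw in build_redacted_index():
        event = parse_event(raw)
        if role_filter(event) and term in raw:
            results.append(event)
    return results


if __name__ == "__main__":
    print("hidden-field search for the secret:", search_with_hiding("99999999"))
    print("redacted-index search for the secret:", search_redacted("99999999"))
```

Running the block shows the difference: with calculated fields, a search for 99999999 still returns the event for user_id 123456 (with user_secret and _raw shown as None), which is exactly the inference the question describes; against the redacted index the same search returns nothing, because the secret no longer exists in any event text the role can reach. The real equivalent is to route a parsed or masked copy of the data to a second index and restrict the role to that index; the cost is the duplicated storage the question already notes.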

sc0tt
Builder

I think you are right. Creating a separate index may be the only way to accomplish this.

0 Karma