After going through this previously, I believe the comments by @adonio are valid here!

Because of the way Splunk is designed, at least as of version 7.1.x, the index access controls are per-role, there is no method to control access to part of an index or a particular sourcetype within an index.

The srchFilter option allows you to change a query in the search screen of the user, so for example if the search filter is:

index=X OR (index=Y sourcetype=Z)

Then if the user searches for anything that will be added to the search behind the scenes, there are a few issues with search filters in my opinion:

• In older versions of Splunk you could bypass a search filter by using particular types of knowledge objects, I have not tested in newer versions
• If the user is a member of a role with a search filter, then all roles the user is in must include the search filter (see below)
• They make the searches very ugly...ok this probably isn't a major issue but you might care about it if you use the job inspector

For those last two points refer to:
How users inherit search filter restrictions

How users inherit search filter restrictions

You can create roles that inherit the characteristics of other roles. Users assigned to multiple roles inherit properties from the assigned roles.

In the case of search filters, if a user is assigned to roles with different search filters, the filters are all combined and thus the restrictions of each role are applied.

For example, by default, the Power and User roles do not have search filters defined to restrict searches. If a user has a combination of these roles and another role with filters defined (for example, srchFilter=x), the user will inherit the restrictions of that role, despite the association with roles that have no filter. 

For example if I created a role A, and B, role A has access to index X and "srchFilter=index=x sourcetype=Z", role B has no search filter but has access to index Y, I provide a user roles A & B, I then run a search such as:

index=Y test 

This becomes:

litsearch (index=Y test index=X sourcetype=Z) 

Therefore the search will not return results!
To summarise if you use search filters, you will have to use them on every role a user might be added to, they can be bypassed (or at least they could in older versions of Splunk), and the configuration will quickly become ugly!

In terms of solutions I cannot offer any easy options here, as per the suggestions either re-thinking the index strategy, relaxing the access to data within the index, or summary indexes are all valid options...

Good luck, please accept the answer or up-vote if it helps as it does take a lot of effort to write posts like this!

hello there,

i think you are in the right direction using search filters
Role 4, index = 1 OR (index = 2 sourcetype = foo)
read here more:
http://docs.splunk.com/Documentation/Splunk/7.1.1/Security/Addandeditroles#Search_filter_format

hope it helps