We want to restrict certain usergroups possibility to search in Splunk based on a dynamic parameter
For instance
Merchant group A should have this search restriction: index=business-events merchantid=1
Merchant group B should have this search restriction: index=business-events merchantid=2
Could this be done using this search restriction: index=business-events merchantid={currentuser.merchantid}
Could this be done through a database lookup?
If you map these groups to Splunk Roles, then yes.
For the index part of the restriction, I would look on the roles page under "Indexes searched by default" and "Indexes" (the difference is subtle but very important). Choose which of the two you'd like to use. Possibly the answer is both. And set for both Role A and B, that they are one way or another restricted to index=business-events.
Then, for the merchantid search restriction, you can just use the "Restrict search terms" field in the role page.
eg for role A, you can set merchantid=1 under "Restrict search terms", and for role B set merchantid=2
http://docs.splunk.com/Documentation/Splunk/5.0.3/Security/Addandeditroles
At this time I'm fairly certain you can't do it this way. However, you ought to submit a feature request for this.
You can mention this on Manager » Access controls » Roles » RoleName. Assign the roles to relevant user groups and specify the index. Thanks
I highly doubt that... as a different thought, move the index restriction to the visible indexes part of the role, much better that way.