Solved: Restricting access to an index

rmorlen · ‎06-10-2014

I am trying to restrict access for a specific access. (Splunk 5.05) In the case below I don't want the power users to have access to indexes security1 or security2. This doesn't seem to work.
Any suggestions?

In Authorize.conf:

[role_power]

list_httpauths = enabled

rtsearch = enabled

rtSrchJobsQuota = 5

schedule_search = enabled

srchDiskQuota = 3000

srchIndexesAllowed = *;_*

srchIndexesDefault = *

srchFilter = index!=security1;security2

srchJobsQuota = 30

rmorlen · ‎06-12-2014

This worked:

srchFilter = index!=security1 index!=security2

View solution in original post

rmorlen · ‎06-12-2014

This worked:

srchFilter = index!=security1 index!=security2

Ayn · ‎06-10-2014

"srchFilter" is a semi-colon delimited list of search filters for a role. In your case you have two search filters: "index!=security" and "security2". These are search terms that will be added to all searches for this role automatically. I suspect you don't want "security2" as a search filter. Perhaps you're looking for something like this?

srchFilter = index!=security1;index!=security2

rmorlen · ‎06-11-2014

Sorry. It didn't work. Users received the message:
"Error in 'search' command: Unable to parse the search: Comparator '!=' has an invalid term on the left hand side."

rmorlen · ‎06-10-2014

Thanks. I will give this a try.

Restricting access to an index

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!