As the answer provided by kml_uvce is the best solution in terms of security, I'm thinking of an alternative solution. It's considerably less secure and I wouldn't recommend it; I'm just trying to give you more choices.
If you don't want to force the user to log out and log in again in order to change the app, you can mask the real index name with an automatic lookup as explained in http://answers.splunk.com/answers/42071/any-way-to-create-an-alternate-name-or-alias-for-an-index.html. As lookups can be isolated to an app, if the user doesn't know the real index name, they will not be able to search it outside the app where the lookup is applied. You should also keep the indexes out of "indexes searched by default" in the role/user config to avoid them appearing in the search statistics.