How to restrict searchable data on a per-user basis
- Release date: 2015-05-07
- Last updated: 2024-03-04
- Version: Splunk Enterprise 9.0.3
If you want to control which data each user can search, you can do so with the role function.
When you specify a string in the role settings, that string is always applied to the search queries of users who belong to the role.
For example, if you want a role to access only web access data, specify `sourcetype=webaccess`, and searches will always cover only web access data.
[Procedure for setting search restrictions per role]
1. In Splunk Web, select "Settings" > "Roles".
2. Click "New Role".
3. Enter the role name.
4. In the "4. Restrictions" tab, enter the string you want to apply to searches in the "Search Filter" field.
   For example, if you specify "GET", only events that contain the string "GET" are displayed as search results.
   If you do not want to display events that match a specific string, write the filter as follows:
   `NOT (clientip=233.77.49.50 OR clientip=192.1.2.35)`
5. Select the permissions you want to grant to the role you are creating from either "1. Inheritance" or "2. Permissions".
   *Unless there is a specific reason otherwise, we recommend selecting "user" in "1. Inheritance".
6. Press "Save".
7. Select "Settings" > "Users".
8. Click "New User".
9. Enter the user name.
10. Specify the role you created in step 6 in the "Selected Items" section of the role assignment.
11. Set a password and save.
Users created with the above settings see only events that contain the string specified in "Search Filter" when they run a search.
*If NOT is specified, only events that match that string are hidden.
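
An added example (not from the original page or from Splunk): a Python check that reads role definitions and lists each role's own search filter, the filters set on roles it inherits from, and the roles that have no filter of their own. It assumes roles are stored in `authorize.conf` as `[role_<name>]` stanzas with `srchFilter` and semicolon-separated `importRoles` settings, which this page does not show; the sample configuration and role names are constructed.

```python
import configparser

# Constructed authorize.conf content; role names are hypothetical.
SAMPLE_CONF = """\
[role_user]
[role_webaccess_only]
importRoles = user
srchFilter = sourcetype=webaccess
[role_hide_clients]
importRoles = user
srchFilter = NOT (clientip=233.77.49.50 OR clientip=192.1.2.35)
[role_contractor]
importRoles = user;webaccess_only
"""

def load_roles(conf_text):
    """Parse [role_<name>] stanzas (assumed authorize.conf layout) into a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep camelCase setting names as written
    cp.read_string(conf_text)
    roles = {}
    for section in (s for s in cp.sections() if s.startswith("role_")):
        raw = cp.get(section, "importRoles", fallback="")
        roles[section[len("role_"):]] = {
            "filter": cp.get(section, "srchFilter", fallback="").strip() or None,
            "imports": [r.strip() for r in raw.split(";") if r.strip()],
        }
    return roles

def inherited_filters(roles, name, seen=None):
    """Collect filters set on roles that `name` imports, directly or transitively."""
    seen = set() if seen is None else seen
    found = {}
    for parent in roles.get(name, {}).get("imports", []):
        if parent in seen or parent not in roles:
            continue  # skip import cycles and undefined roles
        seen.add(parent)
        if roles[parent]["filter"]:
            found[parent] = roles[parent]["filter"]
        found.update(inherited_filters(roles, parent, seen))
    return found

def audit(conf_text):
    """Return ({role: (own_filter, inherited)}, roles with no filter of their own)."""
    roles = load_roles(conf_text)
    report = {n: (r["filter"], inherited_filters(roles, n)) for n, r in roles.items()}
    return report, sorted(n for n, r in roles.items() if r["filter"] is None)

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

A role such as the constructed `contractor` shows up in the second list: it was created without a "Search Filter" of its own, so any restriction it has comes only from the roles selected under "1. Inheritance".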