Control index access using Splunk Web

1. Navigate to Settings > Roles.

2. Click the role that the User has been assigned to.

3. Click on "3. Indexes".

4. Control the indexes that particular role has access to, as well as the default search indexes.

Syntax

You can specify different indexes to search in the same way that you specify field names and values. In this case, the field name is index and the field value is the name of a particular index:

index=<indexname>

Specify groups of indexes using wildcards

You can use a wildcard ( * ) to specify groups of indexes. For example, if you want to search both "mail" and "main" indexes, search for:

index=mai*

To match internal indexes using a wildcard, use _* in your search, like this:

index=_*

You can use a wildcard to to match all of the non-internal indexes or all of the internal indexes. But, you can't use a wildcard to match both types of indexes at the same time.

Partition different searches using parentheses

You can also use parentheses to partition different searches to certain indexes. See Example 3 for details.

Note: When you type "index=" into the search bar, typeahead indicates all the indexes that you can search, based on your roles and permissions settings.

Examples

Example 1: Search across all public indexes.

index=*

Example 2: Search across all indexes, public and internal.

index=* OR index=_*

Example 3: Partition different searches to different indexes; in this example, you're searching three different indexes: main, _internal, and mail. You want to see events that match "error" in all three indexes; but also, errors that match "warn" in main or "failed" in mail.

(index=main (error OR warn)) OR (index=_internal error) OR (index=mail (error OR failed))

Example 4: Search across multiple indexes on different distributed Splunk servers.

(splunk_server=local index=main 404 ip=10.0.0.0/16) OR (splunk_server=remote index=mail user=admin)