Skip to main content

Splunk – 8.0 – Restrict SourceTypes for Roles

By October 22, 2019January 7th, 2023No Comments


One issue that gets thrown around alot, is being able to restrict users to specific sourcetypes, in certain indexes.

While- this feature was possible in earlier versions, it was very clumsy, and could be difficult to maintain… and had potential security concerns due to its implementation.

With the release of Splunk 8.0.0– It appears significant improvements have been made to this process, which would make it much more feasible in a production environment.

With a bit of research- the new controls appear to be more optimized, and easier to maintain.

Here is the documentation for the configuration of this new functionality.


  1. These restrictions do not apply to metrics data.
  2. This only applies to filtering by indexed fields


  1. This means you can filter a role to specific sourcetypes / sources within an index, securely.

Lets test!

For my test- I created user “testuser”, with role “user-testuser”

Test 1: Filter out a specific sourcetype for all users, but, allow test-user access

My first task, is to set a restriction on the user’s role to deny access to index=_internal, sourcetype=mongod

NOT (index::_internal AND sourcetype::mongod)

As expected, my test-user can no longer see the mongod sourcetype.

Here is the generated search, pulled from the searchlog

| tstats prestats=t local=f summariesonly=f allow_old_summaries=f chunk_size=10000000 count where ((index=* OR index=_*) (NOT sourcetype::mongod OR NOT index::_internal)) groupby index sourcetype

Something which confuses me about the generated search, is this line: (NOT sourcetype::mongod OR NOT index::_internal). However- it does work as we configured it… oddly.

But- the expanded filtering search looks as expected

( ( ( index=* OR index=_* ) ( NOT sourcetype::mongod OR NOT index::_internal ) ) ) ( ( NOT ( sourcetype::mongod AND index::_internal ) ) )

So- next, lets see if we can override this rule using inheritance. On a hunch- I decided to see how it would appear in a search.

It appears to just append the SPL filters for each role, starting with the highest role first. As a result, it does not look like you will be able to override the SPL filter based on inheritance.


With the new improvements, you can more easily filter out subsets of your data on fields such as source, sourcetype, or other indexed fields. This functionality did exist before, but, a well-crafted search could bypass the filter.

The additional UI features will make it easier to add additional rules to this new feature. While this is not a completely new feature, the subtle improvements are well welcomed.