Using SPL2 for role-based access on indexed data
You are a Splunk platform admin in control of an index that contains information needed by different people across your organization. However, the index also contains personally identifiable information (PII) and company-sensitive information that isn't appropriate for all audiences. You have the following challenges:
- Enforcing role-specific data access rules is difficult.
- Double-indexing data to create indexes tailored for different departments and their data needs is problematic.
  - It drastically increases data volume and related costs.
  - It is not scalable if you need to manage hundreds of indexes.
- Role-based field filtering doesn't always work when users have multiple roles.
You want to learn how using SPL2 can enable you to give the right data to the departments that need it, while reducing the risk of exposing sensitive information.
How to use Splunk software for this use case
SPL2 is an evolution of SPL, not a completely new search language. It is available in Splunk Cloud Platform 10.2.0.2511 and higher and Splunk Enterprise 10.2 or higher for *nix operating systems.
There are some versions of Linux that are not supported in version 10.2. See the SPL2 Known issues for a list of these versions.
Switching to SPL2 requires minimal or no rewriting of the SPL queries you have already created. It is as performant as SPL and uses minimal additional processing power. SPL2 has the following characteristics:
- More expressive
- Multi-modal (SPL and SQL-like syntax)
- Standardized
- Unified across all Splunk products
How can SPL2 help?
SPL2 views let you give other people or groups permission to see specific components of the data you can access in an index, without giving them access to the whole index. They work in the following ways:
- Views use attributes that change the behavior of a module. For example, with @run_as_owner, you can allow a non-admin user to see the same view of the data that you have, rather than only seeing what their direct permissions allow.
- Within a view, you can filter and mask certain fields in a data set, further limiting what the viewer can access.
- Permissions on the module further ensure that viewers cannot change the information in your main index.
- Viewers import the module and can then run searches on the data they have access to through the view.
Watch the following demo to see how SPL2 can improve role-based access to data through views and permissions.
Additional resources
Now that you have an introduction to some of the powerful features of SPL2, watch the full .Conf25 talk, A deep dive into SPL2: How does it actually compare to SPL?. In the talk, you'll learn about additional features and listen to questions and answers from the live audience.
- Splunk Help: What is SPL2?
- Splunk Help: SPL2 Search Reference Introduction
- Splunk Help: SPL2 views
- Splunk Help: Module permissions

