topic Re: Splunk Newbie in Getting Data In

Splunk Newbie

MichaelBernas — Wed, 10 Jul 2013 16:13:22 GMT

I am far from being an advanced user of splunk and as a result have a question that I would imagine would be quite simple. What we have used Splunk for up to now, is to dump some of our HP Blade components logs into a syslog server so that we can generate alerts if something happens.

Now, I have other logs that I would like to send into splunk, however I want to separate my HP component logs from these new logs. Is this possible?

I would also like to grant access to a specific group of users to see these new logs....but I don't want them to see anything else (The HP Blade logs).

Thanks!

Re: Splunk Newbie

Damien_Dallimor — Wed, 10 Jul 2013 16:27:20 GMT

Put the HP logs and the new logs in their own Splunk Indexes

Then use role based permissions to determine which roles have visibility of those indexes.

Then assign users to the appropriate role.

Re: Splunk Newbie

MichaelBernas — Wed, 10 Jul 2013 18:58:51 GMT

Thanks for the quick response!!

So I have all this now. For the role, I copied the basic user role, however gave it access to search the new index that I created.

Another dumb question...I just want to verify that I need to create a separate data input using a different port for these logs and make sure that it is set to the index that I created...is that correct?

Thanks!!

Re: Splunk Newbie

Damien_Dallimor — Wed, 10 Jul 2013 19:05:28 GMT

For a "newbie" it will be simplest to setup a seperate data input for each source.
However it is also possible to use the same data input and dynamically set the index based on the content or source, host etc... of the incoming data (using props.conf and transforms.conf)