All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Guidance for using Splunk Apps while restricting access to data per department

cyndiback
Path Finder
‎10-30-2013 08:00 AM

Looking for best practices/guidance

Our organization has several departments. Each department maintains their own Windows/Unix servers. Forwarders (mixture of universal/heavy) are installed on each server. We have a single Splunk instance (indexer and search head to same machine). We have a requirement that each department should only see data generated by their equipment. We would like to use the Splunk Windows and Linux apps. We have been restricting access by index but these apps use index=os by default.

What is the best approach for deploying the apps while restricting access to the data per department?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gfuente
Motivator
‎10-30-2013 08:06 AM

Hello

You need to segregate the data by index. So you would need to modify all your inputs.conf to include a departament specific index, lets say: index= osdepartment1. But you could keep the sourcetypes

And then in the *nix app or window app, remove all index references from the search strings, so it will retrieve data from all indexes that contain the specified sourcetype.

Then, you only need to give access to users to their respective index, and they will only see the data from their department

Regards

View solution in original post

Reply
Solved! Jump to solution
Solution

gfuente
Motivator
‎10-30-2013 08:06 AM

Hello

You need to segregate the data by index. So you would need to modify all your inputs.conf to include a departament specific index, lets say: index= osdepartment1. But you could keep the sourcetypes

And then in the *nix app or window app, remove all index references from the search strings, so it will retrieve data from all indexes that contain the specified sourcetype.

Then, you only need to give access to users to their respective index, and they will only see the data from their department

Regards

Reply
Get Updates on the Splunk Community!

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

What’s New in Splunk Enterprise 9.4: Tools for Digital ResilienceTune in to What’s New in Splunk Enterprise ...

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...