Our organization has several departments. Each department maintains their own Windows/Unix servers. Forwarders (mixture of universal/heavy) are installed on each server. We have a single Splunk instance (indexer and search head to same machine). We have a requirement that each department should only see data generated by their equipment. We would like to use the Splunk Windows and Linux apps. We have been restricting access by index but these apps use index=os by default.
What is the best approach for deploying the apps while restricting access to the data per department?