How to receive and mask data from multiple TA for UNIX app?

varad_joshi
Communicator

I would like to know the best practices to mask the data in a particular scenario.

I have 2 applications hosted on 2 different Linux servers which are sending logs to Splunk. Both the application owners also want to send their server related logs to Splunk so we decided to install TA for UNIX on the application servers.

Both the TA for UNIX are not sending information to Splunk and logs are being viewed in Splunk app for UNIX on SH.

What is the best way to mask server1's information to be viewed by users of server2?

Usually we restrict users on app and index level; however, it is just one app (Splunk app for UNIX), so I was wondering about different ways to mask.

0 Karma

teekayx
Path Finder

If you don't have the option to use a separate index for each of these servers, then you can

  • assign source/host/sourcetype values differently for each server's data inputs
  • define 2 new user roles (preferably inheriting the default user role) and use the 'Restrict search terms' option to limit each role's capability to search only the particular server's data, respectively. Example: "host=server1"

Hope this helps.

0 Karma
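
The two roles described in the answer above, written as authorize.conf stanzas (an added example, not part of the original post). The role names are hypothetical and the `os` index is an assumption about where the add-on data lands; `srchFilter` is the authorize.conf setting behind the 'Restrict search terms' option.

```ini
# authorize.conf on the search head (added example; role names are hypothetical)

# Users who may only see server1's events
[role_unix_server1_users]
# Inherit the default user role, as the answer suggests
importRoles = user
# Equivalent of 'Restrict search terms': appended to every search run by this role
srchFilter = host=server1
# Assumption: both servers' add-on data is written to a shared index named "os"
srchIndexesAllowed = os
srchIndexesDefault = os

# Users who may only see server2's events
[role_unix_server2_users]
importRoles = user
srchFilter = host=server2
srchIndexesAllowed = os
srchIndexesDefault = os
```

After assigning the roles, log in with a test account from each role and confirm that a search such as `index=os | stats count by host` returns only that role's host.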

aaraneta_splunk
Splunk Employee

@varad_joshi - Your reference to the add-on/apps is unclear. Can you please confirm which add-ons or apps you are referring to in Splunkbase?

Splunk App for Unix and Linux, Splunk Add-on for Unix and Linux, or both? I just want to be sure your post is tagged properly for greater visibility. Thank you.

0 Karma