This is our issue:
We have two different groups: Datacenter and Backbone. Each has its own Cisco devices, and they are sending their syslog to Splunk. We decided to differentiate the logs like this: Datacenter sends its logs to UDP 514 and Backbone sends its logs to UDP 515. Each group has its own index, and the logs of these groups will reside in different indexes.
Now the problem is the Cisco app that I found on Splunkbase. This is a great app and we want to use it for these two groups, giving each group access to monitor their own devices without access to the other group's devices.
How can we do this (two different groups and two different indexes)?
Try to map each source (source="udp:514" and source="udp:515") to a different index and set the permissions for the respective groups. Ensure you update the index field on all the dashboards/reports/alerts etc. in the app.
You can in fact do this with the app if you use the companion "multi tenancy" add-on. It comes with a charge. Let me know if you are interested. The add-on will let you define a set of indexes per Splunk role and change views depending on your permissions (honoring the indexes you are allowed to see).
You have to check it: the app does not seem to use specific index names, only the sourcetypes cisco:ios and Cisco:SmartCallHome. So if you set the permissions so that each group of users only sees 'their' index, it should work as you need it.
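The following configuration is an added example that illustrates the approach described in the first and third answers above (UDP 514 and 515 mapped to separate indexes, with a role per group restricted to its own index); it is not from the original thread or from the Cisco app. The index names datacenter and backbone, the role names, and the use of the sourcetype cisco:ios on both inputs are assumptions for the example; the port numbers and sourcetype come from the thread.

```ini
# inputs.conf (on the indexer or heavy forwarder receiving the syslog)
# Each UDP listener writes into its own index. The index names are assumed.
[udp://514]
index = datacenter
sourcetype = cisco:ios
connection_host = ip

[udp://515]
index = backbone
sourcetype = cisco:ios
connection_host = ip

# indexes.conf (on the indexers): the two indexes must exist before data arrives,
# otherwise events for a missing index are dropped or routed to lastChanceIndex.
[datacenter]
homePath   = $SPLUNK_DB/datacenter/db
coldPath   = $SPLUNK_DB/datacenter/colddb
thawedPath = $SPLUNK_DB/datacenter/thaweddb

[backbone]
homePath   = $SPLUNK_DB/backbone/db
coldPath   = $SPLUNK_DB/backbone/colddb
thawedPath = $SPLUNK_DB/backbone/thaweddb

# authorize.conf (on the search head): one role per group. Role names are assumed.
# srchIndexesAllowed is the hard boundary; srchIndexesDefault matters because the
# app's searches select on sourcetype only, so they run against the role's default
# indexes rather than naming an index explicitly.
[role_datacenter_users]
importRoles        = user
srchIndexesAllowed = datacenter
srchIndexesDefault = datacenter

[role_backbone_users]
importRoles        = user
srchIndexesAllowed = backbone
srchIndexesDefault = backbone
```

After restarting (or reloading the inputs), verify the boundary from a test account in each role rather than from an admin account: run `| eventcount summarize=false index=* | dedup index | fields index` as a Datacenter user and confirm only the datacenter index is listed, then open one of the app's dashboards as that user and confirm it shows Datacenter devices only. Note that importRoles = user pulls in the user role's own srchIndexesAllowed, so keep the built-in user role's index list tight (or import a leaner base role); otherwise the inherited list widens what each group can see.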