I am using this search to find volume for systems reporting to one index:
index="_internal" source="*metrics.log" per_index_thruput series="Customer_Index_group" | stats sum(kb) as kb_indexed | eval GB = round(kb_indexed/1024/1024,2) | gauge GB 0 7 14 21 28
I can then search the metrics logs reported from the systems like this:
index="Customer_Index" source="*metrics.log" per_index_thruput series="Customer_Index_group" | stats sum(kb) as kb_indexed | eval GB = round(kb_indexed/1024/1024,2) | gauge GB 0 7 14 21 28
However these two numbers are very different.
Granted the search on the _internal index runs much faster, but my users do not have access to the _internal index and they would like to know how much data their index is using. I see a volume that is much larger on the search for index=_internal than they can see using index="Customer_Index".
Why would the _internal index show more than the info from the $splunk/etc/var/log/splunk/metrics.log?
You give their role access to _internal and add this to their search restriction terms:
(index!=_internal OR (source=*metrics.log series="Customer_Index"))
In this fashion you could also give them access to their entire UF logs by adding their hosts (or a host tag) here.
http://docs.splunk.com/Documentation/Splunk/4.3.1/Admin/Addandeditroles#Search_filter_format
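As an added example (not from the thread), this is what the answer above amounts to as a role stanza in authorize.conf; the role name is assumed, and the filter is appended to every search the role runs:

```ini
# Added example: authorize.conf role stanza (role name is assumed, values illustrative).
# srchIndexesAllowed, srchIndexesDefault and srchFilter are standard authorize.conf keys.
[role_customer_index_users]
# Indexes the role may search at all; _internal is added only so the
# per-index throughput metrics can be reached.
srchIndexesAllowed = Customer_Index;_internal
# Index searched when the user does not name one.
srchIndexesDefault = Customer_Index
# ANDed onto every search this role runs. Searches outside _internal pass
# unchanged; inside _internal only this index's metrics.log events are visible.
# Keep the source= term: without it, any _internal event that happens to
# contain series="Customer_Index" (picked up by automatic key-value
# extraction) would also be exposed.
srchFilter = (index!=_internal OR (source=*metrics.log series="Customer_Index"))
```

If a user holds several roles, Splunk combines the roles' search filters with OR, so a second role with an empty srchFilter removes this restriction for that user.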
I recommend keeping the restriction on the source field in _internal - else they'll be able to see random events that happen to contain series=customer_index caught by default key-value extraction.
This is the final filter if anyone is interested. Thanks Martin for getting me there.
index=customer_index OR (index=_internal AND series="customer_index")
I will try this out as soon as I can. Could you add this as your answer and if it works I can give you credit for the answer 🙂
Thanks for helping Martin, I really appreciate it.
So how would I do that? All the customer users are in a group/role. The group has access to their index.
I would give them access to _internal, but how do I restrict access within _internal to only the search term [series="Customer_Index_group"]?
I am on version 4.3.1, build 119532. PS will be onsite to help with the upgrade in 8 weeks. Until then I cannot upgrade.
You could give them access to _internal but restrict that to metrics about their index.
They are for the UF. I know this is maybe not best practice because the metrics.log files put in the customer's index count against the license.
Where is the best place to record the UF metrics logs so that they don't count against the license, and how could I give this info to the customer without letting them see too much?
Are those metrics from the UFs or from the Indexers?
So that the customer [who did not want to install the splunk UF] can see and troubleshoot splunk UF issues.
Why does your customer index contain Splunk metrics logs?