Deployment Architecture

Masking _raw after indexing depending on Role

JordanPeterson
Path Finder

I know that there are a lot of answers regarding masking data and it all comes down to masking it at index time. However, I have two different groups of users that need access to the same data, depending on their role it may or may not need to be masked. How can I provide a solution to both groups without having to index this data twice?

0 Karma

adonio
Ultra Champion

maybe you could use summary indexes for the team that needs the data masked ...
summarize only the data that is important to them.

0 Karma

MuS
SplunkTrust
SplunkTrust

As @adino said use summary indexes to provide the events to each of the groups/roles OR create datamodels for each of them and mask or just provide the events they need, and accelerate the datamodel once done.

cheers, MuS

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...