Masking _raw after indexing depending on Role

Path Finder

I know that there are a lot of answers regarding masking data, and it all comes down to masking it at index time. However, I have two different groups of users that need access to the same data; depending on their role, it may or may not need to be masked. How can I provide a solution to both groups without having to index this data twice?

0 Karma

SplunkTrust

Maybe you could use summary indexes for the team that needs the data masked ...
Summarize only the data that is important to them.

0 Karma

SplunkTrust

As @adino said, use summary indexes to provide the events to each of the groups/roles OR create data models for each of them and mask or just provide the events they need, and accelerate the data model once done.

cheers, MuS

0 Karma
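
One way to wire up the summary-index approach suggested in the answers above, as an added example that is not from the original thread: a scheduled search copies events into a second index with the sensitive pattern rewritten, and each role is limited to one of the two indexes. The index names, role names, sourcetype, stanza name and the masking pattern are placeholders assumed for illustration.

```ini
# ---- savedsearches.conf (assumed names: app_raw, app_masked, app:events) ----
# Scheduled search that rewrites _raw and writes the result to a
# separate index. The sed expression is a constructed placeholder;
# replace it with the pattern for the field that must be hidden.
[mask_app_events_to_summary]
search = index=app_raw sourcetype=app:events \
| rex mode=sed field=_raw "s/\d{3}-\d{2}-\d{4}/XXX-XX-XXXX/g" \
| collect index=app_masked
enableSched = 1
cron_schedule = */5 * * * *
# Non-overlapping 5-minute windows, lagged by 5 minutes so that
# late-arriving events are indexed before the window is copied.
dispatch.earliest_time = -10m@m
dispatch.latest_time = -5m@m

# ---- authorize.conf (assumed role names) ----
# Users who must only see masked events: search access to the
# masked index only.
[role_masked_analyst]
srchIndexesAllowed = app_masked
srchIndexesDefault = app_masked
# Index access is inherited from imported roles. Do not import a
# role that is allowed to search app_raw (or "*"), or the masking
# is bypassed.
importRoles =

# Users who may see the original events.
[role_full_analyst]
srchIndexesAllowed = app_raw
srchIndexesDefault = app_raw
```

The scheduled search runs with its owner's permissions, so the owner needs search access to the unmasked index; the masked index must exist before the first run.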