Is there a way to allow user to access only part of data in an index not all data?

gowthammahes
Path Finder

Hi,

There is an application which is used by multiple teams, and we are ingesting the application logs for each team into a single index. Here we want to restrict access so that each team's people can access only their team's logs, not all the data in the index. How do I implement it in Splunk?

Thanks in advance.

Gowtham

gowthammahes
Path Finder

Hi @gcusello,

Thank you so much for the detailed explanation. Let me try the solution given by you and @ITWhisperer.

Thanks,

Gowtham

gcusello
SplunkTrust

Hi @gowthammahes,

In general, data are stored in different indexes for two reasons:

  • different access grants for different groups of users,
  • different retention periods.

In your case, you should use one index for each access policy group.

If you didn't, you cannot restrict access to a part of an index to a group of users.

The only workaround is the one hinted by @ITWhisperer: create a Summary Index, that doesn't require additional license costs.

In a few words, you have to schedule a search that extracts only the fields you need from an index and stores them in a Summary Index for each group of events.

You can do this by scheduling a search (e.g. every hour, every 5 minutes or every day) that extracts the data of that period and stores them in a Summary Index using the "collect" command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect).

Then you give each group access to one Summary Index.

You can find additional information about Summary Indexes at https://docs.splunk.com/Documentation/Splunk/9.0.0/Knowledge/Setupsummaryindexes or https://www.youtube.com/watch?v=joZ3jokt9qs 

Ciao.

Giuseppe
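One concrete way to wire up the approach described in this thread (a scheduled search that copies each team's events into its own summary index, and a role that can search only that summary index). This is an added example, not configuration from gcusello's or ITWhisperer's posts; the index names (app_logs, summary_team_a), the role name (role_team_a), the field name `team`, the retention value and the 5-minute schedule are all assumptions made for the example.

```ini
# ---------------------------------------------------------------------------
# indexes.conf (indexers): one summary index per team.
# All names here are assumptions for this example, not taken from the thread.
# Retention can be set per team, since it is a property of the index.
# ---------------------------------------------------------------------------
[summary_team_a]
homePath   = $SPLUNK_DB/summary_team_a/db
coldPath   = $SPLUNK_DB/summary_team_a/colddb
thawedPath = $SPLUNK_DB/summary_team_a/thaweddb
# 90 days (example value)
frozenTimePeriodInSecs = 7776000

# ---------------------------------------------------------------------------
# savedsearches.conf (search head): scheduled search that fills the summary.
# Runs every 5 minutes over the previous, completed 5-minute window.
# The search owner must be able to read app_logs; the team roles must not.
# ---------------------------------------------------------------------------
[summary_fill_team_a]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
dispatchAs = owner
# Keep only the fields the team needs; "team" is an assumed field name.
search = index=app_logs team="team_a" \
| fields _time, host, source, sourcetype, team, level, message \
| collect index=summary_team_a marker="summary_src=app_logs"

# ---------------------------------------------------------------------------
# authorize.conf (search head): the team role sees only its summary index.
# Do NOT list app_logs in srchIndexesAllowed for this role.
# ---------------------------------------------------------------------------
[role_role_team_a]
importRoles = user
srchIndexesAllowed = summary_team_a
srchIndexesDefault = summary_team_a
```

Repeat the `[summary_team_x]`, `[summary_fill_team_x]` and `[role_role_team_x]` stanzas for each team. Before enabling the schedule, run the search by hand with `| collect index=summary_team_a testmode=true` to check which events would be written without actually writing them, then confirm from a team account that `index=app_logs` returns nothing while `index=summary_team_a` returns only that team's events.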

ITWhisperer
SplunkTrust

Have you considered "copying" the data to different summary indexes which are then restricted to the relevant teams?

gowthammahes
Path Finder

Hi @ITWhisperer,
Thank you so much for your quick response.
Actually, I am new to Splunk and don't have much knowledge of summary indexes.
Do we need to buy an additional license for copying/ingesting the data into a summary index?
It would be helpful if there are any reference documents.

Thanks,

Gowtham

ITWhisperer
SplunkTrust

Summary indexes do not count against your licence (they used to prior to version 4).

Use summary indexing for increased search efficiency - Splunk Documentation
