Is there a way to allow a user to access only part of the data in an index, not all data?
Hi,
There is an application which is used by multiple teams, and we are ingesting the application logs for each team into a single index. We want to restrict access so that each team's people can access only their team's logs, not all the data in the index. How do I implement this in Splunk?
Thanks in advance.
Gowtham
Hi @gcusello,
Thank you so much for the detailed explanation. Let me try the solution given by you and @ITWhisperer.
Thanks,
Gowtham

Hi @gowthammahes,
in general, data are stored in different indexes for two reasons:
- different access grants for different groups of users,
- different retention periods.
In your case, you should use one index for each access policy group.
If you didn't, you cannot restrict access to a part of an index to a group of users.
The only workaround is the one hinted at by @ITWhisperer: create a Summary Index, which doesn't require additional license costs.
In a few words, you have to schedule a search that extracts only the fields you need from an index and stores them in a Summary index for each group of events.
You can do this by scheduling a search (e.g. every hour, every 5 minutes or every day) that extracts the data of that period and stores them in a Summary index using the "collect" command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect).
Then you give each group access to one Summary index.
You can find additional information about Summary Indexes at https://docs.splunk.com/Documentation/Splunk/9.0.0/Knowledge/Setupsummaryindexes or https://www.youtube.com/watch?v=joZ3jokt9qs
Ciao.
Giuseppe
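
The summary-index approach described in this thread, written out as Splunk configuration. This is an added example, not part of any post above; the names `app_logs`, `team`, `team_a`, `summary_team_a` and `role_team_a` are assumptions, and the stanzas are repeated once per team.

```ini
# --- indexes.conf (on the indexers): one summary index per team ---
# Index name is an assumption for this example.
[summary_team_a]
homePath   = $SPLUNK_DB/summary_team_a/db
coldPath   = $SPLUNK_DB/summary_team_a/colddb
thawedPath = $SPLUNK_DB/summary_team_a/thaweddb

# --- savedsearches.conf: hourly copy of team A's events ---
# The search runs as its owner, so the owner (an admin or service
# account) needs search access to the shared source index.
[Populate summary_team_a]
enableSched = 1
cron_schedule = 5 * * * *
# Snap the window to whole hours so consecutive runs neither
# overlap (duplicate events) nor leave gaps (missing events).
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
# "app_logs" and the "team" field are assumptions; use whatever
# field or source value identifies the owning team in your data.
# collect keeps its default "stash" sourcetype here; setting a
# different sourcetype makes the copied data count against licence.
search = index=app_logs team="team_a" | collect index=summary_team_a

# --- authorize.conf: team A may search only its own summary index ---
[role_team_a]
# No importRoles line: index access is inherited from imported
# roles, so importing a role that can search app_logs would
# undo the restriction.
search = enabled
srchIndexesAllowed = summary_team_a
srchIndexesDefault = summary_team_a
```

Events that reach `app_logs` after their hour has already been summarised are not copied, so choose the schedule offset with your ingestion delay in mind, and confirm the restriction by logging in as a team member and checking that `index=app_logs` returns nothing.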

Have you considered "copying" the data to different summary indexes which are then restricted to the relevant teams?
Hi @ITWhisperer,
Thank you so much for your quick response.
Actually, I am new to Splunk and don't have much knowledge of summary indexes.
Do we need to buy an additional license for copying/ingesting the data into a summary index?
It would be helpful if there are any reference documents.
Thanks,
Gowtham

Summary indexes do not count against your licence (they used to, prior to version 4).
Use summary indexing for increased search efficiency - Splunk Documentation
