There is an application which is used by multiple teams and we are ingesting the application logs for each team in a single index. Here we want to restrict each team's people so that they can access only their team's logs, not all the data in the index. How do I implement it in Splunk?
Thanks in advance.
Hi @gcusello,
Thank you so much for the detailed explanation. Let me try the solution given by you and @ITWhisperer.
In general, data are stored in different indexes for two reasons:
In your case, you should use one index for each access policy group.
If you don't, you cannot restrict access to a part of an index to a group of users.
The only workaround is the one hinted by @ITWhisperer: create a Summary Index, that doesn't require additional license costs.
In a few words, you have to schedule a search that extracts only the fields you need from an index and stores them in a summary index for each group of events.
You can do this by scheduling a search (e.g. every hour, every 5 minutes or every day) that extracts the data of that period and stores them in a summary index using the "collect" command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect).
Then you give each group access to one summary index.
You can find additional information about Summary Indexes at https://docs.splunk.com/Documentation/Splunk/9.0.0/Knowledge/Setupsummaryindexes or https://www.youtube.com/watch?v=joZ3jokt9qs
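A concrete version of the collect-into-summary-index-then-restrict-the-role setup described above, as an added example that is not from this thread or from Splunk's own documentation. The raw index name `app_logs`, the `team` field, the summary index and role names are all assumptions; each stanza's comment says which .conf file it belongs in.

```ini
# indexes.conf (indexers): the per-team summary index must exist before collect can write to it
[summary_team_alpha]
homePath   = $SPLUNK_DB/summary_team_alpha/db
coldPath   = $SPLUNK_DB/summary_team_alpha/colddb
thawedPath = $SPLUNK_DB/summary_team_alpha/thaweddb

# savedsearches.conf (search head): hourly search that copies team alpha's events of the previous hour.
# "app_logs" and the "team" field are assumptions; adjust to the real raw index and team field.
# The search runs as its owner, so that owner must still be allowed to read app_logs.
[summary_team_alpha_fill]
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
search = index=app_logs team=alpha | fields host source sourcetype team | collect index=summary_team_alpha
# collect writes the copy with sourcetype=stash by default, which is what keeps it licence-free;
# passing collect's sourcetype option with any other value makes the copy count against the licence.

# authorize.conf: a role that can search the team's summary index and nothing else
[role_team_alpha]
search = enabled
srchIndexesAllowed = summary_team_alpha
srchIndexesDefault = summary_team_alpha
# Do not add "importRoles = user" (or another broad role) here: a role inherits the
# srchIndexesAllowed of every role it imports, which would silently widen access again.
```

Restart (or reload the conf files on) the search head after adding the stanzas, then verify with a user mapped only to `role_team_alpha` that `index=app_logs` returns nothing while `index=summary_team_alpha` returns that team's events.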
Have you considered "copying" the data to different summary indexes which are then restricted to the relevant teams?
Hi @ITWhisperer,
Thank you so much for your quick response.
Actually, I am new to Splunk and don't have much knowledge of summary indexes.
Do we need to buy additional license for copying/ingesting the data into summary index?
It would be helpful if there are any reference documents.
Summary indexes do not count against your licence (they used to, prior to version 4).
Use summary indexing for increased search efficiency - Splunk Documentation