Is there a way to allow user to access only part of data in an index not all data?

gowthammahes
Path Finder

Hi,

There is an application which is used by multiple teams, and we are ingesting the application logs for each team into a single index. Here we want to restrict it so that each team's people can access only their team's logs, not all the data in the index. How do I implement this in Splunk?

Thanks in advance.

Gowtham


gowthammahes
Path Finder

Hi @gcusello,

Thank you so much for the detailed explanation. Let me try the solution given by you and @ITWhisperer.

Thanks,

Gowtham


gcusello
Esteemed Legend

Hi @gowthammahes,

in general, data are stored in different indexes for two reasons:

  • different access grants for different groups of users,
  • different retention periods.

In your case, you should use one index for each access policy group.

If you don't, you cannot restrict access to a part of an index to a group of users.

The only workaround is the one hinted at by @ITWhisperer: create a Summary Index, which doesn't require additional license costs.

In a few words, you have to schedule a search that extracts only the fields you need from an index and stores them in a summary index for each group of events.

You can do this by scheduling a search (e.g. every hour, every 5 minutes or every day) extracting the data of that period and storing it in a summary index using the "collect" command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect).

Then you give each group access to one summary index.

You can find additional information about Summary Indexes at https://docs.splunk.com/Documentation/Splunk/9.0.0/Knowledge/Setupsummaryindexes or https://www.youtube.com/watch?v=joZ3jokt9qs 

Ciao.

Giuseppe
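One way to wire up what Giuseppe describes, as an added example rather than anything posted in the thread (the index names, the `team` field, the search name and the role name are all assumed):

```ini
# indexes.conf: one summary index per team (names are assumed)
[summary_team_a]
homePath   = $SPLUNK_DB/summary_team_a/db
coldPath   = $SPLUNK_DB/summary_team_a/colddb
thawedPath = $SPLUNK_DB/summary_team_a/thaweddb

# savedsearches.conf: scheduled search that copies only team A's events
# (selected here by an assumed "team" field) into its summary index.
# Runs 5 minutes past each hour over the previous closed hour, so
# consecutive runs neither overlap nor leave gaps.
[copy_team_a_to_summary]
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time   = @h
search = index=app_logs team="team_a" \
| fields _time host source sourcetype team message \
| collect index=summary_team_a

# authorize.conf: team A's role can search only its summary index.
# Index access from imported roles is added to this list, so do not
# import a role whose srchIndexesAllowed covers app_logs.
[role_team_a]
search = enabled
srchIndexesAllowed = summary_team_a
srchIndexesDefault = summary_team_a
```

Each team gets its own copy of these three stanzas; a user must hold only their team's role, since any other role that can read `app_logs` would expose the whole index again.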

ITWhisperer
SplunkTrust

Have you considered "copying" the data to different summary indexes which are then restricted to the relevant teams?

gowthammahes
Path Finder

Hi @ITWhisperer,
Thank you so much for your quick response.
Actually, I am new to Splunk and don't have much knowledge of summary indexes.
Do we need to buy an additional license for copying/ingesting the data into a summary index?
It would be helpful if there are any reference documents.

Thanks,

Gowtham


ITWhisperer
SplunkTrust

Summary indexes do not count against your licence (they used to, prior to version 4).

Use summary indexing for increased search efficiency - Splunk Documentation
