Dashboards & Visualizations

Is there a way to allow user to access only part of data in an index not all data?

gowthammahes
Path Finder

Hi,

There is an application which is used by multiple teams, and we are ingesting the application logs for each team into a single index. Here we want to restrict it so that each team's people can access only their own team's logs, not all the data in the index. How do I implement this in Splunk?

Thanks in advance.

Gowtham


gowthammahes
Path Finder

Hi @gcusello,

Thank you so much for the detailed explanation. Let me try the solution given by you and @ITWhisperer.

Thanks,

Gowtham


gcusello
Esteemed Legend

Hi @gowthammahes,

in general, data are stored in different indexes for two reasons:

  • different access grants for different groups of users,
  • different retention periods.

In your case, you should use one index for each access policy group.

If you didn't, you cannot restrict access to a part of an index to a group of users.

The only workaround is the one hinted at by @ITWhisperer: create a Summary Index, which doesn't require additional license costs.

In a few words, you have to schedule a search that extracts only the fields you need from an index and stores them in a Summary Index for each group of events.

You can do this by scheduling a search (e.g. every hour, every 5 minutes or every day) that extracts the data of that period and stores them in a Summary Index using the "collect" command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Collect).

Then you give each group access to one Summary Index.

You can find additional information about Summary Indexes at https://docs.splunk.com/Documentation/Splunk/9.0.0/Knowledge/Setupsummaryindexes or https://www.youtube.com/watch?v=joZ3jokt9qs

Ciao.

Giuseppe

ITWhisperer
SplunkTrust

Have you considered "copying" the data to different summary indexes which are then restricted to the relevant teams?
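The approach both @ITWhisperer and @gcusello describe (a scheduled search per team that copies its events into a team-specific summary index with `collect`, then a role that can search only that summary index) can be expressed as a set of .conf stanzas. The following is an added illustration, not configuration posted by either of them or shipped by Splunk. The index names (`app_logs`, `summary_team_a`, `summary_team_b`), role name (`role_team_a`), and the `team` field that tags each event with its owning team are all assumptions for the example.

```ini
# --- indexes.conf (indexers): one summary index per team. ---
# Hypothetical index names; adjust paths and retention to your environment.
[summary_team_a]
homePath   = $SPLUNK_DB/summary_team_a/db
coldPath   = $SPLUNK_DB/summary_team_a/colddb
thawedPath = $SPLUNK_DB/summary_team_a/thaweddb

[summary_team_b]
homePath   = $SPLUNK_DB/summary_team_b/db
coldPath   = $SPLUNK_DB/summary_team_b/colddb
thawedPath = $SPLUNK_DB/summary_team_b/thaweddb

# --- savedsearches.conf (search head): populate each summary index. ---
# Runs every 5 minutes over the previous whole 5-minute window so that
# consecutive runs neither overlap nor leave gaps. "app_logs" is the assumed
# shared index and "team" the assumed field identifying the owning team.
# The search runs as its owner (an admin who can read app_logs), so the
# team roles never need read access to the shared index.
[Populate summary_team_a]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
dispatchAs = owner
search = index=app_logs team="team_a" | fields _time host source sourcetype team message | collect index=summary_team_a marker="orig_index=app_logs"

[Populate summary_team_b]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
dispatchAs = owner
search = index=app_logs team="team_b" | fields _time host source sourcetype team message | collect index=summary_team_b marker="orig_index=app_logs"

# --- authorize.conf (search head): one role per team. ---
# Index access is the UNION of all roles a user holds, so do not import
# (or also assign) a role that already allows app_logs, otherwise the
# restriction is silently undone. Grant only the capabilities needed.
[role_team_a]
importRoles =
search = enabled
srchIndexesAllowed = summary_team_a
srchIndexesDefault = summary_team_a
srchDiskQuota = 100
srchJobsQuota = 3
```

Two points worth checking after deploying this: first, `collect` writes events with the `stash` sourcetype by default, which is what keeps the copied data from counting against the license; if you override `sourcetype=` in the `collect` command, the data is licensed again. Second, a team's visibility is only as good as the `team="..."` filter in the scheduled search, so verify with a member of `role_team_a` that `index=*` returns only `summary_team_a` events, and add an alert on the scheduled search's failures, because a skipped run means that team loses that window of data rather than seeing the wrong team's data.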

gowthammahes
Path Finder

Hi @ITWhisperer,
Thank you so much for your quick response.
Actually, I am new to Splunk and don't have much knowledge of summary indexes.
Do we need to buy an additional license for copying/ingesting the data into a summary index?
It would be helpful if there are any reference documents.

Thanks,

Gowtham


ITWhisperer
SplunkTrust

Summary indexes do not count against your licence (they used to, prior to version 4).

Use summary indexing for increased search efficiency - Splunk Documentation
