I have a proxy that serves several clients. All logs go to Splunk and are processed into a single index. Most of my clients have more than one IP range, so I cannot split the clients into separate indexes. I configured a lookup to map those IP ranges to the name of the client.
Now, I want to make a dashboard with various information for specific clients, so they will log in to Splunk and see that information, but they cannot see other clients' information nor run other searches.
I've been looking for an answer and tried a lot of solutions, but nothing worked perfectly.
I've tried to use the Search Restrictions of the role, putting clientname=CLIENT1, but I think it does not work when the clientname field is a lookup (automatic or not), because when I set that, log in with that user and go to Pivot, nothing matches for that user.
So, how can I prevent any information of other clients from being searched, and how can I make a dashboard be shown when that client logs in?
My Splunk version is 6.0.
Thanks for any help!
Do you provide information to the clients using just the dashboards, or do they have access to Splunk's default search app as well?
The dashboard can be as simple as creating an App, and denying the roles required to a single App. Once that is done, I'd create Dashboards under this "restricted app" that only each client can view based on role. This will effectively limit what data is being presented to each client. For example:
Client A has a restricted role "clienta_role" limiting search to "(index=myindex gravity=0.49)"
Allow "clienta_role" read access in the "Restricted App".
Allow "clienta_role" Read/write to "Client A Stats" Dashboard. No other roles except admin should be added to the role or dashboard.
Set the default App for Client A as "Restricted App".
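The four steps in the answer above, written out as Splunk configuration files. This is an added example, not part of the original answer; the app directory name restricted_app, the view name client_a_stats, the report name client_a_report and the user name clienta are assumed placeholders.

```ini
# --- $SPLUNK_HOME/etc/system/local/authorize.conf ---
# Step 1: restricted role. srchFilter is ANDed onto every search the role runs.
[role_clienta_role]
# Filter taken verbatim from the answer's example
srchFilter = (index=myindex gravity=0.49)
srchIndexesAllowed = myindex
srchIndexesDefault = myindex
# Inherit nothing: do not import "user" or "power", which carry their own
# index access and capabilities
importRoles =

# --- $SPLUNK_HOME/etc/apps/restricted_app/metadata/local.meta ---
# Step 2: app-level access. The empty stanza [] applies to the app as a whole.
[]
access = read : [ admin, clienta_role ], write : [ admin ]

# Step 3: the dashboard itself (view name is a placeholder)
[views/client_a_stats]
access = read : [ admin, clienta_role ], write : [ admin, clienta_role ]

# Reports that back dashboard panels are separate knowledge objects with
# their own ACL; the role needs read on each one (report name is a placeholder)
[savedsearches/client_a_report]
access = read : [ admin, clienta_role ], write : [ admin ]

# --- $SPLUNK_HOME/etc/users/clienta/user-prefs/local/user-prefs.conf ---
# Step 4: land the user in the restricted app at login
[general]
default_namespace = restricted_app
```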
Ok, I've done that! Thanks!
Now, I have to decide whether to make an App for each client or several dashboards on a single App. To show a dashboard directly to the user I'll have to make one App for each, unless there's a way to configure a dynamic view.
But the principal problem here is that I've restricted the user and configured panels with some reports. Now I'm getting a "Warning: saved search not found: XXXXXXX" in the panel. With an admin user it does not happen.
I was also getting an error:
In handler 'savedsearch': Error in 'PivotProcessor': In handler 'xxxxx'
But it seems to have resolved itself.