Getting Data In

How to exclude searching of certain indexers by role?

mjones414
Contributor

I have a shared search head used by different groups where those groups have set up their own indexers. They want to use our search head, but we don't want them to search across our indexers or vice versa. Right now, the only way I can do this is a search restriction at a role level which says splunk_server!=<indexer_name>. Seems like this is just prefixing a search, and I am just wondering if there is a more efficient way of doing this?

0 Karma
1 Solution

lguinn2
Legend

This is an unusual configuration. Generally, you should use separate search heads in this case.

But if you want to share the search head, I think you have hit upon the only solution that I know - unless each group has used a unique set of names for their indexes.

For example: Group A uses indexes named web and security. Group B uses indexes named OS and network. No one uses the main index. In this case, you could set the index visibility for the roles instead of using the search restriction. This might be more efficient.

Often though, both groups will have used the main index on their indexers - leaving you only with the search restriction solution that you have already discovered.

IF the search load is light, you could also designate one of the indexers as the search head for a team, and have it search the other indexers. This solution is best for 4 indexers or fewer. If one set of indexers is small enough, this will allow you to separate the search heads for the teams.

0 Karma
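Both approaches from this thread, written out as authorize.conf role stanzas. This is an added example, not configuration from the original post; the role names, indexer host names and capability list are assumed.

```ini
# authorize.conf (added example; role names and indexer host names are assumed)

# Option 1: the search restriction from the question. srchFilter is ANDed onto
# every search a member of the role runs, so group A never reads group B's
# indexers. This works even when both groups write to "main", but the filter is
# applied to each search rather than enforced as index-level access.
[role_group_a]
search = enabled
srchFilter = splunk_server!=idx-groupb-01 splunk_server!=idx-groupb-02
srchIndexesAllowed = *
srchIndexesDefault = main

# Option 2: index visibility, as suggested in the answer. This only isolates the
# groups when their index names are disjoint and nobody relies on "main".
# Leaving "main" out of srchIndexesAllowed makes a shared main index
# unsearchable from either role.
[role_group_a_by_index]
search = enabled
srchIndexesAllowed = web;security
srchIndexesDefault = web;security

[role_group_b_by_index]
search = enabled
srchIndexesAllowed = OS;network
srchIndexesDefault = OS;network
```

Neither stanza imports a built-in role: index access is unioned across imported roles and srchFilter is joined with OR by default (srchFilterSelecting = true), so importing "user" or "power" would widen what the role can search.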

mjones414
Contributor

Thanks for the help. The primary reason for doing this is because this same group also shares our VirtualCenter, therefore our instance is already pulling in all of their VMware cluster data with the exception of their actual syslogs. There doesn't appear to be a way in the VMware app to segregate multi-tenant vCenter clusters, so this was the next best thing we could come up with.

0 Karma