Hi everyone,
I need to find a way to filter the data that specific roles can access inside an index.
For example:
This can be achieved by using search filters and it worked ok.
However...
If then, I have a role that can:
This then will not work for roleD. RoleD will not be able to search index=firewalls, as the search filters take precedence and limit the user to seeing only the data in:
So I'm trying to find a new solution that allows me to do what I need, and a summary index came to mind.
However I'm struggling with something.
When my data is sent to the summary index, its sourcetype is changed to stash, and then my data is not parsed as it is in the original index.
Let's suppose I change the sourcetype from stash to the original sourcetype; that will then make me use a lot more license, doubling it up.
So, that's why I'm asking here for help. What solutions do I have? Am I missing something or doing something wrong?
Thanks in advance if someone can help me on this. 🙂
Yes, the options aren't great. I strongly urge you to consider option #3, however. You're correct about it applying only to new data, but you can use the collect command to copy events to the new indexes (consuming license, of course).
You've discovered why I don't recommend search filters.
A summary index might work. You can get around the parsing problem by assigning a sourcetype other than 'stash' to the summary events. That will count against your ingest license, however.
The better solution is to have separate indexes for each role's data. Access is one of the criteria for creating a new index for data (retention and size management are the others). If you don't want to or can't change the inputs, then consider using Ingest Actions to filter the server data to the proper index.
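Putting the three approaches side by side as Splunk configuration, as an added example that is not part of the thread; the role name, host pattern, retention window and every index name other than firewalls are assumed placeholders:

```ini
# --- 1. Search filter (the approach from the question) --------------------
# authorize.conf
[role_roled]
srchIndexesAllowed = firewalls
srchIndexesDefault = firewalls
# srchFilter is appended to every search this role runs, so a user in
# roleD searching index=firewalls only ever sees events matching it.
# Combined with other roles the filters interact, which is the problem
# described above.
srchFilter = host=fw-branch-d*

# --- 2. Summary index with a non-stash sourcetype -------------------------
# savedsearches.conf; replace <original_sourcetype> with the real one.
# Overriding the sourcetype restores parsing but counts against license.
[summary_branch_d]
search = index=firewalls host=fw-branch-d* | collect index=summary_branch_d sourcetype=<original_sourcetype>

# --- 3. Separate index per role (recommended) ------------------------------
# authorize.conf: access is enforced by index membership, no srchFilter needed
[role_roled]
srchIndexesAllowed = firewalls_branch_d
srchIndexesDefault = firewalls_branch_d

# props.conf: attach the routing transform to the firewall sourcetype
[<original_sourcetype>]
TRANSFORMS-route_by_role = route_branch_d

# transforms.conf: route matching hosts to the per-role index at ingest time
# (the same routing can be built through Ingest Actions instead)
[route_branch_d]
SOURCE_KEY = MetaData:Host
REGEX = fw-branch-d
DEST_KEY = _MetaData:Index
FORMAT = firewalls_branch_d

# Routing only affects new data; a one-off collect backfills the new index
# for existing events (consumes license once for the copied events).
[backfill_branch_d]
search = index=firewalls host=fw-branch-d* earliest=-30d latest=now | collect index=firewalls_branch_d sourcetype=<original_sourcetype>
```

The backfill stanza belongs in savedsearches.conf and should be run once and then disabled, since each run re-ingests the copied events.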
Ha!
So basically I have no solution.
Option 3 might only be the new option, but I don't know if that makes much sense.
But thank you @richgalloway.