Getting Data In

Sourcetype restricted access

splunklearner
Communicator

Hi all,

We have a specific AD group for each specific application; we create an index for that app and restrict access to that index to that AD group (for all users of that specific app). Generally they give us an FQDN/hostname and we map it to the particular index.

In this way we have numerous AD groups and indexes.

But our client is expecting fewer AD groups because it is difficult to maintain that many AD groups.

So, here is my question... is there any chance to reduce AD groups by restricting access by sourcetype rather than by index? That is, in one index can we have multiple applications and restrict them by sourcetype? If yes, please help me with the approach.


splunklearner
Communicator

Hi @gcusello ,

How do I assign a specific index to a specific AD group, and how do I map a specific FQDN to that particular index, so that the specific AD group sees only its own logs?


gcusello
SplunkTrust

Hi @splunklearner ,

you have to create a Splunk Role for each AD Group.

Then in each role, you have to set the index to use and/or the additional filtering options.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @splunklearner ,

No, data access in Splunk is managed at the index level, but must every AD group see only one index, or more than one?

I suppose that you are trying to manage multitenancy; in that case different indexes are the only solution.

Ciao.

Giuseppe

splunklearner
Communicator

Suppose application 'X' has a specific AD group, say "Y", and a specific index "Z"...

Generally the X application team members/owners are in group Y and should access index Z. This is fine so far.

But the client is concerned about numerous applications having numerous AD groups, which will be difficult to maintain.

So, suppose a single AD group includes multiple app teams with multiple indexes: can we restrict them by the sourcetype belonging to that particular app? Is it possible, or is there any other way to do this? The goal is to reduce AD groups while keeping the app-level restriction.


gcusello
SplunkTrust

Hi @splunklearner ,

as you well know, AD Groups are associated with one or more Splunk Roles, and data access is managed by associating Roles with indexes.

You can eventually filter access to the data within the same index by inserting a filter (e.g. on sourcetype or another field); in this way you can reduce the number of indexes, but you still have to identify a rule to filter data access.

Usually sourcetype isn't the best solution, because sourcetype is usually associated with the log type or the technology; if you can identify another field, you can use that.

Ciao.

Giuseppe

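As an added illustration (not from the thread or from Splunk's own documentation), here is what the role-based approach described above looks like in authorize.conf: two roles share one index and each gets a search filter that is appended to every search the role runs. The index name, role names and host patterns are assumed; the AD-group-to-role mapping itself lives in authentication.conf and is not shown.

```ini
# authorize.conf (constructed example) - two app teams share one index.
# Assumed names: index "shared_apps", roles "app_x_users" / "app_y_users",
# hosts named after the application (the FQDN mapping mentioned in the thread).

[role_app_x_users]
importRoles = user
srchIndexesAllowed = shared_apps
srchIndexesDefault = shared_apps
# Appended to every search this role runs; restricts results to app X hosts.
srchFilter = host=app-x-*

[role_app_y_users]
importRoles = user
srchIndexesAllowed = shared_apps
srchIndexesDefault = shared_apps
srchFilter = host=app-y-*
```

Caveat: if a user holds several roles, their search filters are combined with OR, so a user in both roles sees both applications' data; check the effective filter per user before relying on this as the access boundary.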