
Sourcetype restricted access

splunklearner
Communicator

Hi all,

We have a specific AD group for each application; we create an index for that app and restrict access to that index to that AD group (all users of that specific app). Generally they give us the FQDN/hostname and we map it to the particular index.

In this way we have numerous AD groups and indexes.

But our client is expecting less AD groups because it is difficult to maintain those many AD groups. 

So, here is my question: is there any way to reduce the number of AD groups by restricting by sourcetype rather than by index? That is, can one index hold multiple applications, restricted per application by sourcetype? If yes, please help me with the approach.


splunklearner
Communicator

Hi @gcusello ,

How do we assign a specific index to a specific AD group, and how do we map a specific FQDN to that particular index, so that the AD group sees only its own logs?


gcusello
SplunkTrust

Hi @splunklearner ,

You have to create a Splunk role for each AD group.

Then in each role, you have to set the index to use and/or the additional filtering options.

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @splunklearner ,

No, data access is managed in Splunk at index level, but must every AD group see only one index, or several?

I suppose that you are trying to manage multitenancy; in that case different indexes are the only solution.

Ciao.

Giuseppe

splunklearner
Communicator

Suppose application 'X' has a specific AD group, say "Y", and a specific index "Z".

Generally the X application team members/owners are in group Y and should access index Z. This is fine so far.

But the client is concerned that numerous applications mean numerous AD groups, which will be difficult to maintain.

So, suppose we include multiple app teams with multiple indexes in a single AD group: can we restrict them by sourcetype, specific to each particular app? Is this possible, or is there any other way to do it? The goal is to reduce AD groups while keeping app-level restriction.

gcusello
SplunkTrust

Hi @splunklearner ,

As you know, AD groups are associated with one or more Splunk roles, and data access is managed by associating roles with indexes.

You could also filter access to data within the same index by inserting a filter (e.g. a sourcetype or another field); in this way you can reduce the number of indexes, but you still have to identify a rule to filter data access.

Usually sourcetype isn't the best solution, because sourcetype is usually associated with the log format or the technology; if you can identify another field, you could use that instead.

Ciao.

Giuseppe

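To make the two approaches discussed in this thread concrete (one index per AD group, versus several apps in one index with a per-role search filter), here is an added configuration example. It is not from the thread or from Splunk documentation; the LDAP strategy name `corp_ad`, the group DNs, the index names and the custom field `app_name` are all assumed placeholders.

```ini
# --- authentication.conf ---
# Map AD groups (via the LDAP strategy "corp_ad", an assumed name) to Splunk roles.
# One AD group can be mapped to exactly the role that carries its restrictions.
[roleMap_corp_ad]
app_x_users = CN=Splunk-AppX,OU=Groups,DC=example,DC=com
app_y_users = CN=Splunk-AppY,OU=Groups,DC=example,DC=com
app_z_users = CN=Splunk-AppZ,OU=Groups,DC=example,DC=com

# --- authorize.conf ---
# Model 1 (what the thread does today): a dedicated index per application.
# Access is enforced at index level, which is the strongest boundary Splunk offers.
[role_app_x_users]
importRoles = user
srchIndexesAllowed = app_x
srchIndexesDefault = app_x

# Model 2 (what gcusello describes): several applications share one index,
# and each role carries a search filter that is silently ANDed onto every
# search the role runs. Here the filter uses sourcetype, which is an indexed
# field so the restriction cannot be undone by a search-time extraction.
[role_app_y_users]
importRoles = user
srchIndexesAllowed = shared_apps
srchIndexesDefault = shared_apps
srchFilter = sourcetype=app_y:*

# Same shared index, but filtered on a custom field instead of sourcetype,
# as suggested in the last reply. "app_name" is an assumed field; for the
# filter to match anything, the extraction that produces it must be visible
# to this role (a filter on a missing field returns no events at all).
[role_app_z_users]
importRoles = user
srchIndexesAllowed = shared_apps
srchIndexesDefault = shared_apps
srchFilter = app_name="app_z"
```

Two points to check before relying on Model 2. First, by default Splunk combines the search filters of all roles a user holds with OR (controlled by `srchFilterSelecting`, which defaults to true), so a user who is in both `app_y_users` and `app_z_users` sees both apps' data; filters narrow access only within a single role, they never intersect across roles. Second, the number of Splunk roles does not shrink in either model: each distinct access scope still needs its own role and therefore its own AD group mapping, which is why the replies say a filter reduces indexes rather than groups.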