Dear all,
I'm in the process of grouping hosts by location. I would like it to be based on the hostname.
The goal is to limit users and show them only logs they're supposed to have access to.
I managed to add a tag to an event type, and then I discovered it is possible to add metadata to events.
Is it possible to segregate access this way too? What is the best practice for this?
Thanks in advance
Hi @romainbouajila,
In Splunk, access to data is managed only at index level, so if you want to segregate access to the logs of a group of hosts, you have to put the logs from these servers in a dedicated index, so that you can enable only one or more roles to access this index.
You can do this in two ways:
To override index on Indexers, you have to create:
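props.conf
# Apply the transform below to every event from this host
[host::yourhost]
TRANSFORMS-override_host = override_host
transforms.conf
[override_host]
# Match every event
REGEX = .
# Rewrite the index metadata key at index time
DEST_KEY = _MetaData:Index
# FORMAT is the value written to that key, i.e. the destination index name
FORMAT = your_host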
Ciao.
Giuseppe
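The approach from the answer above, extended to the location grouping asked about in the question, as an added example that is not part of the original posts. The hostname prefix `par-*`, the index `loc_paris` and the role `paris_analyst` are assumed names; the setting names are standard Splunk configuration keys.

```ini
# ---- indexes.conf (indexers) ----
# Dedicated index for one location; the index must exist before events
# are routed to it. "loc_paris" is an assumed name.
[loc_paris]
homePath   = $SPLUNK_DB/loc_paris/db
coldPath   = $SPLUNK_DB/loc_paris/colddb
thawedPath = $SPLUNK_DB/loc_paris/thaweddb

# ---- props.conf (indexers or heavy forwarders, where parsing happens) ----
# host:: stanzas accept wildcards, so one stanza covers every host whose
# name carries the location prefix. "par-*" is an assumed naming scheme.
[host::par-*]
TRANSFORMS-route_paris = route_paris

# ---- transforms.conf (same instances as props.conf) ----
[route_paris]
# Match every event from the hosts selected in props.conf
REGEX = .
# Overwrite the index metadata key with the location index
DEST_KEY = _MetaData:Index
FORMAT = loc_paris

# ---- authorize.conf (search heads) ----
# Role limited to the location index. "paris_analyst" is an assumed name.
# No importRoles here: an imported role also contributes its own allowed
# indexes, which would widen access beyond this index.
[role_paris_analyst]
search = enabled
srchIndexesAllowed = loc_paris
srchIndexesDefault = loc_paris
```

The index override applies only to events indexed after the change; events already written to another index stay there and remain visible to whoever can search that index.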
Hi @romainbouajila,
good for you.
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉