Security

Can I define a role whose only ability is to post data to a specific index?

juniormint
Communicator

Right now my app sends logs to a raw TCP input. Seems like this is effectively saying that anyone can add data to that input, but whoever configured it ultimately controls where the data is stored (which index(es)).

Can I instead define a role whose only ability is to post data to a specific index?

I was looking through the role capabilities and nothing jumped out at me, but I am new and may just be missing something.

http://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities

0 Karma

Voltaire
Communicator

One way would be to create a new data input, send it to a specific index, create an application/dashboard with that index and associated searches, then assign users to that application. You can also assign specific rights and roles to that app in Access controls, Users.
HTHs

0 Karma

lguinn2
Legend

In general, roles constrain who can search an index.

Setting up an input is the only way to write to an index. The Splunk user who sets up a TCP input can specify the port number and restrict the input to data coming from a specific server (via IP or DNS name). He/she also defines the index that will store the data.

Only Splunk admins have the privileges to set up an input, unless you specifically give that capability to another role. I don't know why you would do that.

Splunk cannot control who or what sends data to a particular TCP port. So it would be up to you to control the origination of the data, via iptables, firewall rules or other means, to make sure that only the data you want arrives on the TCP port.

lguinn2
Legend

No, the assigned index can be set in inputs.conf, which is set on whatever server is listening to the TCP input.

However, you could use props.conf and transforms.conf to route TCP events to different indexes based on the hostname. But this has to be done on the indexer...

# transforms.conf on the indexer; referenced from props.conf with TRANSFORMS-<name> = stanza_name
[stanza_name]
SOURCE_KEY = MetaData:Host
REGEX = (?i)filer
DEST_KEY = _MetaData:Index
FORMAT = filer_index

For any host name that has the string filer, send the events to the filer_index.

http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setupmultipleindexes#Route_specific_events...

0 Karma
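As an added example (this is not configuration posted by anyone in the thread), here is how the two points lguinn2 makes above fit together on the indexer that owns the listener: the inputs.conf stanza fixes the default index and, with acceptFrom and connection_host, limits which source addresses the port accepts; props.conf and transforms.conf then re-route events by host to a specific index; and authorize.conf shows the only place a role enters the picture, as a restriction on which indexes may be searched. The port 9514, the sourcetype myapp:raw, the index names, the host patterns and the network ranges are all assumptions chosen for illustration.

```ini
# --- inputs.conf (on the indexer or heavy forwarder that owns the listener) ---
# Assumed port, sourcetype and index names; adjust to your environment.
[tcp://9514]
# Default index for anything this port receives. A raw TCP sender supplies only
# event bytes; it has no field in which to name an index, so this is the fallback.
index = app_default
sourcetype = myapp:raw
# Record the sender's reverse-DNS name as the host field. With connection_host = ip
# the host would be an address and the hostname regexes below would never match.
connection_host = dns
# Splunk-side network ACL: accept the app subnet, deny one lab range inside it.
# Use it in addition to host firewall rules (iptables etc.), not instead of them.
acceptFrom = 10.20.0.0/16, !10.20.99.0/24

# --- props.conf (indexer) ---
# Apply the routing transforms to events arriving with that sourcetype. Transforms
# run in the listed order; a later match overwrites the index set by an earlier one.
# A host matching neither pattern stays in the input's default index, app_default.
[myapp:raw]
TRANSFORMS-route_by_host = route_filer_hosts, route_web_hosts

# --- transforms.conf (indexer) ---
# MetaData:Host carries the value with a "host::" prefix, hence the anchor below.
[route_filer_hosts]
SOURCE_KEY = MetaData:Host
REGEX = (?i)^host::filer
DEST_KEY = _MetaData:Index
FORMAT = filer_index

[route_web_hosts]
SOURCE_KEY = MetaData:Host
REGEX = (?i)^host::web\d+\.
DEST_KEY = _MetaData:Index
FORMAT = web_index

# --- indexes.conf (indexer) ---
# Every index named above must exist; events routed to an unknown index are not
# stored (by default they are dropped and an error is written to splunkd.log).
[app_default]
homePath   = $SPLUNK_DB/app_default/db
coldPath   = $SPLUNK_DB/app_default/colddb
thawedPath = $SPLUNK_DB/app_default/thaweddb

[filer_index]
homePath   = $SPLUNK_DB/filer_index/db
coldPath   = $SPLUNK_DB/filer_index/colddb
thawedPath = $SPLUNK_DB/filer_index/thaweddb

[web_index]
homePath   = $SPLUNK_DB/web_index/db
coldPath   = $SPLUNK_DB/web_index/colddb
thawedPath = $SPLUNK_DB/web_index/thaweddb

# --- authorize.conf (search head, or the indexer if it is searched directly) ---
# Roles govern searching, not writing. This role can search only filer_index.
# Index grants are unioned with those of imported roles, so none are imported.
[role_filer_readers]
search = enabled
rtsearch = enabled
get_metadata = enabled
get_typeahead = enabled
change_own_password = enabled
srchIndexesAllowed = filer_index
srchIndexesDefault = filer_index
```

The thing to notice is which side each control lives on. Everything that decides the destination index (the input's `index =`, the transforms) is read on the listener, and the sender never sees it; the only input the sender controls is the event text and the connection's source address, which is exactly why lguinn2 points at network controls rather than roles for the "who may write" question.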

juniormint
Communicator

Thanks this is more or less how I thought it works. I think the answer to this next question is no, but can the assigned index for a TCP input be overriden by the sender of an event?

0 Karma