Security

Index Volume, Licence Use Question

hartfoml
Motivator

I am using this search to find the volume for systems reporting to one index:

index="_internal" source="*metrics.log" per_index_thruput series="Customer_Index_group" | stats sum(kb) as kb_indexed | eval GB = round(kb_indexed/1024/1024,2) | gauge GB 0 7 14 21 28

I can then search the metrics logs reported from the systems like this:

index="Customer_Index" source="*metrics.log" per_index_thruput series="Customer_Index_group" | stats sum(kb) as kb_indexed | eval GB = round(kb_indexed/1024/1024,2) | gauge GB 0 7 14 21 28

However, these two numbers are very different.
Granted, the search on the _internal index runs much faster, but my users do not have access to the _internal index and they would like to know how much data their index is using. I see a volume that is much larger on the search for index=_internal than they can see using index="Customer_Index".

Why would the _internal index show more than the info from the $splunk/etc/var/log/splunk/metrics.log?

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

You give their role access to _internal and add this to their search restriction terms:

(index!=_internal OR (source=*metrics.log series="Customer_Index"))

In this fashion you could also give them access to their entire UF logs by adding their hosts (or a host tag) here.

http://docs.splunk.com/Documentation/Splunk/4.3.1/Admin/Addandeditroles#Search_filter_format

martin_mueller
SplunkTrust
SplunkTrust

I recommend keeping the restriction on the source field in _internal - else they'll be able to see random events that happen to contain series=customer_index caught by default key-value extraction.

0 Karma
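To make the accepted answer's role filter and Martin's follow-up about the source restriction concrete, here is an added example (not code from the thread or from Splunk) that models the filter `(index!=_internal OR (source=*metrics.log series="Customer_Index"))` in Python over a handful of constructed events. It mimics Splunk's default search-time key=value extraction with a regex, compares the filter with and against a weaker variant that keys only on `series=`, and sums `per_index_thruput` kb into GB the way the asker's search does. The file paths, hostnames and kb values are constructed sample data, and `customer_index` is used as the series name.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatch


# Minimal model of a Splunk event: the two indexed fields the role filter
# references (index, source) plus the raw text that key=value extraction reads.
@dataclass
class Event:
    index: str
    source: str
    raw: str


# Constructed sample events for this example (paths and values are assumed).
EVENTS = [
    Event("_internal", "/opt/splunk/var/log/splunk/metrics.log",
          'group=per_index_thruput, series="customer_index", kbps=0.52, eps=1.0, kb=1048576.000, ev=31'),
    Event("_internal", "/opt/splunk/var/log/splunk/metrics.log",
          'group=per_index_thruput, series="customer_index", kbps=0.61, eps=1.2, kb=2097152.000, ev=40'),
    Event("_internal", "/opt/splunk/var/log/splunk/metrics.log",
          'group=per_index_thruput, series="other_index", kbps=3.10, eps=9.0, kb=5242880.000, ev=900'),
    Event("_internal", "/opt/splunk/var/log/splunk/metrics.log",
          'group=per_sourcetype_thruput, series="syslog", kbps=0.10, eps=0.5, kb=4096.000, ev=3'),
    # An unrelated splunkd.log line that happens to contain series=customer_index:
    # this is the kind of event Martin's source restriction keeps out of view.
    Event("_internal", "/opt/splunk/var/log/splunk/splunkd.log",
          "WARN IndexConfig - bucket roll series=customer_index host=idx01 detail=..."),
    Event("customer_index", "/var/log/app/app.log", "user login ok"),
]

# Mimics Splunk's default key=value extraction: quoted or bare values.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|([^,\s]+))')


def extract_kv(raw):
    """Return the key=value pairs found in an event's raw text."""
    fields = {}
    for m in KV_RE.finditer(raw):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def strict_filter(ev, series):
    """(index!=_internal OR (source=*metrics.log series="<series>")) -- the accepted answer.
    Field-value comparison is case-insensitive, as in Splunk search."""
    if ev.index != "_internal":
        return True
    return (fnmatch(ev.source, "*metrics.log")
            and extract_kv(ev.raw).get("series", "").lower() == series.lower())


def weak_filter(ev, series):
    """(index!=_internal OR series="<series>") -- same idea without the source restriction."""
    if ev.index != "_internal":
        return True
    return extract_kv(ev.raw).get("series", "").lower() == series.lower()


def visible(events, flt, series):
    """Events a role with the given search filter would be able to see."""
    return [ev for ev in events if flt(ev, series)]


def indexed_gb(events, series):
    """The asker's search: sum kb over per_index_thruput rows of one series, as GB (2 dp)."""
    kb = 0.0
    for ev in events:
        if not fnmatch(ev.source, "*metrics.log"):
            continue
        f = extract_kv(ev.raw)
        if f.get("group") == "per_index_thruput" and f.get("series", "").lower() == series.lower():
            kb += float(f["kb"])
    return round(kb / 1024 / 1024, 2)


if __name__ == "__main__":
    for name, flt in (("strict", strict_filter), ("weak", weak_filter)):
        seen = visible(EVENTS, flt, "Customer_Index")
        print(f"{name}: {len(seen)} events visible, sources: {sorted({e.source for e in seen})}")
    print("GB indexed for customer_index:", indexed_gb(visible(EVENTS, strict_filter, "Customer_Index"), "Customer_Index"))
```

Running the block shows the strict filter exposing only the two customer metrics rows plus the customer's own index, while the weak filter also leaks the splunkd.log line; both still yield the same 3.0 GB figure for the customer's index, which is the point of the answer: the user gets their volume number without broader access to _internal.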

hartfoml
Motivator

This is the final filter, if anyone is interested. Thanks Martin for getting me there.

index=customer_index OR (index=_internal AND series="customer_index")

0 Karma

hartfoml
Motivator

I will try this out as soon as I can. Could you add this as your answer and if it works I can give you credit for the answer 🙂

0 Karma

hartfoml
Motivator

Thanks for helping Martin, I really appreciate it.

So how would I do that? All the customer users are in a group/role. The group has access to their index.

I would give them access to _internal, but how do I restrict access in only the _internal index to the search term [series="Customer_Index_group"]?

I am on version 4.3.1, build 119532. PS will be onsite to help with the upgrade in 8 weeks. Until then I cannot upgrade.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You could give them access to _internal but restrict that to metrics about their index.

0 Karma

hartfoml
Motivator

They are for the UF. I know this is maybe not best practice because the metrics.logs put in the customer's index count against the license.

Where is the best place to record the UF metrics logs so that they don't count against the license, and how could I give this info to the customer without letting them see too much?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Are those metrics from the UFs or from the Indexers?

0 Karma

hartfoml
Motivator

So that the customer [who did not want to install the Splunk UF] can see and troubleshoot Splunk UF issues.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Why does your customer index contain Splunk metrics logs?

0 Karma