Splunk Search

How to make sure Splunk does not search some indexes?

neeravmathur
Path Finder

Hi Guys,

We have 1 indexer and 1 search head in 2 different datacenter locations (let's say DC-A and DC-B).

Since DC-A is being decommissioned, we have been directed to copy the indexed data from the indexer in DC-A to the indexer in DC-B.

Now, the indexer in DC-B has enough SAN to hold the indexed data from both datacenters, but we would want to move/store the data in such a way that the SH in DC-B is not able to search the data from DC-A.

So basically, I am looking at how to store data in the indexer but make it non-searchable.

Any ideas, how to best proceed with this? Appreciate the help !!

Thanks,

Neerav Mathur 

1 Solution

gcusello
SplunkTrust

Hi @neeravmathur,

There is only one way to make an index non-searchable: remove read grants for all roles except admin on those indexes.

This is possible if the index has a different name; if instead you have the same index name in both DC-A and DC-B, it isn't possible to block access only to the data from DC-A.

Ciao.

Giuseppe

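The accepted answer relies on the index-level read grants that Splunk keeps in authorize.conf (srchIndexesAllowed per role, additive across importRoles, with `*` matching every non-internal index and `_*` the internal ones). The check that matters in practice is therefore not "did I remove the index from one role" but "is there any role, directly or by inheritance, whose patterns still match the legacy index". The script below is an added example written for this page, not code from the thread or from Splunk: it parses a constructed authorize.conf, resolves role inheritance, applies Splunk's glob rules and reports every role that could search a hypothetical `dca_main` index holding the DC-A data. The role names, the `dca_main` index name and the two conf texts are assumptions for the demonstration. As the answer notes, this only works if the DC-A data lives in an index with its own name.

```python
"""
Which Splunk roles can search a given index, computed from authorize.conf.

Added example, not code from the thread or from Splunk. It resolves
importRoles inheritance (srchIndexesAllowed is a union over the chain),
applies Splunk's index globs (`*` = all non-internal indexes, `_*` = the
underscore-prefixed internal ones) and reports the roles that would be
allowed to search the legacy index copied from DC-A.
"""
import configparser
import fnmatch

# Constructed authorize.conf (hypothetical roles). `dca_main` is the
# hypothetical index holding the DC-A data; only `admin` should read it.
AUTHORIZE_CONF_BEFORE = """
[role_admin]
srchIndexesAllowed = *;_*
srchIndexesDefault = main

[role_power]
importRoles = user
srchIndexesAllowed = *
srchIndexesDefault = main

[role_user]
srchIndexesAllowed = main;os
srchIndexesDefault = main

[role_soc_analyst]
importRoles = power
"""

# Same file after the fix: no wildcard left that would swallow dca_main.
AUTHORIZE_CONF_AFTER = """
[role_admin]
srchIndexesAllowed = *;_*
srchIndexesDefault = main

[role_power]
importRoles = user
srchIndexesAllowed = main;os;security
srchIndexesDefault = main

[role_user]
srchIndexesAllowed = main;os
srchIndexesDefault = main

[role_soc_analyst]
importRoles = power
"""


def _split(value):
    """Splunk lists in authorize.conf are semicolon-separated."""
    return [item.strip() for item in value.split(";") if item.strip()]


def parse_roles(conf_text):
    """Return {role: {"import": [parents], "allowed": [index patterns]}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        roles[section[len("role_"):]] = {
            "import": _split(cp.get(section, "importRoles", fallback="")),
            "allowed": _split(cp.get(section, "srchIndexesAllowed", fallback="")),
        }
    return roles


def effective_allowed(roles, name, seen=None):
    """Union of srchIndexesAllowed over the role and everything it imports."""
    if seen is None:
        seen = set()
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    patterns = set(roles[name]["allowed"])
    for parent in roles[name]["import"]:
        patterns |= effective_allowed(roles, parent, seen)
    return patterns


def pattern_matches(pattern, index):
    """Splunk glob rule: a pattern without a leading `_` never matches an internal index."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index, pattern)


def roles_that_can_search(conf_text, index):
    """Sorted list of roles whose effective patterns match `index`."""
    roles = parse_roles(conf_text)
    return sorted(
        name for name in roles
        if any(pattern_matches(p, index) for p in effective_allowed(roles, name))
    )


def offending_roles(conf_text, index, permitted=("admin",)):
    """Roles that can search `index` but are not on the permitted list."""
    return [r for r in roles_that_can_search(conf_text, index) if r not in permitted]


if __name__ == "__main__":
    for label, conf in (("before", AUTHORIZE_CONF_BEFORE), ("after", AUTHORIZE_CONF_AFTER)):
        print(label, "-> offending roles for dca_main:", offending_roles(conf, "dca_main"))
```

Run it against the authorize.conf actually in effect on the search head (that is where role membership is evaluated for distributed searches), not the one on the indexer. Two caveats that a practitioner would want: a bare `*` in any inherited role silently re-grants the legacy index, which is why the "before" file flags both `power` and `soc_analyst` even though neither names the index; and this is a search-time control only, so the raw buckets stay readable to anyone with filesystem access on the DC-B indexer.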


neeravmathur
Path Finder

That worked like a charm !!

Thanks Again...


gcusello
SplunkTrust

Hi @neeravmathur,

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉


neeravmathur
Path Finder

@gcusello 

This is exactly what I was hoping to hear. Will surely try that and will update you.

Thanks a lot for your quick and prompt response...

Thanks,

Neerav


gcusello
SplunkTrust

Hi @neeravmathur,

Nice to help you; tell me if I can help you more, and don't forget to accept the answer at the end of your check, for the other people of the Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉


isoutamo
SplunkTrust

Hi

I'm not sure if I understood your issue correctly.

If you just want to store that data from the old indexers somewhere, then probably the easiest way is to move it from cold to frozen and then store those frozen buckets on some dedicated SAN storage area (a separate filesystem on another box). Then you can get them back if needed as thawed buckets.

If you have data in indexes (hot/warm/cold), then this data is always searchable. Of course you can add a search filter to users that contains something like "splunk_server = idx-b", and then users have this restriction on their searches. IMHO: personally I don't like search filters, as they usually generate more issues than they solve in the long run.

r. Ismo
