- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to make sure Splunk does not search some index...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Guys,
We have 1 indexer and 1 Search head in 2 different datacenter locations. (Lets say DC-A and DC-B)
Since DC-A is being decommissioned, we have been directed to copy the indexed data from the Indexer in DC-A to Indexer in DC-B.
Now, Indexer in DC-B has enough SAN to hold the indexed data from both the Datacenters but we would want to move/store the data in such a way that SH in DC-B is not able to search data from DC-A.
So basically, I am looking at how to store data in indexer but make it non searchable.
Any ideas, how to best proceed with this? Appreciate the help !!
Thanks,
Neerav Mathur
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @neeravmathur,
there only one way to make non searchable an index: removing read grants for all the roles except admin on those indexes.
This is possible if it has a different name, if instead you have the same index name both in DC-A and DC-B it isn't possible block accesses only to data from DC-A.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @neeravmathur,
there only one way to make non searchable an index: removing read grants for all the roles except admin on those indexes.
This is possible if it has a different name, if instead you have the same index name both in DC-A and DC-B it isn't possible block accesses only to data from DC-A.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked like a charm !!
Thanks Again...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @neeravmathur,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is exactly what I was hoping to hear...Will surely try that and will update you..
Thanks a lot for your quick and prompt response...
Thanks,
Neerav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @neeravmathur,
nice to help you, tell me if I can help you more, and don't forget to accept the answer at the end of your check
for the other people of Community.
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I'm not sure if I understood your issue correctly or not?
If you want just store that data from old indexers to somewhere, then probably the easiest way is to move from cold to frozen and then store those frozen buckets on some dedicates SAN storage area (separate filesystem on another box). Then you can get those back if needed as a thawed buckets.
If you have data on indexes (hot/warm/cold) then this data is always searchable. Of course you can add search filter to users which contains something like "splunk_server = idx-b" and then users has this restrictions on their searches. IMHO: personally I don't like search filters as those usually generates more issues than solves on long run.
r. Ismo
Devesh Logendran, Splunk, and the Singapore Cyber Conquest
There's No Place Like Chrome and the Splunk Platform
Customer Experience | Join the Customer Advisory Board!
