Splunk Search

How to make sure Splunk does not search some indexes?

neeravmathur
Path Finder

Hi Guys,

We have 1 indexer and 1 search head in 2 different datacenter locations (let's say DC-A and DC-B).

Since DC-A is being decommissioned, we have been directed to copy the indexed data from the indexer in DC-A to the indexer in DC-B.

Now, the indexer in DC-B has enough SAN to hold the indexed data from both datacenters, but we would want to move/store the data in such a way that the SH in DC-B is not able to search data from DC-A.

So basically, I am looking at how to store data in the indexer but make it non-searchable.

Any ideas on how to best proceed with this? Appreciate the help!!

Thanks,

Neerav Mathur

1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @neeravmathur,

There is only one way to make an index non-searchable: remove read grants on those indexes for all roles except admin.

This is possible if it has a different name; if instead you have the same index name in both DC-A and DC-B, it isn't possible to block access only to the data from DC-A.

Ciao.

Giuseppe

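As an added illustration of the accepted answer (not configuration from the original thread), this is what "removing read grants for all the roles except admin" looks like in authorize.conf, assuming the DC-A data was copied into a separately named index (placeholder `dca_archive`) and the DC-B production indexes are `dcb_main` and `dcb_security`:

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf on the search head in DC-B.
# Index names below are placeholders chosen for this example.

# Weak: the stock "user" role may search every non-internal index, so the
# wildcard silently covers the copied DC-A index (dca_archive) as well.
#[role_user]
#srchIndexesAllowed = *

# Corrected: enumerate only the DC-B indexes. srchIndexesAllowed is the union
# over importRoles, so every non-admin role a user inherits from must be
# tightened the same way, or the broader parent role re-grants access.
[role_user]
srchIndexesAllowed = dcb_main;dcb_security
srchIndexesDefault = dcb_main

[role_power]
importRoles = user
srchIndexesAllowed = dcb_main;dcb_security
srchIndexesDefault = dcb_main

# role_admin is left untouched: its default "*;_*" keeps dca_archive readable
# for admins only, which is exactly the split the answer describes.
```

After restarting the search head, a search such as `index=dca_archive | head 1` run as a non-admin user returns nothing, while the same search as admin still returns events; this only works because the DC-A data lives under its own index name, as the answer notes.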


neeravmathur
Path Finder

That worked like a charm!!

Thanks again...


gcusello
SplunkTrust
SplunkTrust

Hi @neeravmathur,

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉


neeravmathur
Path Finder

@gcusello

This is exactly what I was hoping to hear... Will surely try that and will update you.

Thanks a lot for your quick and prompt response...

Thanks,

Neerav


gcusello
SplunkTrust
SplunkTrust

Hi @neeravmathur,

Nice to help you. Tell me if I can help you more, and don't forget to accept the answer at the end of your check, for the other people of the Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉


isoutamo
SplunkTrust
SplunkTrust

Hi

I'm not sure whether I understood your issue correctly.

If you just want to store that data from the old indexers somewhere, then probably the easiest way is to move it from cold to frozen and then store those frozen buckets on some dedicated SAN storage area (a separate filesystem on another box). Then you can get them back if needed as thawed buckets.

If you have data in indexes (hot/warm/cold), then this data is always searchable. Of course you can add a search filter to users which contains something like "splunk_server = idx-b", and then users have this restriction on their searches. IMHO: personally I don't like search filters, as those usually generate more issues than they solve in the long run.

r. Ismo
