Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to make sure Splunk does not search some indexes?

neeravmathur
Path Finder
‎03-16-2022 11:19 PM

Hi Guys,

We have 1 indexer and 1 Search head in 2 different datacenter locations. (Lets say DC-A and DC-B)

Since DC-A is being decommissioned, we have been directed to copy the indexed data from the Indexer in DC-A to Indexer in DC-B. 

Now, Indexer in DC-B has enough SAN to hold the indexed data from both the Datacenters but we would want to move/store the data in such a way that SH in DC-B is not able to search data from DC-A.

So basically, I am looking at how to store data in indexer but make it non searchable.

Any ideas, how to best proceed with this? Appreciate the help !!

Thanks,

Neerav Mathur 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-17-2022 12:26 AM

Hi @neeravmathur,

there only one way to make non searchable an index: removing read grants for all the roles except admin on those indexes.

This is possible if it has a different name, if instead you have the same index name both in DC-A and DC-B it isn't possible block accesses only to data from DC-A.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-17-2022 12:26 AM

Hi @neeravmathur,

there only one way to make non searchable an index: removing read grants for all the roles except admin on those indexes.

This is possible if it has a different name, if instead you have the same index name both in DC-A and DC-B it isn't possible block accesses only to data from DC-A.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

neeravmathur
Path Finder
‎03-20-2022 10:35 PM

That worked like a charm !!

Thanks Again...

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-21-2022 12:47 AM

Hi @neeravmathur,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

0 Karma
Reply
Solved! Jump to solution

neeravmathur
Path Finder
‎03-17-2022 07:44 AM

@gcusello 

This is exactly what I was hoping to hear...Will surely try that and will update you..

Thanks a lot for your quick and prompt response...

Thanks,

Neerav

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-17-2022 08:00 AM

Hi @neeravmathur,

nice to help you, tell me if I can help you more, and don't forget to accept the answer at the end of your check

for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎03-17-2022 12:25 AM

Hi

I'm not sure if I understood your issue correctly or not?

If you want just store that data from old indexers to somewhere, then probably the easiest way is to move from cold to frozen and then store those frozen buckets on some dedicates SAN storage area (separate filesystem on another box). Then you can get those back if needed as a thawed buckets.

If you have data on indexes (hot/warm/cold) then this data is always searchable. Of course you can add search filter to users which contains something like "splunk_server = idx-b" and then users has this restrictions on their searches. IMHO: personally I don't like search filters as those usually generates more issues than solves on long run.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...