Splunk Search

In a Distributed Search environment, how do I restrict what indexes (or sources) the Search head sees on the Search Peer?

warrenpage
Explorer

I have a main centralized splunk index server with logs for 50+ hosts. I have a secondary Splunk instance for a smaller application where it logs its own data. I would like to set the smaller instance up as a search head to the centralized server so it can see a small subset of data on the central server which is isolated to one index.

How do I restrict what the search head sees on the search peer, or can it see everything?

Note - not talking about restricting the search which is topic of another question but the access to ensure they don't see other data at all.

Tags (1)
1 Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee

Currently the search head sees everything. We're considering adding the concept of an "search head user account" on the indexer to allow the indexer administrator to restrict what the search head can do, but this would come in a future release.

View solution in original post

Kellhart
Engager

splunk_server= ?

0 Karma

splunk_bit
New Member

Is it now possible to restrict distributed searches on the indexers ?

0 Karma

Stephen_Sorkin
Splunk Employee
Splunk Employee

Currently the search head sees everything. We're considering adding the concept of an "search head user account" on the indexer to allow the indexer administrator to restrict what the search head can do, but this would come in a future release.

finnbar
New Member

I'm also wanting to do this. Another group within our organisation uses Splunk. I want to allow them to add my Splunk indexers as search peers, but only see data that's relevant to them Any updates?

0 Karma

warrenpage
Explorer

thanks that answers my question

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...