I have a main centralized splunk index server with logs for 50+ hosts. I have a secondary Splunk instance for a smaller application where it logs its own data. I would like to set the smaller instance up as a search head to the centralized server so it can see a small subset of data on the central server which is isolated to one index.
How do I restrict what the search head sees on the search peer, or can it see everything?
Note - not talking about restricting the search which is topic of another question but the access to ensure they don't see other data at all.
Currently the search head sees everything. We're considering adding the concept of an "search head user account" on the indexer to allow the indexer administrator to restrict what the search head can do, but this would come in a future release.
I'm also wanting to do this. Another group within our organisation uses Splunk. I want to allow them to add my Splunk indexers as search peers, but only see data that's relevant to them Any updates?
Is it now possible to restrict distributed searches on the indexers ?