Thanks javiergn,

Yeah, i'll appreciate if you can explain more to me. Your suggestion sound less painful in the long run.

But i've a little issue here, i dont have a database. All the incoming data are syslog and pass directly to Splunk to process. Maybe your SQL quey methods will still works and i'm willing to give it a shot.

what your email or you can drop me an email @ p.zhao.y@gmail.com and we can discuss more from there.

Thanks

Hi,

If you can't easily import the files into SQL then the suggestion @jkat54 made is probably better:

• Create one app per department
• Grant that department access to the app
• Place each CSV within the context of its respective application. You can even use the same names

Another alternative is to have a master CSV file in the same way as I suggested within SQL:

• This master CSV file will contain all your data and also one or two more columns with the department and username that can see every row.
• Create an app for all your users in order to have a more granular access control
• Then create a dashboard/report that runs your lookup against the csv file and filters (using search or where) those results based on the name of the current user.
• You also need to ensure those users can't run custom searches (disable the search view for them) outside your dashboard or modify the dashboard/report, otherwise they'll be able to see the whole file

Does that make sense?

Thanks,

Yeah, it does make sense. I've a talk with my guys over the week and they said @jkat54 suggestion is prob the easiest way to go ahead.

As for creating of app, assuming if i've 100 departments, I'll have to create 100 apps, will that affect the performance?

As for searches, we have remove the view and everything is all run on background.

Hi,

An app by itself does not have an impact in performance. It all depends on what the app is doing. An app is just a bunch of config files pretty much, if the app is not running any background searches or something like that, the impact shouldn't be noticeable.

The only problem I see with 100 apps is from a GUI point of view. If you have access to 100 apps because you are a power user or admin, then you'll see 100 icons in your home page. Your home page is customisable anyway.

Managing those 100 apps could be a problem too if they are very different to each other. If not you can always script the creation.

Hi,

not too sure if this is allow but since we're taking about performance.

But I'm running 12 background searches, of which;
There are 10 searches that are calculating Averages:
And 7 that are calculating Total/Sum
Some of the charts are running both Total/Sum and Average.

I'm just wondering if there is any ways i can check and see which searches are affecting the performance, as the latest version is very laggy as compared to my previous version.

Thanks

You can click on the Activity tab and then Jobs to see the list of tasks currently running and some performance stats. You can use tools such as Splunk On Splunk if you want more details, but if this is still a problem I would recommend posting a new question about it as it'll reach more people.

THanks,
J

Thanks jkat54,

But i'll need them to access their respective lookup file and make changes, if necessary.
You suggested Read-Only, not too sure that will work.

My main worry is only let respective Department view their respective lookup, I'm afraid of overlap here or how can Splunk handle that.

@jkat54
Hey jkat54, I'm wondering if you're free to discuss about working on splunk project?
I've a Splunk Project but i'm looking for a Splunk Consultant to carry on working onto the next step.

If you're interested, drop me an email @ gambit_remy08@hotmail.com ....