Hey all:
We've got a private cloud (Eucalyptus) and we are using Splunk to help monitor and manage certain aspects of the cloud environment. One aspect is that we want to give cloud accounts their own Splunk account and allow them to use the Unix app to monitor the health of the VMs they are running. They should only be able to see Unix data for the VMs they "own" and no data for any other VMs running in the cloud under a different cloud account.
Each Splunk account that corresponds to a cloud account will have read access to only 2 indexes:
1) an index for their non "OS" data
2) an index for their "OS" data with naming convention "os_[account_name]"
This will limit the user to only see OS data in the Unix app for the data in their OS specific index.
The change on the forwarder is very straightforward and I have seen it discussed here before. All that needs to be done is to make an inputs.conf in the local dir of the unix app and change "index=os" to send data to the new index for the corresponding VM owner, "index=os_[account_name]".
The change on the actual unix app on the central web/indexer that users will use when they log into the Splunk web interface is not as straightforward. I'm assuming I need to change all occurrences of "index=os" in multiple files under [SPLUNK_HOME]/etc/apps/unix/default to "index=os*" so that the unix app will search all "OS" related indexes instead of just the single "os" index and only return data from the OS indexes that the user is allowed to see (RBAC). There are multiple files that contain "index=os" with many occurrences...
The files I think I would need to make my own "local" copies of for this change are:
1) [SPLUNK_HOME]/etc/apps/unix/default/macros.conf
2) [SPLUNK_HOME]/etc/apps/unix/default/data/ui/views (bunch of files here)
3) [SPLUNK_HOME]/etc/apps/unix/default/savedsearches.conf (most important?)
Basically the question is how can I make the Unix app web interface (dashboard/searches) still work if I want it to use a different index than the default "index=os"? Do I really need to change every occurrence of "index=os" in all the above files?
Thanks for any and all suggestions!
Cheers,
Erik
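The three configuration pieces the post relies on, written out as an added example (not from the original post or from the Splunk Unix app itself): the per-account index override on the forwarder, the index definition on the indexer, and the role that limits the account to its two indexes so that an "index=os*" search still returns only the data the user is allowed to see. The account name "acme", the index name "acme_app" for the non-OS index, and the `[script://./bin/vmstat.sh]` stanza name are constructed placeholders; substitute the stanza names that actually appear in the app's default/inputs.conf.

```ini
# --- On the forwarder: $SPLUNK_HOME/etc/apps/unix/local/inputs.conf ---
# A local stanza with the same name as the default one overrides only the
# attributes listed here; the script path, interval and sourcetype stay as
# shipped. Repeat for every scripted input the account's VMs should report.
# (Stanza name is a placeholder; copy the exact name from default/inputs.conf.)
[script://./bin/vmstat.sh]
index = os_acme

# --- On the indexer: $SPLUNK_HOME/etc/system/local/indexes.conf ---
# One OS index per cloud account, following the "os_[account_name]" convention.
[os_acme]
homePath   = $SPLUNK_DB/os_acme/db
coldPath   = $SPLUNK_DB/os_acme/colddb
thawedPath = $SPLUNK_DB/os_acme/thaweddb

# The account's non-OS index (name is a placeholder).
[acme_app]
homePath   = $SPLUNK_DB/acme_app/db
coldPath   = $SPLUNK_DB/acme_app/colddb
thawedPath = $SPLUNK_DB/acme_app/thaweddb

# --- On the search head: $SPLUNK_HOME/etc/system/local/authorize.conf ---
# The role for this cloud account may search only its own two indexes.
# srchIndexesDefault controls what a bare search (no index= clause) hits;
# srchIndexesAllowed is the hard limit the search layer enforces, so a
# dashboard searching "index=os*" can only ever match os_acme for this role.
[role_cloud_acme]
importRoles        = user
srchIndexesAllowed = os_acme;acme_app
srchIndexesDefault = os_acme;acme_app
```

Because the role's `srchIndexesAllowed` is what actually filters results, the app-side change can stay a single wildcard (`index=os*`) rather than per-account edits, and each Splunk user is mapped to the matching `role_cloud_<account>`. After editing any of these files, restart the forwarder and run a quick `index=os_acme` search as the restricted user to confirm both that data arrives and that no other `os_*` index is visible to that role.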