Hi everyone,
I need to find a way to filter the data that specific roles access inside an index. For example:
Index=servers
The index has servers from Windows, Linux, and ostype3
We want to have the following:
roleA has access to index=servers (but just sees Windows servers)
roleB has access to index=servers (but just sees Linux servers)
roleC has access to index=servers (but just sees ostype3 servers)
This can be achieved by using search filters, and it worked OK. However, if I then have a role that can:
RoleD has access to index=servers (but just sees Windows servers)
RoleD has access to index=firewalls
This then will not work for roleD. RoleD will not be able to search index=firewalls, as the search filter takes precedence and limits the user to seeing just the data in:
RoleD has access to index=servers (but just sees Windows servers)
So, I'm trying to find a new solution that allows me to do what I need, and a summary index came to mind. However, I'm struggling with something.
When my data is sent to the summary index, its sourcetype is changed to stash. And then my data is not parsed as it is in the original index.
Let's suppose I change the sourcetype from stash to the original sourcetype; that will then make me use a lot more license and double it up.
So, that's why I'm asking here for help. What solutions do I have? Am I missing something or doing something wrong? Thanks in advance if someone can help me on this. 🙂
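The roleD case from the post, written as an authorize.conf sketch. This is an added example, not part of the original post: the stanza name follows the post's role name, and the sourcetype pattern `windows:*` is a constructed placeholder for whatever indexed field actually separates the Windows servers.

```ini
# authorize.conf -- two alternative definitions of the same role; use only one.

# Variant 1 (the behaviour described in the post): an unscoped filter.
# srchFilter is applied to every search the role runs, in every index,
# so firewall events never match it and index=firewalls returns nothing.
[role_roleD]
srchIndexesAllowed = servers;firewalls
srchFilter = sourcetype=windows:*

# Variant 2: the restriction is scoped to the index it is meant for.
# Events in index=servers must match the Windows sourcetype (assumed value);
# events in index=firewalls pass the filter unrestricted.
[role_roleD]
srchIndexesAllowed = servers;firewalls
srchFilter = (index=servers sourcetype=windows:*) OR index=firewalls
```

Build the filter on index-time fields (index, host, source, sourcetype), since a filter on a search-time field is not a reliable access boundary.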