We are running Splunk Enterprise 6.6.0 with Splunk Enterprise Security distributed across several datacenters. We are making preparations for ingesting events from Windows servers, and I need recommendations for the best way to implement this. How do we allow individual business units to access only data related to their environment when they log in to the system? I understand Splunk bases its permissions on indexes; however, does this get complicated by the fact that Enterprise Security has already created three Windows-associated indexes for itself (perfmon, windows, wineventlog)? I would simply make new indexes for each business unit; however, we need Enterprise Security to parse the data as well.
Would tagging accomplish this goal? If we tag logs from systems within the sales department with the "salesBU" tag, we could use "tag=salesBU" during searches. Would there be a performance issue if we do it this way?
Thank you for your help.