I am trying to configure explicit information access based on roles in Splunk Enterprise.
I have configured a number of event types and field extractions. Is it possible to configure access to an event type, but not allow access to 1 field in a multi-field matcher? E.g. the example below illustrates what I am trying to achieve:
event type "SomeInfo" search term: "SomeInfo: "
field extractor "InfoExtr" regex: aField: (?P<FieldA>[^,]+), bField: (?P<FieldB>[^,]+), cField: (?P<FieldC>[^,]+)
log example: SomeInfo: aField: foo, bField: bar, cField: 99
I would like to allow a role to access FieldA and FieldB, but not FieldC. Is this possible?
I have the following in the Restrict search terms: (eventtype="SomeInfo" OR eventtype="Other"). I have tried adding (NOT FieldC) (doesn't filter) or (NOT FieldC="*") (filters entire event).
I would suggest indexing the same data to two indexes. Anonymize (http://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedatausingconfigurationfiles) the data going into one index and give one user/group access to that index. Let the data go into the second index as is and give access to that index to the other user/group.
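One way to wire up the two-index approach from this answer, as an added example rather than the answerer's own configuration: clone each event to a second sourcetype, mask the cField value in the clone with an index-time rewrite of _raw, route the clone to a separate index, and let the restricted role search only that index. The file each stanza belongs to is given in the comments; the monitor path, sourcetype names, index names and role name are assumptions, and the someinfo_anon index must already exist in indexes.conf.

```ini
# props.conf -- original feed (path and sourcetype are assumed).
# The original events stay in whatever index inputs.conf assigns.
[source::/var/log/someinfo.log]
sourcetype = someinfo
TRANSFORMS-clone = clone_to_anon

# props.conf -- the cloned copy: mask cField first, then route it.
# Transforms listed in one TRANSFORMS- setting run in the order given.
[someinfo_anon]
TRANSFORMS-anon = mask_cfield, route_anon_index

# transforms.conf -- make a copy of every event under the new sourcetype.
[clone_to_anon]
REGEX = .
CLONE_SOURCETYPE = someinfo_anon

# transforms.conf -- keep everything up to "cField: ", replace the value,
# keep the remainder. For the log example in the question the clone becomes:
#   SomeInfo: aField: foo, bField: bar, cField: [MASKED]
# so the InfoExtr extraction still runs, but FieldC never holds the real value.
[mask_cfield]
REGEX = ^(.*cField: )[^,]+(.*)$
FORMAT = $1[MASKED]$2
DEST_KEY = _raw

# transforms.conf -- send the masked clone to its own index.
[route_anon_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = someinfo_anon

# authorize.conf -- the restricted role can only search the masked index;
# the unrestricted role keeps access to the index holding the originals.
[role_someinfo_limited]
srchIndexesAllowed = someinfo_anon
srchIndexesDefault = someinfo_anon
```

Because the masking happens at index time, a user in role_someinfo_limited cannot recover cField by widening the search or by reading _raw, which is the gap the search-restriction attempts in the question could not close.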
thanks, that makes sense, nice approach.
doesn't look like it.
assuming this isn't possible?