Hi Everyone,
My case is:
I have my splunk in this structure:
/data/splunk/hotwarm (all logs, from all hosts, stay in this dir)
/data/splunk/cold
/data/splunk/frozen
How can I block some users to see logs from specific hosts? Or, how can I choose what hosts (all logs from that host) a specific user can see (search logs)?
Thanks,
Splunk's role-based permissions are only granular to the index level, so the only way would be to have the different hosts in different indexes, and limit one set of users (via a role) to the single index while the others (via a different role) see all the indexes.
See http://docs.splunk.com/Documentation/Splunk/5.0.4/Security/Aboutusersandroles