Hi Experts,
I have 2 ESX servers which I've configured to send the syslog to a Splunk version 6 instance. It then forwards the data to another Splunk instance. I would like to see the data on the second Splunk box, but with 2 different users where each user sees only one server (i.e., user1 will see data for ESX 1.1.1.1 and user2 will see data from 2.2.2.2).
I've tried configuring 2 indexes and restricting the users by index, but it seems not to show anything when I log in with these users.
Is there an easy/smart way to restrict this/perform this operation?
Thanks in advance
You can set search restrictions per role, for example to host=1.1.1.1, to force the role to only load events with that host value.
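
The per-role restriction from this answer, written out as an `authorize.conf` fragment for the second Splunk instance (the one the users log in to). This is an added example, not part of the original answer: the role names are hypothetical, and it assumes the ESX syslog lands in the default `main` index with the `host` field set to the server address shown in the question.

```ini
# authorize.conf -- added example; role names are hypothetical.
# Host values are the ones used in the question.

[role_esx1_viewer]
# Inherit the ordinary search capabilities of the built-in "user" role.
importRoles = user
# Assumption: the ESX events are stored in the default "main" index.
# srchIndexesAllowed lists the indexes the role may search at all;
# srchIndexesDefault lists the indexes searched when the query names none.
srchIndexesAllowed = main
srchIndexesDefault = main
# Search filter applied to every search run under this role.
srchFilter = host=1.1.1.1

[role_esx2_viewer]
importRoles = user
srchIndexesAllowed = main
srchIndexesDefault = main
srchFilter = host=2.2.2.2
```

Assign user1 only `esx1_viewer` and user2 only `esx2_viewer`; a user who holds both roles is not limited to a single host.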