All Apps and Add-ons

restricting data by host

eladfe
Engager

Hi Experts,

I have 2 ESX servers which I've configured to send the syslog to a splunk version 6 instance. It then forwards the data to another splunk instance. I would like to see the data on the second splunk box, but with 2 diffrent users where each user sees only one server.(i.e user1 will see data for esx 1.1.1.1 and user2 will see data from 2.2.2.2).

I've tried configuring 2 indexes and restrict the users by index but it seem not to show anything when I log in with these users.
Is there an easy/smart way to restrict this/perform this operation?

Thanks in advanced

Tags (1)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You can set search restrictions per role, for example to host=1.1.1.1 to force the role to only load events with that host value.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...