I have two types of people that need to access the same data source, but one of them must access anonymized data.
I have created two applications and I tried to force the sourcetype in props.conf and transforms.conf, but Splunk merged both and only one transform is applied.
Props.conf
First App :
[source::.../user/haddadm/share/hls/commun/data/reception/access/env=homo/*/*/*]
TRANSFORMS-sourcetype = source1
Second App :
[source::.../user/haddadm/share/hls/commun/data/reception/access/env=homo/*/*/*]
TRANSFORMS-sourcetype2 = source2
Transforms :
First App :
[source2]
DEST_KEY = MetaData:Sourcetype
REGEX = .*
FORMAT = sourcetype::access2
Second App:
[source2]
DEST_KEY = MetaData:Sourcetype
REGEX = .*
FORMAT = sourcetype::access2
Can someone help me?
One event can have only one source type, think of it as a tag which gets added upon indexing. If you need the clear and the anonymized data, I would copy the data to a second index and anonymize the data during this copy. So you can create a role which has only access to this index, and thus only to the anonymized data.
If it is not that important, you could create an app which does not show the clear data, create a restricted role for this app so it has access to this index, but can not execute any free from search. Then grant only this app to a certain role. But if one user has an additional role which allows access to the search app, then this user is able to search the index and see the clear data, something you probably don't want.