Splunk Enterprise Security

Is there a supported and easy way to exclude Splunk's internal logs from the access_center in Splunk ES?

daniel333
Builder

All,

Is there a supported and easy way to exclude Splunk's internal logs from the access_center in Splunk ES? possible to just block reading the hidden indexes?

0 Karma

jneighbors_splu
Splunk Employee
Splunk Employee

You can just modify the searches for the dashboards to not include the _internal index. This can be done in the dashboard panels themselves or in the xml.

I believe the following doc should have the info you would need fot this.

http://docs.splunk.com/Documentation/Splunk/7.0.3/Viz/DashboardEditor

0 Karma

deepashri_123
Motivator

Hey daniel333,

Is there any particular reason to this?
You can disable internal indexes for specific roles.
You can refer this doc:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Security/Aboutusersandroles

Let me know if this helps!!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...