I have the following from a client:
I was about to make is for a new AD group “Splunk_CAPS_CAS_Payments” so that they are restricted to data that come from the source logging files
//LOG_CAPS_CAS_PaymentEDMS//CAPS//CAS_IN_msg_prod.log and //LOG_CAS_CAPS_InvoiceGL//CAS//CAPS_IN_msg_prod.log
Is this possible?
These users would only be able to pull the logs from the one CAPS_IN_msg_prod.log. How can this be done?
The only reliable way to limit access to data is to put that data in a separate index and restrict access to that index. Let's call that index "caps_cas".
AD group "Splunk_CAPS_CAS_Payments" would have their own Splunk role, I'll call it "CAPS_CAS_Payments". That role would have access only to the caps_cas index.
Sorry, it's for both the log files.//LOG_CAPS_CAS_PaymentEDMS//CAPS//CAS_IN_msg_prod.log and //LOG_CAS_CAPS_InvoiceGL//CAS//CAPS_IN_msg_prod.log