I am far from being an advanced user of splunk and as a result have a question that I would imagine would be quite simple. What we have used Splunk for up to now, is to dump some of our HP Blade components logs into a syslog server so that we can generate alerts if something happens.
Now, I have other logs that I would like to send into splunk, however I want to separate my HP component logs from these new logs. Is this possible?
I would also like to grant access to a specific group of users to see these new logs....but I don't want them to see anything else (The HP Blade logs).
Thanks!
Put the HP logs and the new logs in their own Splunk Indexes
Then use role based permissions to determine which roles have visibility of those indexes.
For a "newbie" it will be simplest to set up a separate data input for each source.
However it is also possible to use the same data input and dynamically set the index based on the content or source, host etc... of the incoming data (using props.conf and transforms.conf)
Thanks for the quick response!!
So I have all this now. For the role, I copied the basic user role, however gave it access to search the new index that I created.
Another dumb question...I just want to verify that I need to create a separate data input using a different port for these logs and make sure that it is set to the index that I created...is that correct?
Thanks!!
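The configuration behind the answer above (two indexes, one network input per index, a role limited to one index, and the optional props/transforms routing) written out as an added example; it is not from the thread's participants or from Splunk's shipped defaults. The index names `hp_blade` and `app_logs`, the UDP ports 5514 and 5515, the role name `app_log_readers`, the sourcetypes and the host regex are all assumed placeholders, so substitute your own. Each stanza goes in the named file under an app's `local/` directory (for example `$SPLUNK_HOME/etc/apps/search/local/`) on the indexer, and the indexer needs a restart for the input and index changes.

```ini
# indexes.conf (assumed names): one index per log population so that
# access can be granted per index rather than per search.
[hp_blade]
homePath   = $SPLUNK_DB/hp_blade/db
coldPath   = $SPLUNK_DB/hp_blade/colddb
thawedPath = $SPLUNK_DB/hp_blade/thaweddb

[app_logs]
homePath   = $SPLUNK_DB/app_logs/db
coldPath   = $SPLUNK_DB/app_logs/colddb
thawedPath = $SPLUNK_DB/app_logs/thaweddb

# inputs.conf: the "separate data input per source" option. Each listener
# pins its events to one index, so nothing from the new sources can land
# in the HP index by accident. Ports are assumed; pick free ones.
[udp://5514]
index           = hp_blade
sourcetype      = hp_blade_syslog
connection_host = dns

[udp://5515]
index           = app_logs
sourcetype      = app_syslog
connection_host = dns

# authorize.conf: a role that can search only the new index. Index access
# is additive across imported roles, so only import a parent role whose own
# srchIndexesAllowed does not already cover hp_blade (or every index).
[role_app_log_readers]
importRoles        =
srchIndexesAllowed = app_logs
srchIndexesDefault = app_logs
srchFilter         =
search             = enabled

# props.conf + transforms.conf: the alternative in the answer, where one
# shared input feeds both populations and the index is chosen per event.
# Events arriving on one listener with sourcetype "shared_syslog" are
# re-routed to hp_blade when the sending host matches the (assumed) regex;
# everything else keeps the index set on the input (app_logs).
# --- props.conf ---
[shared_syslog]
TRANSFORMS-route_hp = route_hp_hosts_to_hp_index

# --- transforms.conf ---
[route_hp_hosts_to_hp_index]
SOURCE_KEY = MetaData:Host
REGEX      = ^(hp-blade|enc)\d+
DEST_KEY   = _MetaData:Index
FORMAT     = hp_blade
```

To check the result rather than trust it, log in as a user holding only `app_log_readers` and run `| eventcount summarize=false index=*`: it lists every index that user is permitted to search, and `hp_blade` should be absent. On the indexer, `splunk btool inputs list --debug` and `splunk btool authorize list role_app_log_readers --debug` show which file each effective setting came from, which is the quickest way to spot a stray `index =` on the wrong input or an inherited index allowlist that silently widens the role.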