I have a Splunk Enterprise setup, with a handful of main indexers and their own search head clusters, and a bunch of little departmental indexers paired with individual search heads.
One of the departments wants to be able to see things from the main indexers from their departmental search head. I don't want them to be able to see everything on the main indexers (say they have an index named "web" on their department indexer, for example, and there is also an index named "web" on the main indexers), so can I limit roles using srchFilter by search_server?
I know I can limit by host by index, so that they can see `(host=*.dept.example.com AND index=web) OR (host=dept*.main.example.com AND index=web)`, and combine that with index names, but when the department starts adding more indexes, and there's more name collision, it'll be hard to sustain, and we've got 30-ish depts so far.