I have a main centralized Splunk index server with logs for 50+ hosts. I have a secondary Splunk instance for a smaller application where it logs its own data. I would like to set the smaller instance up as a search head to the centralized server so it can see a small subset of data on the central server which is isolated to one index.

How do I restrict what the search head sees on the search peer, or can it see everything?

Note: I'm not talking about restricting the search, which is the topic of another question, but about restricting the access, to ensure they don't see other data at all.

asked 01 Apr '11, 03:04

warrenpage


2 Answers:

Currently the search head sees everything. We're considering adding the concept of a "search head user account" on the indexer to allow the indexer administrator to restrict what the search head can do, but this would come in a future release.

answered 01 Apr '11, 14:00

Stephen Sorkin ♦

Thanks, that answers my question.

(04 Apr '11, 10:56) warrenpage

Is it now possible to restrict distributed searches on the indexers?

answered 17 May, 06:59

splunk_bit

Copyright © 2005-2012 Splunk Inc. All rights reserved.