I have a main centralized splunk index server with logs for 50+ hosts. I have a secondary Splunk instance for a smaller application where it logs its own data. I would like to set the smaller instance up as a search head to the centralized server so it can see a small subset of data on the central server which is isolated to one index.
How do I restrict what the search head sees on the search peer, or can it see everything?
Note - not talking about restricting the search which is topic of another question but the access to ensure they don't see other data at all.
asked 01 Apr '11, 03:04
Currently the search head sees everything. We're considering adding the concept of an "search head user account" on the indexer to allow the indexer administrator to restrict what the search head can do, but this would come in a future release.
answered 01 Apr '11, 14:00
Stephen Sorkin ♦
Is it now possible to restrict distributed searches on the indexers ?
answered 17 May, 06:59