Add ability to define an index to output the results to (and constrain searches to)
I have a possibly unique situation in that my “customers” are given different indexes because, like 2-year-olds in a sandbox, they don’t play well together. So, for instance, anything they contribute to Splunk goes into their own indexes, and instead of searching the main indexes for shared platforms (e.g. firewalls), that data is parsed out to summary indexes that only contain traffic with a src or dest of their subnet.
I would like to offer the network toolkit to the various departments but would need to limit their access to only their interactions with it. What would be ideal is having everything a user from deptA does when interacting with the toolkit go to index_deptA. I can see a couple of ways to do this: replicate the app with different names, default index, and permissions, or use forms on the various user apps which limit the searches to their subnets.
Adding index option for outputting search command data to an index