Right now my app sends logs to a raw TCP input. Seems like this is effectively saying that anyone can add data to that input, but whoever configured it ultimately controls where the data is stored (which index(es)).
Can I instead define a role whose only ability is to post data to a specific index?
I was looking through the role capabilities and nothing jumped out at me, but I am new and may just be missing something.
http://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities