topic Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment? in Security

How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

vsingla1 — Tue, 07 Apr 2015 15:02:57 GMT

Can I restrict a user to search on a specific set of peers? e.g there are 3 search peers in our splunk enterprise environment, so how can I restrict a user to search by default on only 2 peers and exclude the third one? I know this sort of restriction can be done on an index (internal vs non-internal).

Thanks,
Vineet

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

rsennett_splunk — Wed, 08 Apr 2015 02:43:19 GMT

Can I ask why? That might make your need more clear.
When you say "search" do you mean ad_hoc searches? All searches? Are all the indexes the same on all three?

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

rsennett_splunk — Wed, 08 Apr 2015 03:02:28 GMT

This might be helpful to you in the meantime: http://answers.splunk.com/answers/215164/how-do-i-restrict-searches-to-specific-search-peer.html#answer-227115

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

vsingla1 — Wed, 08 Apr 2015 13:31:50 GMT

I read it in the Splunk Search manual for 6.1.4. Below is the exact line copied from the manual:
"The default peers that you can access are controlled by the roles and permissions associated with your profile and set by your Splunk admin. For more information, see "About users and roles" in Securing Splunk".

I know it can be specified in the search like splunk_server=. But the manual says it can be controlled via roles and permissions also. That lead to my curosity.

Thanks,
Vineet

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

vsingla1 — Thu, 09 Apr 2015 16:50:51 GMT

Suppose there are three roles - Role1,Role2,Role3. The link that you provided explains that all roles can be restricted to a specific search peer.
But is it possible to customize and restrict Role1 to Peer1. Role2 to Peer2 and Role3 to Peer1.
I know it can be done for index like Role1 to Index2 and Role2 to Index3 and Role3 to Index1.

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

rsennett_splunk — Thu, 09 Apr 2015 16:56:40 GMT

No, the link to the other answer does not mention "roles". You're right. You can assign specific default indexes to roles, you cannot define specific search peers per role.

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

vsingla1 — Thu, 09 Apr 2015 17:17:48 GMT

As I said earlier, from the manual, it seemed this kind of setting could be accomplished. So I thought of exploring more on it. But it seems the search came to a dead end.

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

alacercogitatus — Mon, 28 Sep 2020 19:30:07 GMT

Yes! You can. So let's make a role, call it TwoPeer. TwoPeer is created in the web interface and has a special setting called "Search Filter". In this box, place the search that will be appended to all searches that are assigned this role. So "splunk_server=sp1 OR splunk_server=sp2" would restrict to those two indexers. Search Filter of "NOT splunk_server=sp3" would give you almost the same result, but would allow the user to search "sp4" if one ever came on line.

You can also set srchFilter on the authorize.conf file where the roles are defined.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Authorizeconf

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

vsingla1 — Fri, 10 Apr 2015 16:14:25 GMT

I got it. thats very much doable. thanks for the reply.

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

alacercogitatus — Fri, 10 Apr 2015 16:15:58 GMT

please mark the answer as accepted if it has successfully answered your question. Thanks!

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

vsingla1 — Fri, 10 Apr 2015 16:20:48 GMT

Done!!!!!!

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

Lucas_K — Fri, 24 Apr 2015 10:45:57 GMT

It should be noted that there is a bug (well I think its a bug) with using search filters and roles.

It has a weird behavior unlike any other setting in splunk.

If you use any sort of imported role which has search filter, it will NOT be applied IF your current role doesn't explicitly state a search filter option, If you DO include it then it will stack the filters together and not apply the highest level precedence stanza (ie. the normal operation for every single other stanza in splunk).

ie. a broken configuration :

role_user 
 srchFilter = splunk_server=server_1

role_custom_user 
import_role = user

I found this issue when trying to apply a filter to roles all of which inherited admin/power or user roles.
You have to explicitly give every role a filter unfortunately which makes inheritence useless. I had to manually add the filter for 300+ roles 😞