topic Re: What is wrong/issue if saved searches don't use index name for searching? Thank u for your time in advance. in Splunk Enterprise

What is wrong/issue if saved searches don't use index name for searching? Thank u for your time in advance.

SamHTexas — Mon, 13 Sep 2021 00:35:04 GMT

Is there a security issue or problem if a saved search don't use index name for searching? Should all saved searches use index names for searching? Thank u very much in advance.

Re: What is wrong/issue if saved searches don't use index name for searching? Thank u for your time in advance.

bowesmana — Mon, 13 Sep 2021 01:37:34 GMT

If you don't use an index statement, then your range of indexes searched will be at the whim of the administrator as to what indexes have been assigned as default indexes to the role the searching user is given.

See https://docs.splunk.com/Documentation/Splunk/8.2.2/Security/Addandeditroles

on searchable indexes.

Re: What is wrong/issue if saved searches don't use index name for searching? Thank u for your time in advance.

SamHTexas — Mon, 13 Sep 2021 03:08:05 GMT

Thank u very much for this. Am not clear yet. Would you elaborate a bit. What problems are caused & what happens to the searches?

Re: What is wrong/issue if saved searches don't use index name for searching? Thank u for your time in advance.

bowesmana — Mon, 13 Sep 2021 05:38:17 GMT

Take for example this search

sourcetype=mysourcetype myfield=abc

If your user role is configured to provide default indexes of 'main', then when you run a search without the index statement, you will ONLY search data from index=main. If your data exists in index=myindex then it will not be found

Re: What is wrong/issue if saved searches don't use index name for searching? Thank u for your time in advance.

PickleRick — Mon, 13 Sep 2021 07:15:26 GMT

I think you asked similar question already - some two weeks ago or so.

Remember that not every search needs a source index specification. You might do a | rest call. Or | makeresults. Or | ldapsearch. Or ...

Re: What is wrong/issue if saved searches don't use index name for searching? Thank u for your time in advance.

isoutamo — Mon, 13 Sep 2021 07:33:01 GMT

Shortly, i you don't define used index on savedsearches, you cannot know 100% sure which indexes are used (os should use) when user X have done search on time Y. Without index names, used index list has dynamically generated on time Y base on role(s) and access by X. Of course you cannot see used indexes even you have defined those on SPL query from audit logs, but if/when you have version control on place for configuration, you can look it there.

r. Ismo

Re: What is wrong/issue if saved searches don't use index name for searching? Thank u for your time in advance.

SamHTexas — Mon, 13 Sep 2021 14:27:14 GMT

Happy Monday & thank u for your reply. Let's say you don't define index for user searching!! Are there default indexes assigned to each roles in Splunk? Thank u again.

Re: What is wrong/issue if saved searches don't use index name for searching? Thank u for your time in advance.

SamHTexas — Mon, 13 Sep 2021 14:59:15 GMT

Thank u for your message. Would you share the full SPL for what you are teaching me please? Also is there a SPL to find what index is assigned to which search? Thank u again

Re: What is wrong/issue if saved searches don't use index name for searching? Thank u for your time in advance.

isoutamo — Mon, 13 Sep 2021 15:01:47 GMT

In plain splunk installation there is usually at least main-index as default index for role user. Then this is inherited to other roles by including this role into other roles.

You can check this from Settings -> Role and then select role + 3. Indexes. That shows which index are granted directly or are inherited from other roles.

r. Ismo

Re: What is wrong/issue if saved searches don't use index name for searching? Thank u for your time in advance.

isoutamo — Mon, 13 Sep 2021 15:13:03 GMT

You can start with this to see what user's has done.

index=_audit source=audittrail sourcetype=audittrail action=search | dedup user search | table _time user search

But remember that you can get information for only indexes which users have added to their SPL. If there are event types, macros or lookups used then you can see only those names and then you must look what those are and hope that those haven't changed after the SPL query has run.

As I said there is no way (or at least I haven't found it) to get real list of used indexes.

r. Ismo

Re: What is wrong/issue if saved searches don't use index name for searching? Thank u for your time in advance.

SamHTexas — Mon, 13 Sep 2021 15:34:43 GMT

Happy Monday & thank u for your reply. Let's say you don't define index for user searching!! Are there default indexes assigned to each roles in Splunk? Thank u again.