<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Debugging filter strings used with role-based access in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Debugging-filter-strings-used-with-role-based-access/m-p/63655#M12798</link>
    <description>&lt;P&gt;I'd like to restrict a certain group of users to only see a specific set of hosts within&lt;BR /&gt;
an index. I can set up the filtering strings using the Roles page of the Splunk Manager.&lt;BR /&gt;
Now I need to change that filter string, or perhaps my user has said that they can't&lt;BR /&gt;
see the results they expect.&lt;/P&gt;

&lt;P&gt;How can I triage the filter string tied to a role? Is there some log file somewhere that&lt;BR /&gt;
logs the string that was applied (i.e., that logs the whole search string)? The user's&lt;BR /&gt;
search history doesn't seem to contain the filter strings. Furthermore, if I'm using&lt;BR /&gt;
ActiveDirectory for the user authentication, is there any caching of the role data,&lt;BR /&gt;
specifically the filter strings themselves?&lt;/P&gt;</description>
    <pubDate>Fri, 15 Mar 2013 20:16:48 GMT</pubDate>
    <dc:creator>sowings</dc:creator>
    <dc:date>2013-03-15T20:16:48Z</dc:date>
    <item>
      <title>Debugging filter strings used with role-based access</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Debugging-filter-strings-used-with-role-based-access/m-p/63655#M12798</link>
      <description>&lt;P&gt;I'd like to restrict a certain group of users to only see a specific set of hosts within&lt;BR /&gt;
an index. I can set up the filtering strings using the Roles page of the Splunk Manager.&lt;BR /&gt;
Now I need to change that filter string, or perhaps my user has said that they can't&lt;BR /&gt;
see the results they expect.&lt;/P&gt;

&lt;P&gt;How can I triage the filter string tied to a role? Is there some log file somewhere that&lt;BR /&gt;
logs the string that was applied (i.e., that logs the whole search string)? The user's&lt;BR /&gt;
search history doesn't seem to contain the filter strings. Furthermore, if I'm using&lt;BR /&gt;
ActiveDirectory for the user authentication, is there any caching of the role data,&lt;BR /&gt;
specifically the filter strings themselves?&lt;/P&gt;</description>
      <pubDate>Fri, 15 Mar 2013 20:16:48 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Debugging-filter-strings-used-with-role-based-access/m-p/63655#M12798</guid>
      <dc:creator>sowings</dc:creator>
      <dc:date>2013-03-15T20:16:48Z</dc:date>
    </item>
    <item>
      <title>Re: Debugging filter strings used with role-based access</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Debugging-filter-strings-used-with-role-based-access/m-p/63656#M12799</link>
      <description>&lt;P&gt;I'll give an extra 20 karma to a working answer to this. Double score!&lt;/P&gt;</description>
      <pubDate>Tue, 27 Aug 2013 15:51:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Debugging-filter-strings-used-with-role-based-access/m-p/63656#M12799</guid>
      <dc:creator>sowings</dc:creator>
      <dc:date>2013-08-27T15:51:03Z</dc:date>
    </item>
    <item>
      <title>Re: Debugging filter strings used with role-based access</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Debugging-filter-strings-used-with-role-based-access/m-p/63657#M12800</link>
      <description>&lt;P&gt;You can try the steps here: &lt;CODE&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/Troubleshooting/Enabledebuglogging" target="test_blank"&gt;http://docs.splunk.com/Documentation/Splunk/6.0.1/Troubleshooting/Enabledebuglogging&lt;/A&gt;&lt;/CODE&gt; to enable DEBUG logging. I think you might find it there. You can set "category.QueryLanguageParser=DEBUG" in &lt;CODE&gt;$SPLUNK_HOME/etc/log.cfg&lt;/CODE&gt; and then check the Job Inspector. It will state which filter string was used. Should narrow down your search a bit.&lt;/P&gt;</description>
      <pubDate>Tue, 07 Jan 2014 17:08:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Debugging-filter-strings-used-with-role-based-access/m-p/63657#M12800</guid>
      <dc:creator>alacercogitatus</dc:creator>
      <dc:date>2014-01-07T17:08:37Z</dc:date>
    </item>
    <item>
      <title>Re: Debugging filter strings used with role-based access</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Debugging-filter-strings-used-with-role-based-access/m-p/63658#M12801</link>
      <description>&lt;P&gt;Thanks. I'll give this a try and get back to you with the extra karma.&lt;/P&gt;</description>
      <pubDate>Tue, 07 Jan 2014 18:28:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Debugging-filter-strings-used-with-role-based-access/m-p/63658#M12801</guid>
      <dc:creator>sowings</dc:creator>
      <dc:date>2014-01-07T18:28:38Z</dc:date>
    </item>
    <item>
      <title>Re: Debugging filter strings used with role-based access</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Debugging-filter-strings-used-with-role-based-access/m-p/63659#M12802</link>
      <description>&lt;P&gt;How'd it work out?&lt;/P&gt;</description>
      <pubDate>Mon, 13 Jan 2014 15:06:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Debugging-filter-strings-used-with-role-based-access/m-p/63659#M12802</guid>
      <dc:creator>alacercogitatus</dc:creator>
      <dc:date>2014-01-13T15:06:20Z</dc:date>
    </item>
    <item>
      <title>Re: Debugging filter strings used with role-based access</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Debugging-filter-strings-used-with-role-based-access/m-p/63660#M12803</link>
      <description>&lt;P&gt;Another option to see list of search filters associated with users/roles is using REST APIs. This could be a starting point. List all the users, their corresponding roles and search filters.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| rest /services/authentication/users | table title, roles | mvexpand roles | join roles [| rest /services/authorization/roles | table title, srchFilter | rename title as roles] | stats values(roles) as roles, values(srchFilter) as SearchFilters by title
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Mon, 13 Jan 2014 16:56:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Debugging-filter-strings-used-with-role-based-access/m-p/63660#M12803</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2014-01-13T16:56:30Z</dc:date>
    </item>
  </channel>
</rss>

