topic Re: pipe in srchFilter in Getting Data In

pipe in srchFilter

nvtssplunk — Tue, 08 Feb 2011 00:30:40 GMT

I would like to apply a dedup to all searches performed by users in a certain role. Is there a way to do this with the srchFilter option? I have tried setting this to "| dedup _raw" but it seems this creates unbalanced parentheses in my query.

Just a little background: I have indexers across 2 sites with data being replicated by forwarders for redundancy for one index. I'm trying to avoid duplicate results in that index when distributing the search across all indexers.

Re: pipe in srchFilter

Stephen_Sorkin — Tue, 08 Feb 2011 00:51:42 GMT

Search filters can only contain argument to the "search" command: ANDs/ORs/NOTs of keywords and fields.

Re: pipe in srchFilter

nvtssplunk — Tue, 08 Feb 2011 23:02:25 GMT

Ok, so that's the anti-solution. Is there another way to accomplish this?

Re: pipe in srchFilter

RicoSuave — Fri, 02 Oct 2015 16:21:07 GMT

This is actually technically possible but NOT SUPPORTED BY SPLUNK! reference this question and please upgoat.

http://answers.splunk.com/answers/314192/use-srchfilter-to-anonymize-data-based-on-role.html#answer-314196