https://community.splunk.com/t5/Dashboards-Visualizations/working-with-metadata-output/m-p/13636#M227 <P>I have an environment where there are about 2000 hosts. All the hosts are tagged according to the geographic locations and the sourcetype(AD,DNS,DHCP). User are restricted to logs from hosts which belong to their country using roles. I would like each user to see on the default dashboard the hosts which they have access to the last reported date and the tag.</P> <P>I use the following query "| metadata type=hosts | fields + host, firstTime, lastTime,totalCount | convert ctime(firstTime) | convert ctime(lastTime) | sort - host | TAGS "</P> <P>However it displays all the hosts. How can I facilitate the users to see only the hosts that belong to them on the dashboard?</P> Tue, 18 May 2010 00:47:27 GMT sanju005ind 2010-05-18T00:47:27Z https://community.splunk.com/t5/Dashboards-Visualizations/working-with-metadata-output/m-p/13636#M227 <P>I have an environment where there are about 2000 hosts. All the hosts are tagged according to the geographic locations and the sourcetype(AD,DNS,DHCP). User are restricted to logs from hosts which belong to their country using roles. I would like each user to see on the default dashboard the hosts which they have access to the last reported date and the tag.</P> <P>I use the following query "| metadata type=hosts | fields + host, firstTime, lastTime,totalCount | convert ctime(firstTime) | convert ctime(lastTime) | sort - host | TAGS "</P> <P>However it displays all the hosts. How can I facilitate the users to see only the hosts that belong to them on the dashboard?</P> Tue, 18 May 2010 00:47:27 GMT https://community.splunk.com/t5/Dashboards-Visualizations/working-with-metadata-output/m-p/13636#M227 sanju005ind 2010-05-18T00:47:27Z https://community.splunk.com/t5/Dashboards-Visualizations/working-with-metadata-output/m-p/13637#M228 <P>sounds like this could be a bug. what is the restrict filter you are using?</P> Tue, 18 May 2010 07:19:32 GMT https://community.splunk.com/t5/Dashboards-Visualizations/working-with-metadata-output/m-p/13637#M228 Simeon 2010-05-18T07:19:32Z https://community.splunk.com/t5/Dashboards-Visualizations/working-with-metadata-output/m-p/13638#M229 <P>The only way I have been able to filter the events while using | metadata type=host is to add a search host=srv* or use tags (tag=your_tag) to only search on that group of servers. </P> <P>My next question would be if you are wanting to only create 1 dashboard for each team to use? If so this solution will not work and I am not sure if the is way to read the roles and insert that while using | metadata. </P> <P>You could always clone the dashboard for each team and put in the filters associated with that team. Then give them the permissions to see that dashboard and not the other teams dashboard. </P> <P>Travis. </P> Tue, 18 May 2010 19:44:23 GMT https://community.splunk.com/t5/Dashboards-Visualizations/working-with-metadata-output/m-p/13638#M229 thall79 2010-05-18T19:44:23Z https://community.splunk.com/t5/Dashboards-Visualizations/working-with-metadata-output/m-p/13639#M230 <P>i don't see you using the <CODE>|tags</CODE> search command and then filtering based on that. The <CODE>|metadata</CODE> command won't list tags (as you can see if you just run it standalone), so you need to first apply the <CODE>|tags</CODE> command, then filter on, e.g., <CODE>|search tags=blah*</CODE>.</P> Tue, 01 Jun 2010 21:02:33 GMT https://community.splunk.com/t5/Dashboards-Visualizations/working-with-metadata-output/m-p/13639#M230 gkanapathy 2010-06-01T21:02:33Z https://community.splunk.com/t5/Dashboards-Visualizations/working-with-metadata-output/m-p/13640#M231 <P>Yes after looking at the post I did leave out important information, good catch there. Here is what I am using when filtering by tags: | metadata type=hosts | tags host | search NOT tag::host=remove | search host=*</P> Wed, 02 Jun 2010 03:25:56 GMT https://community.splunk.com/t5/Dashboards-Visualizations/working-with-metadata-output/m-p/13640#M231 thall79 2010-06-02T03:25:56Z