https://community.splunk.com/t5/Splunk-Search/Need-Help-Restricting-Results/m-p/44859#M10601 <P>Currently four, but there are likely to be more as we add new customers.</P> Mon, 27 Aug 2012 19:17:38 GMT menkurau 2012-08-27T19:17:38Z https://community.splunk.com/t5/Splunk-Search/Need-Help-Restricting-Results/m-p/44857#M10599 <P>I am trying to provide our data center customers a view of their firewall permits and denies (based on cisco fwsm logs). The requirements I have been given are to restrict what a customer can search for to either events for their source or destination and by period of time the own the IP. Also, this cannot be a separate app. I need to figure out a way to restrict certain events to certain users based on the source and destination IP and time.</P> <P>I have a lookup file that specifies a subnet for CIDR matching and has columns for mapping ownership to a customer by IP. The lookup also has a column to reference a date code for both the source and destination IP so I can exclude results by event time.</P> <P>I have a search that fulfills the requirements, however, I can't figure out a way to restrict results by role. It is a pipeline search, so I can't create an eventtype. My understanding of summary indicies preclude their use. My thinking is the only way to do it is to create an app, but the requirements specify no. </P> <P>Here is an example of one of the searches:</P> <PRE><CODE>owner_src="FAC" OR owner_dst="FAC" type="Built" OR type="Deny" | convert timeformat="%m%d%y" ctime(_time) as c_time | eval owner_valid_src = if(c_time &gt;= date_filter_src, "Yes", "No") | eval owner_valid_dst = if(c_time &gt;= date_filter_dst, "Yes", "No") | search owner_valid_src="yes" OR owner_valid_dst="yes" </CODE></PRE> Mon, 27 Aug 2012 18:02:46 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-Restricting-Results/m-p/44857#M10599 menkurau 2012-08-27T18:02:46Z https://community.splunk.com/t5/Splunk-Search/Need-Help-Restricting-Results/m-p/44858#M10600 <P>How many roles will this scale to ?</P> Mon, 27 Aug 2012 19:08:33 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-Restricting-Results/m-p/44858#M10600 jonuwz 2012-08-27T19:08:33Z https://community.splunk.com/t5/Splunk-Search/Need-Help-Restricting-Results/m-p/44859#M10601 <P>Currently four, but there are likely to be more as we add new customers.</P> Mon, 27 Aug 2012 19:17:38 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-Restricting-Results/m-p/44859#M10601 menkurau 2012-08-27T19:17:38Z https://community.splunk.com/t5/Splunk-Search/Need-Help-Restricting-Results/m-p/44860#M10602 <P>I think you want to convert your lookup to be an <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_time-based_fields_lookup">automatic time based lookup</A>, and then use the search filter in the role for each customer on the <CODE>owner_src</CODE> and <CODE>owner_dst</CODE> fields. That way you do not need the convert, evals and 2nd search.</P> Wed, 05 Sep 2012 09:44:08 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-Restricting-Results/m-p/44860#M10602 dart 2012-09-05T09:44:08Z