topic Re: Does splunk user should query data using Index value? in Splunk Search

Does splunk user should query data using Index value?

saifuddin9122 — Thu, 08 Feb 2018 21:12:32 GMT

Hello All,

can users in splunk query data without using the index defined in search query? i mean can user search data using the sourcetype without defining the index in query? if so where should i define this property. As we have number of indexes defined and our users does not have idea of indexes, we don't want to query results using the index.

Thanks

Re: Does splunk user should query data using Index value?

p_gurav — Fri, 09 Feb 2018 05:25:21 GMT

Hi saifuddin9122,

You can create macros for it.

Re: Does splunk user should query data using Index value?

teunlaan — Tue, 29 Sep 2020 18:02:25 GMT

Yes you can (not recommended ) . You need to make all you indexes "searched by default"

Configure it in "Settings > Access Controls > Roles > the_role_your users_belong_too"" option : Indexes searched by default"

Re: Does splunk user should query data using Index value?

klopez30 — Fri, 09 Feb 2018 13:49:35 GMT

I believe that just searching on source/sourcetype is fine, as long as the defaults are set correctly for your environment. I have worked in an environment where the index field was overloaded to search so that you could see similar data, but your defaults controlled what you saw just by searching on the source/sourcetype.

You have to make sure that the roles your splunk user inherits does not have indexes that are selected by default that you do not want to have your splunk user have access to by default.