topic Re: Role-based search filter syntax in Splunk Search

Role-based search filter syntax

ww9rivers — Wed, 01 Oct 2025 17:29:36 GMT

I created a search filter that looks like this:

(index=web NOT status=404) OR (index!=web)

which works to limit the role to search for events with `status!=404` in the index `web`.

However, Splunk document says this about the search filter syntax:

"When you specify search term filters, use the key::value syntax, rather than key=value, where possible, to restrict search terms to indexed fields."

So I changed that filter to:

(index::web NOT status=404) OR (NOT index::web)

I no longer get any results at all. No error / warning either.

I guess I can use the `key=value` syntax instead. But I am curious why the `key::value` syntax does not work? Also, the document states that the `key::value` syntax provides better performance and security.

We are using Splunk Cloud, currently running version 9.3.2411.116. The document for v9.3 and v9.4 say the same thing.

Re: Role-based search filter syntax

PickleRick — Wed, 01 Oct 2025 18:00:56 GMT

Limiting by search-time defined fields is pointless since any user can easily bypass such filter.

Re: Role-based search filter syntax

livehybrid — Wed, 01 Oct 2025 20:47:16 GMT

@ww9rivers key::value is an index-time field which the user shouldnt be able to manipulate, however key=value is a search-time extraction, therefore they could create a private field extraction eval which would eval status=200 which would allow them to see all data in index=web - this is why the docs specify that you need to use key::value.

If you want to use status::404 then you need to extract this as an index-field. This is possible in Splunk Cloud but the solution depends on if you use a HF before sending to Splunk Cloud, basically wherever your data is parsed you need to create an index time field. For more info check out https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.4/configure-indexed-field-extraction/create-custom-fields-at-index-time

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Role-based search filter syntax

ww9rivers — Wed, 01 Oct 2025 21:22:13 GMT

Thank you for responding.

My problem is not exactly with the "status=404" part.

My problem is that when I use the "index=web" syntax, I get results. But when I change that to "index::web" I get nothing.

Re: Role-based search filter syntax

PickleRick — Wed, 01 Oct 2025 21:51:54 GMT

The :: syntax works only with indexed fields. You can't just replace = with :: for everything and expect it to work. For index you can use normal = because it's a special case.

Re: Role-based search filter syntax

ww9rivers — Thu, 02 Oct 2025 14:02:41 GMT

That may be true.

But the document I linked in the original post clearly states "The SPL search filter field in the 4. Restrictions tab accepts any of the following search terms:" and "index::" is listed under that literally.

Is the documentation wrong, then?

Re: Role-based search filter syntax

PickleRick — Thu, 02 Oct 2025 14:33:52 GMT

OK. This is actually a bit surprising since I expected index to be a relatively border case. But it seems a simple

index::_internal

seems to work in your normal search.

So a search filter based on this condition should also work. Might need to do some testing because that is an interesting case. Can you show the literal working and not working filters?

Re: Role-based search filter syntax

ww9rivers — Sat, 04 Oct 2025 03:50:42 GMT

I think I got it figured out!

My search filter actually works with the :: syntax.

However, I initially had double-quotes around the value for source, which is part of the search. Once I removed the double-quotes, it started working.

So, 👇this does not work:

source::"value"

But this does:

source::value

Thank you all for the discussion!

Re: Role-based search filter syntax

isoutamo — Sun, 05 Oct 2025 13:38:22 GMT

This is really interesting. How it works if there is indexed field which can contains also space? Or did it add as " mark in those indexed fields? Or didn't it work anyhow?

Re: Role-based search filter syntax

PickleRick — Mon, 06 Oct 2025 17:32:47 GMT

I haven't tested but the "field::long value" might work. Then again it might not.

Just like there is currently no syntax for searching for terms with literal asterisks in them.