topic Re: How to restrict searches that use wildcards in the index (ex: index=* index=test* index=*test)? in Splunk Search

How to restrict searches that use wildcards in the index (ex: index=* index=test* index=*test)?

lassel — Mon, 27 Apr 2015 07:35:10 GMT

For audit and performance reasons, I want to educate (force) my users to always explicitly provide the index(es) that they want to search.
First I have made sure that no default indexes are searched.

Secondly I would like to limit the searches. Can I limit searches that use wildcard in index?
E.g. index=* index=test* index=*test

I am aware that "Access Controls > Roles" has a "Restrict search terms" field, but I can't find any documentation or examples on what I want to do.

Re: How to restrict searches that use wildcards in the index (ex: index=* index=test* index=*test)?

stephane_cyrill — Mon, 27 Apr 2015 07:52:17 GMT

Hi, it is simple,just create a role for these users and make a restriction on these search terms (index =........).

to do it in splunk web:

setting > access control > roles >add new
under search restrictions, put what you want to be restricted (index= index=test OR index=*test)

Do not forget to specify to whom the role should be apply.

Re: How to restrict searches that use wildcards in the index (ex: index=* index=test* index=*test)?

lassel — Mon, 27 Apr 2015 07:58:11 GMT

Thank you for your answer.

Can I use regular expressions in search restrictions?

Also will your restriction limit a user that searches on "index=foo OR index=bar*"?

Re: How to restrict searches that use wildcards in the index (ex: index=* index=test* index=*test)?

lassel — Mon, 27 Apr 2015 08:03:59 GMT

I want to limit queries that match:
index=[^*]+

Re: How to restrict searches that use wildcards in the index (ex: index=* index=test* index=*test)?

lassel — Mon, 27 Apr 2015 08:12:14 GMT

Doing that gives me an error on every search like this:
Error in 'SearchParser': Missing a search command before '^'. Error at position '46' of search query 'litsearch ( index=splunktest abc ) ( ( index=[^*]+'.

Re: How to restrict searches that use wildcards in the index (ex: index=* index=test* index=*test)?

stephane_cyrill — Mon, 27 Apr 2015 08:56:45 GMT

I'm not sure we can use regex, the error you have ,was is not the goal( to hinder a user to do such a search?)

If the usage of wildcard * is more global than wath you want, try to list precise search terms.Read the note under the text box of SEARCH TERMS RESTRICTION.

Re: How to restrict searches that use wildcards in the index (ex: index=* index=test* index=*test)?

lassel — Mon, 27 Apr 2015 09:06:34 GMT

From the administration page:

Search restrictions
Restrict the scope of searches run by this role. Search results for this role will only show events that also match this search string.

Can include source, host, index (can be set below), eventtype, sourcetype, search fields, , and OR and AND. Example: "`host=web OR source=/var/log/*`"

It seems like it is impossible to limit user queries that way I want to. Naming the precise search terms is very hard and impossible to administrate when I add new indexes. Besides. Given enough valid queries, the user can still run the wildcard queries, that I wish to limit.

Is there any other way to limit queries?

Re: How to restrict searches that use wildcards in the index (ex: index=* index=test* index=*test)?

lassel — Fri, 01 May 2015 08:02:00 GMT

Can somebody confirm if what I want is impossible?

I conclude that it is impossible using "Restrict search terms", but is there another way?

Re: How to restrict searches that use wildcards in the index (ex: index=* index=test* index=*test)?

lassel — Tue, 12 May 2015 07:07:48 GMT

Got this answer from Splunk support:

With regards to your index=* question, the answer is currently "no"

With our current set of roles and capabilities, we do not have a method by which to restrict the use of wild-cards in search strings.

Currently, the best practice here is to define roles that restrict access to only the necessary indexes and educate your users on Search & Reporting best practices so that they build efficient search queries.