topic Re: Why is Restrict Search Terms not working in Splunk Search

Why is Restrict Search Terms not working

dflodstrom — Tue, 02 Feb 2016 16:46:29 GMT

I want to restrict a given role's access to the data in Splunk by using 'Restrict search terms' under access controls. First I tried to restrict based on tag...ie. tag=mytag. This didn't work, so I tried to restrict on one host value...ie. host=hostname. This isn't working either.

I am attempting this on a standalone search head in a distributed environment with an indexer cluster. I will apply this to my search head cluster when it is functional. It might also be useful to know that the role I'm modifying does have another role that is inherited which has its own restrict search terms configured. We're using Splunk 6.3.0.

Re: Why is Restrict Search Terms not working

dflodstrom — Thu, 04 Feb 2016 20:32:15 GMT

There must have been a conflict with using 'restrict search terms' on the role I was modifying and the inherited role. I was able to resolve this issue by removing the inherited role. Of course after doing this I needed to apply all of the settings from the inherited role to the role I was modifying.

Re: Why is Restrict Search Terms not working

Kyle_Sandoval — Tue, 05 Nov 2019 15:09:52 GMT

Dflodstrom is correct; there is a conflict with the inherited role, but you don't have to remove the inherited role to resolve the conflict. Rather than clear the restrict search term value, you have to replace it with a value. If you want no restrictions, replace the value with a "*" which will override the parameter's value from the inherited role.

Re: Why is Restrict Search Terms not working

Kyle_Sandoval — Tue, 05 Nov 2019 15:17:37 GMT

Dflodstrom is correct; the issue is the inherited role, but you don't have to remove the inherited role to resolve. You just need to set a value (any value) in the restrict search term parameter value. If it's blank, Splunk takes the inherited value from the role. Simply setting the value to '*' will override the inherited values.

Re: Why is Restrict Search Terms not working

MLGSPLUNK — Wed, 15 Jul 2020 09:11:03 GMT

Hi!

I am running on the same issue as you did but on splunk 8.0.5. No roles are inherited and only search is granted to the user, but the search terms for the restrict search are not working at all and the user can see all the data.

https://community.splunk.com/t5/Splunk-Search/Restrict-search-to-a-role-using-a-search-restriction-is-not/m-p/509197#M142301

Thanks in advance.