Archive

How to Restrict search terms for role based on a dynamic parameter?

Engager

We want to restrict certain usergroups possibility to search in Splunk based on a dynamic parameter

For instance
Merchant group A should have this search restriction: index=business-events merchantid=1
Merchant group B should have this search restriction: index=business-events merchantid=2

Could this be done using this search restriction: index=business-events merchantid={currentuser.merchantid}

Could this be done through a database lookup?

Tags (1)

SplunkTrust
SplunkTrust

If you map these groups to Splunk Roles, then yes.

For the index part of the restriction, I would look on the roles page under "Indexes searched by default" and "Indexes" (the difference is subtle but very important). Choose which of the two you'd like to use. Possibly the answer is both. And set for both Role A and B, that they are one way or another restricted to index=business-events.

Then, for the merchantid search restriction, you can just use the "Restrict search terms" field in the role page.

eg for role A, you can set merchantid=1 under "Restrict search terms", and for role B set merchantid=2

http://docs.splunk.com/Documentation/Splunk/5.0.3/Security/Addandeditroles

Splunk Employee
Splunk Employee

At this time I'm fairly certain you can't do it this way. However, you ought to submit a feature request for this.

Champion

You can mention this on Manager » Access controls » Roles » RoleName. Assign the roles to relevant user groups and specify the index. Thanks

0 Karma

SplunkTrust
SplunkTrust

I highly doubt that... as a different thought, move the index restriction to the visible indexes part of the role, much better that way.

0 Karma