When setting up a distributed search peer, is it possible to NOT search the peer unless specified in the search string?
I have two zones (A & B), each with their own search head. The search head in A can search both A and B, whereas the search head in B can search zone B only (this works fine). However, I'd like A to only search A unless I specify "splunk_server=zone_b", that way I don't need to edit previous searches, dashboards, alerts I've written for zone A to include "splunk_server=zone_a".
I didn't see anything in distsearch.conf that looked like it would help, nor anything in the role definitions. Any guidance here? Thanks!
Setting it in the default stanza should enforce that restriction for all users. That might be something you can look into.
I suppose that could work if I create a user with that restriction and run my searches as that user... not quite the solution I'm hoping for though.
You might be able to use 'srchFilter' in authorize.conf. To set this for all users, use the [default] stanza; use specific role stanza for set it for specific user groups.
you can specify srchFilter = splunk_server=zone_a so by default this search phrase will get appended to all searches executed (by all or by specific role-group).
http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Authorizeconf