How to prevent search head from searching peer by ...

eallanjr · ‎08-18-2014

When setting up a distributed search peer, is it possible to NOT search the peer unless specified in the search string?

I have two zones (A & B), each with their own search head. The search head in A can search both A and B, whereas the search head in B can search zone B only (this works fine). However, I'd like A to only search A unless I specify "splunk_server=zone_b", that way I don't need to edit previous searches, dashboards, alerts I've written for zone A to include "splunk_server=zone_a".

I didn't see anything in distsearch.conf that looked like it would help, nor anything in the role definitions. Any guidance here? Thanks!

somesoni2 · ‎08-18-2014

Setting it in the default stanza should enforce that restriction for all users. That might be something you can look into.

eallanjr · ‎08-18-2014

I suppose that could work if I create a user with that restriction and run my searches as that user... not quite the solution I'm hoping for though.

somesoni2 · ‎08-18-2014

You might be able to use 'srchFilter' in authorize.conf. To set this for all users, use the [default] stanza; use specific role stanza for set it for specific user groups.

you can specify srchFilter = splunk_server=zone_a so by default this search phrase will get appended to all searches executed (by all or by specific role-group).

http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Authorizeconf

How to prevent search head from searching peer by default?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio