Deployment Architecture

How to prevent search head from searching peer by default?

Explorer

When setting up a distributed search peer, is it possible to NOT search the peer unless specified in the search string?

I have two zones (A & B), each with their own search head. The search head in A can search both A and B, whereas the search head in B can search zone B only (this works fine). However, I'd like A to only search A unless I specify "splunk_server=zone_b", that way I don't need to edit previous searches, dashboards, alerts I've written for zone A to include "splunk_server=zone_a".

I didn't see anything in distsearch.conf that looked like it would help, nor anything in the role definitions. Any guidance here? Thanks!

0 Karma

Revered Legend

Setting it in the default stanza should enforce that restriction for all users. That might be something you can look into.

0 Karma

Explorer

I suppose that could work if I create a user with that restriction and run my searches as that user... not quite the solution I'm hoping for though.

0 Karma

Revered Legend

You might be able to use 'srchFilter' in authorize.conf. To set this for all users, use the [default] stanza; use a specific role stanza to set it for specific user groups.

You can specify srchFilter = splunk_server=zone_a so that by default this search phrase will get appended to all searches executed (by all users or by a specific role group).

http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Authorizeconf
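As an added example (not part of this thread), a small Python audit that reads an authorize.conf and reports each role's effective srchFilter, including filters picked up from the [default] stanza and from roles listed in importRoles, so you can see which roles would still be unrestricted before relying on this approach. The role names and filters are constructed, and the OR-combination of inherited filters is my reading of Splunk's default behaviour (srchFilterSelecting = true), not something the thread states.

```python
"""Audit the effective srchFilter per role in a Splunk-style authorize.conf.
Added example, not from the thread. Assumptions: [default] values apply to
any stanza that does not set the key itself, and filters from imported roles
are combined with OR (Splunk's default srchFilterSelecting behaviour)."""
import configparser

# Constructed sample: zone A restricted by default, one role spanning both zones.
SAMPLE_AUTHORIZE_CONF = """
[default]
srchFilter = splunk_server=zone_a

[role_zone_a_analyst]
importRoles = user
srchFilter = splunk_server=zone_a

[role_zone_b_analyst]
importRoles = user
srchFilter = splunk_server=zone_b

[role_all_zones]
importRoles = role_zone_a_analyst;role_zone_b_analyst
"""


def parse_authorize_conf(text):
    """Return {stanza: {key: value}}; keys keep their case as Splunk expects."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def effective_filter(roles, name, seen=None):
    """Collect srchFilter values from a role, its [default] fallback and imports."""
    if seen is None:
        seen = set()
    if name in seen or name not in roles:  # built-ins like 'user' are not in the file
        return []
    seen.add(name)
    own = roles[name].get("srchFilter") or roles.get("default", {}).get("srchFilter")
    filters = [own] if own else []
    for parent in roles[name].get("importRoles", "").split(";"):
        if parent.strip():
            filters.extend(effective_filter(roles, parent.strip(), seen))
    return filters


def report(roles):
    """Map each role to its OR-combined filter, or None when it is unrestricted."""
    result = {}
    for name in roles:
        if name == "default":
            continue
        parts = list(dict.fromkeys(effective_filter(roles, name)))  # dedupe, keep order
        result[name] = " OR ".join(f"({p})" for p in parts) or None
    return result


if __name__ == "__main__":
    for role, filt in report(parse_authorize_conf(SAMPLE_AUTHORIZE_CONF)).items():
        print(f"{role}: {filt or 'UNRESTRICTED'}")
```

Note that srchFilter is ANDed with whatever the user types, so a role filtered to zone_a cannot reach zone B by adding splunk_server=zone_b to a search; the zone_b peers become reachable only through a role (own or imported) whose filter allows them.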
