When setting up a distributed search peer, is it possible to NOT search the peer unless specified in the search string?
I have two zones (A & B), each with their own search head. The search head in A can search both A and B, whereas the search head in B can search zone B only (this works fine). However, I'd like A to only search A unless I specify "splunk_server=zone_b", that way I don't need to edit previous searches, dashboards, alerts I've written for zone A to include "splunk_server=zone_a".
I didn't see anything in distsearch.conf that looked like it would help, nor anything in the role definitions. Any guidance here? Thanks!
You might be able to use 'srchFilter' in authorize.conf. To set this for all users, use the [default] stanza; use specific role stanza for set it for specific user groups.
you can specify srchFilter = splunk_server=zone_a so by default this search phrase will get appended to all searches executed (by all or by specific role-group).