Limit which search peers are used by default


We have a global installation of Splunk. About 100 indexers. Each region is broken up by country. I created a macro that defines several variables like [us] definition=splunk_server=allusindexers, [asia] definition=allasiaindexers and so on.

This works great at search time to keep the searches from hitting all of the search peers. But what I need to do now is define a default, whether using srchFilter or something else, so that normal users, when they search, are restricted to only their country's search peers. (I did get this working using srchFilter.) BUT, I need for the users to be able to add in asia to either only search the Asia indexers or both the default and Asia indexers. (Would prefer the first option.) To have the search string hit all of the indexers will kill the performance of Splunk, and training those users who love to just type in index=* and an IP address, well, you can guess what will happen.

Using srchFilter is an automatic AND, so if defined, it does the search with the default splunk_servers AND the additional splunk_servers, which then returns no results. We do have our indexes broken out by region, but if I only want to see results in New Zealand, using just the index name will send the search request to all indexers, and all indexers in that region will process the request even though only that one indexer has the data.

Anyone run into this and maybe have found a way around this?
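Since srchFilter is ANDed onto every search, it can only narrow scope, never widen it; the usual layout is to let the role's srchFilter express the widest set of peers the role may ever reach, and have users narrow to one region with a macro. The following configuration is an added example, not the poster's or Splunk's own; the hostname patterns, index names and role name are placeholders.

```ini
# macros.conf (search head): one macro per region, plus an explicit union.
# Hostname patterns are placeholders; splunk_server accepts wildcards.
[us]
definition = splunk_server=us-idx*
iseval = 0

[asia]
definition = splunk_server=asia-idx*
iseval = 0

[us_asia]
definition = (splunk_server=us-idx* OR splunk_server=asia-idx*)
iseval = 0

# authorize.conf: srchFilter is appended with AND to every search the role
# runs. A filter of only splunk_server=us-idx* would make `asia` return
# nothing, so the role's filter must cover every region it may touch.
# The default index scope still steers users to their own region's data.
[role_us_analyst]
importRoles = user
srchFilter = (splunk_server=us-idx* OR splunk_server=asia-idx*)
srchIndexesAllowed = us_*;asia_*
srchIndexesDefault = us_*

# Resulting behaviour for a member of role_us_analyst (SPL, for reference):
#   index=us_fw src_ip=10.1.2.3 `us`      -> only US peers are dispatched
#   index=asia_fw src_ip=10.1.2.3 `asia`  -> only Asia peers are dispatched
#   index=* src_ip=10.1.2.3               -> still bounded to US + Asia peers
```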


Curious if you use srchFilter to explicitly deny the search 'index=*' and start training users that they are required to either specify the indexes or use the macros.
