Getting Data In

How to configure srchFilter for a role to limit the results by indexer?

brynsmith
Explorer

I have a Splunk Enterprise setup, with a handful of main indexers and their own search head clusters, and a bunch of little departmental indexers paired with individual search heads.

One of the departments wants to be able to see things from the main indexers from their departmental search head. I don't want them to be able to see everything on the main indexers (say they have an index named "web" on their department indexer, for example, and there is also an index named "web" on the main indexers), so can I limit roles using srchFilter by search_server?

I know I can limit by host by index, so that they can see (host=*.dept.example.com and index=web) OR (host=dept*.main.example.com and index=web), and combine that with index names, but when the department starts adding more indexes, and there's more name collision, it'll be hard to sustain, and we've got 30-ish depts so far.

0 Karma
1 Solution

somesoni2
Revered Legend

You should be able to use the indexer name using splunk_server field into your srchFilter. Please note that specifying splunk_server will return only the events which were indexed in specified indexer (directly) and not the replicated data (in case of clusters).

View solution in original post

somesoni2
Revered Legend

You should be able to use the indexer name using splunk_server field into your srchFilter. Please note that specifying splunk_server will return only the events which were indexed in specified indexer (directly) and not the replicated data (in case of clusters).

View solution in original post

brynsmith
Explorer

This worked perfectly, exactly what I needed. Thanks.

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

Hi @brynsmith - Glad to hear that this resolved your issue. Please don't forget to click "Accept" below the answer to resolve this post. Thanks!

0 Karma

brynsmith
Explorer

Also, which would I use, search-server as used in the /opt/splunk/bin/splunk list search-server command, or splunk_server used in actual searches?

0 Karma

somesoni2
Revered Legend

You would use splunk_server field name. (as it's a search filter, you'd go with SPL convention to denote indexers).

0 Karma

brynsmith
Explorer

I would think so, but it is not anywhere in the documentation for authorize.conf or what little I can find for srchFilter. I'll try it, thanks!

0 Karma