Getting Data In

How to configure srchFilter for a role to limit the results by indexer?

Explorer

I have a Splunk Enterprise setup, with a handful of main indexers and their own search head clusters, and a bunch of little departmental indexers paired with individual search heads.

One of the departments wants to be able to see things from the main indexers from their departmental search head. I don't want them to be able to see everything on the main indexers (say they have an index named "web" on their department indexer, for example, and there is also an index named "web" on the main indexers), so can I limit roles using srchFilter by search_server?

I know I can limit by host and by index, so that they can see (host=*.dept.example.com and index=web) OR (host=dept*.main.example.com and index=web), and combine that with index names, but when the department starts adding more indexes, and there's more name collision, it'll be hard to sustain, and we've got 30-ish depts so far.

0 Karma

Re: How to configure srchFilter for a role to limit the results by indexer?

SplunkTrust

You should be able to use the indexer name via the splunkserver field in your srchFilter. Please note that specifying splunkserver will return only the events that were indexed on the specified indexer (directly) and not the replicated data (in the case of clusters).



Re: How to configure srchFilter for a role to limit the results by indexer?

Explorer

I would think so, but it is not anywhere in the documentation for authorize.conf or what little I can find for srchFilter. I'll try it, thanks!

0 Karma

Re: How to configure srchFilter for a role to limit the results by indexer?

Explorer

Also, which would I use, search-server as used in the /opt/splunk/bin/splunk list search-server command, or splunk_server used in actual searches?

0 Karma

Re: How to configure srchFilter for a role to limit the results by indexer?

SplunkTrust

You would use the splunk_server field name (as it's a search filter, you'd go with the SPL convention to denote indexers).

0 Karma
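To make the accepted approach concrete, here is an added example (not from the thread or from Splunk) that renders one authorize.conf role stanza per department, with a srchFilter that keys on splunk_server for the department's own indexer and on host for the department's systems that report to the main indexers, and then runs a simplified model of the filter over constructed events to check which "web" events each role would actually see. The department names, indexer names, host patterns and index names are placeholders; the authorize.conf keys (importRoles, srchIndexesAllowed, srchIndexesDefault, srchFilter) are real settings, but the evaluator is a deliberately small model of SPL field=glob terms with AND/OR, not Splunk's parser.

```python
"""Per-department srchFilter on splunk_server, plus a check of what it admits.

Constructed example. The evaluator below models only flat 'f=glob' terms joined
by ' AND ' / ' OR '; it is not Splunk's search language implementation.
"""
import fnmatch
import re

# Constructed inventory (placeholders): department -> (glob for the department's
# own indexer(s), glob for the department's hosts that report to the main indexers).
DEPARTMENTS = {
    "web": ("idx-web*", "web-*.main.example.com"),
    "hr": ("idx-hr*", "hr-*.main.example.com"),
}


def build_srch_filter(indexer_glob, main_host_glob):
    """Everything the department's own indexer holds, plus only the department's
    own hosts from any other indexer. Index names are not used, so an index
    called 'web' on the main indexers no longer collides with the department's."""
    return f"splunk_server={indexer_glob} OR host={main_host_glob}"


def authorize_conf(departments):
    """Render authorize.conf role stanzas (placeholder role names)."""
    lines = []
    for dept, (indexer_glob, host_glob) in sorted(departments.items()):
        lines.append(f"[role_{dept}_users]")
        lines.append("importRoles = user")
        # Index names collide across indexers, so indexes alone cannot separate
        # departments; the srchFilter does the narrowing instead.
        lines.append("srchIndexesAllowed = *")
        lines.append("srchIndexesDefault = main")
        lines.append(f"srchFilter = {build_srch_filter(indexer_glob, host_glob)}")
        lines.append("")
    return "\n".join(lines)


_TERM = re.compile(r"^(\w+)=(\S+)$")


def _term_matches(term, event):
    """One 'field=glob' term; '*' wildcards as in an SPL field search."""
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    field, glob = m.groups()
    return fnmatch.fnmatchcase(str(event.get(field, "")), glob)


def filter_matches(srch_filter, event):
    """AND binds tighter than OR, as in SPL. No parentheses or NOT in this model."""
    return any(
        all(_term_matches(t.strip(), event) for t in clause.split(" AND "))
        for clause in srch_filter.split(" OR ")
    )


def visible_events(srch_filter, user_search, events):
    """Splunk ANDs the role's srchFilter onto every search the user runs."""
    return [e for e in events
            if filter_matches(user_search, e) and filter_matches(srch_filter, e)]


# Constructed events: two indexers both have an index named "web".
EVENTS = [
    {"splunk_server": "idx-web01", "index": "web", "host": "app1.web.example.com"},
    {"splunk_server": "idx-main01", "index": "web", "host": "web-proxy1.main.example.com"},
    {"splunk_server": "idx-main01", "index": "web", "host": "corp-portal.main.example.com"},
    {"splunk_server": "idx-hr01", "index": "web", "host": "hrportal.hr.example.com"},
]

if __name__ == "__main__":
    print(authorize_conf(DEPARTMENTS))
    for dept, globs in DEPARTMENTS.items():
        seen = visible_events(build_srch_filter(*globs), "index=web", EVENTS)
        print(dept, "->", [e["host"] for e in seen])
```

Two things worth checking against a real deployment before relying on this: srchIndexesAllowed still gates which indexes the role may search at all, and srchFilter only narrows within that set; and the filter is applied to whatever the user types, so a user searching `index=web` on the departmental search head sees only the two events the role's filter admits, not the main indexers' other "web" data.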

Re: How to configure srchFilter for a role to limit the results by indexer?

Explorer

This worked perfectly, exactly what I needed. Thanks.

0 Karma

Re: How to configure srchFilter for a role to limit the results by indexer?

Splunk Employee

Hi @brynsmith - Glad to hear that this resolved your issue. Please don't forget to click "Accept" below the answer to resolve this post. Thanks!

0 Karma