I have a Splunk Enterprise setup, with a handful of main indexers and their own search head clusters, and a bunch of little departmental indexers paired with individual search heads.
One of the departments wants to be able to see things from the main indexers from their departmental search head. I don't want them to be able to see everything on the main indexers (say they have an index named "web" on their department indexer, for example, and there is also an index named "web" on the main indexers), so can I limit roles using srchFilter by search_server?
I know I can limit by host by index, so that they can see (host=*.dept.example.com and index=web) OR (host=dept*.main.example.com and index=web), and combine that with index names, but when the department starts adding more indexes, and there's more name collision, it'll be hard to sustain, and we've got 30-ish depts so far.
You should be able to use the indexer name via the splunk_server field in your srchFilter. Please note that specifying splunk_server will return only the events which were indexed on the specified indexer (directly) and not the replicated data (in case of clusters).
This worked perfectly, exactly what I needed. Thanks.
Hi @brynsmith - Glad to hear that this resolved your issue. Please don't forget to click "Accept" below the answer to resolve this post. Thanks!
Also, which would I use, search-server as used in the /opt/splunk/bin/splunk list search-server command, or splunk_server used in actual searches?
You would use the splunk_server field name (as it's a search filter, you'd go with SPL convention to denote indexers).
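As an added illustration of the accepted approach (not from the thread or from Splunk's docs), here is what such a role stanza in authorize.conf could look like on the departmental search head, using the splunk_server field instead of the host-based filter from the question. The indexer names dept-idx01 and main-idx* are assumed placeholders.

```ini
# authorize.conf on the departmental search head (added example; indexer names are placeholders)
[role_dept_web]
# Which indexes this role may search at all, and which it searches by default.
srchIndexesAllowed = web
srchIndexesDefault = web
# Restrict by the indexer that holds the event, not by the host field.
# Departmental events live on dept-idx01; only the department's own data
# on the main tier is exposed, even though both tiers have an index named "web".
srchFilter = (splunk_server=dept-idx01 index=web) OR (splunk_server=main-idx* index=web host=dept*.main.example.com)
# Caveat from the answer above: splunk_server matches the indexer that indexed
# the event directly, so in an indexer cluster replicated copies are not returned.
```

Adding further departmental indexes then means extending srchIndexesAllowed rather than enumerating host patterns per index.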
I would think so, but it is not anywhere in the documentation for authorize.conf or what little I can find for srchFilter. I'll try it, thanks!