Getting Data In

Is it possible to use macros to restrict search terms?

hulahoop
Splunk Employee

I have a long list of hosts/sources/sourcetypes I want to restrict a user to. Can I define a macro, then reference that macro when restricting the user's search terms under Manager » Access controls » Roles » myrole » Restrict search terms? This is to prevent the long list of search terms from showing up and taking over my search page every time I execute a query.

1 Solution

sideview
SplunkTrust

If I hear you correctly, you're looking for a more flexible alternative to giving your roles different search filters?

Assuming that to be the case, what you might find cleaner is to index the different levels of data into different indexes, and then set the index config such that the users in those roles don't actually have to type in index=foo terms or even know that any of this is happening.

e.g.:

role X - I want them to only be able to search sourcetype=foo OR sourcetype=bar
role Y - I want them to only be able to search sourcetype=baz
role Z - I want them to search everything.

index A - contains foo and bar
index B - contains baz
index C - contains everything else.

So configure role X to search only index A by default,
configure role Y to search only index B by default,
configure role Z to search indexes A, B and C by default.

It takes a little getting used to, but
a) the performance will be better than search filters
b) it's perhaps a bit easier to manage and set up overlapping groups on the fly.
c) with use cases around the different data sometimes being quite different, it may make more sense to use different indexes for other reasons: security, retention policy, etc.
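The index-scoped roles sideview describes, written out as an authorize.conf fragment. This is an added example for this thread, not configuration from sideview or from the Splunk documentation; the role names (role_x, role_y, role_z) and index names (a, b, c) are placeholders that follow the letters in the post, and the final stanza shows the "Restrict search terms" setting from the question (srchFilter) for comparison, together with the eventtype caveat Stephen raises below.

```ini
# authorize.conf (example for this thread; role and index names are placeholders)

# Role X: scoped to index a. srchIndexesDefault is what gets searched when the
# user types no index= term at all; srchIndexesAllowed is the hard boundary the
# user cannot widen by typing index=something_else. Set both.
[role_x]
srchIndexesAllowed = a
srchIndexesDefault = a

# Role Y: scoped to index b, same pattern.
[role_y]
srchIndexesAllowed = b
srchIndexesDefault = b

# Role Z: may search everything and does so by default. Lists are ;-separated.
[role_z]
srchIndexesAllowed = a;b;c
srchIndexesDefault = a;b;c

# For comparison, the search-term restriction the question asks about.
# srchFilter is ANDed onto every search the role runs; a long host/source/
# sourcetype list here is what the original poster wanted to hide in a macro.
[role_x_filtered]
srchFilter = (sourcetype=foo OR sourcetype=bar)
# Pointing the filter at a knowledge object instead, e.g.
#   srchFilter = eventtype=role_x_data
# keeps the stanza short, but a user who can edit that eventtype in their own
# context can change what the filter matches, which is the drawback noted below.
```

The security-relevant distinction is srchIndexesDefault versus srchIndexesAllowed: the default only controls what a bare search covers, so the restriction is only enforced if srchIndexesAllowed is set as well. A user of role_x with both set gets an empty result, not data from index b, if they type index=b.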


Stephen_Sorkin
Splunk Employee

No, but you can use eventtypes or list lookups. However, if you use any of these knowledge objects, you should note that a user can override or edit them for their local context, which often defeats the purpose in a search filter.

hulahoop
Splunk Employee

Thank you, Stephen. I appreciate the con analysis here for anyone attempting to rely on knowledge objects.


hulahoop
Splunk Employee

It would be nice if macros could work, as restructuring roles and indexes is an advanced admin task and can require lots of change and testing for moderate to complex Splunk environments.


hulahoop
Splunk Employee

Thank you, Nick. I recommended this to the customer as well, but you've covered it in much clearer detail here.


hulahoop
Splunk Employee

I just tried it--it's not possible in Splunk 4.1.4. 😞
