Getting Data In

Is it possible to use macros to restrict search terms?

hulahoop
Splunk Employee

I have a long list of hosts/sources/sourcetypes I want to restrict a user to. Can I define a macro, then reference that macro when restricting the user's search terms under Manager » Access controls » Roles » myrole » Restrict search terms ? This is to prevent the long list of search terms from showing up and taking over my search page every time I execute a query.

1 Solution

sideview
SplunkTrust

If I hear you correctly, you're looking for a more flexible alternative to giving your roles different search-filters?

Assuming that to be the case, what you might find cleaner is to index the different levels of data into different indexes, and then set the index config such that the users in those roles don't actually have to type in index=foo terms or even know that any of this is happening.

e.g.:

role X - I want them to only be able to search sourcetype=foo OR sourcetype=bar
role Y - I want them to only be able to search sourcetype=baz
role Z - I want them to search everything.

index A - contains foo and bar
index B - contains baz
index C - contains everything else.

So configure role X to search only index A by default,
configure role Y to search only index B by default,
configure role Z to search index A, B and C by default.

It takes a little getting used to, but
a) the performance will be better than search-filters
b) it's perhaps a bit easier to manage and set up overlapping groups on the fly.
c) with use cases around the different data sometimes being quite different, it may make more sense to use different indexes for other reasons: security, retention policy, etc.
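The index-per-role setup described in this answer, written out as an added configuration example (not from the original post or from Splunk's docs). Index names are lowercased to idx_a/idx_b/idx_c and the role stanzas are role_x/role_y/role_z; the log paths are constructed placeholders. One caveat: srchIndexesDefault only decides what is searched when the user types no index= term, while srchIndexesAllowed is what actually limits the role, so a restriction needs both.

```ini
# indexes.conf: one index per data level (idx_c holds everything else)
[idx_a]
homePath   = $SPLUNK_DB/idx_a/db
coldPath   = $SPLUNK_DB/idx_a/colddb
thawedPath = $SPLUNK_DB/idx_a/thaweddb

[idx_b]
homePath   = $SPLUNK_DB/idx_b/db
coldPath   = $SPLUNK_DB/idx_b/colddb
thawedPath = $SPLUNK_DB/idx_b/thaweddb

# inputs.conf: route each sourcetype to its index at ingest
# (paths are placeholders; use your real monitored files)
[monitor:///var/log/foo.log]
sourcetype = foo
index = idx_a

[monitor:///var/log/bar.log]
sourcetype = bar
index = idx_a

[monitor:///var/log/baz.log]
sourcetype = baz
index = idx_b

# authorize.conf: restrict each role by index instead of by search filter
[role_x]
srchIndexesAllowed = idx_a          # hard limit: nothing outside idx_a is searchable
srchIndexesDefault = idx_a          # searched when the user types no index= term

[role_y]
srchIndexesAllowed = idx_b
srchIndexesDefault = idx_b

[role_z]
srchIndexesAllowed = *              # may search every index
srchIndexesDefault = idx_a;idx_b;idx_c

# For comparison, the search-filter approach the question asks about:
# the filter is ANDed onto every search the role runs, and a long one
# appears in the search bar each time. Keep it literal; do not point it
# at an eventtype or macro a user can edit in their own context.
[role_x_filter_only]
srchFilter = sourcetype=foo OR sourcetype=bar
```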


Stephen_Sorkin
Splunk Employee

No, but you can use eventtypes or list lookups. However, if you use any of these knowledge objects, you should note that a user can override or edit them for their local context, which often defeats the purpose in a search filter.

hulahoop
Splunk Employee

Thank you, Stephen. I appreciate the con analysis here for anyone attempting to rely on knowledge objects.


hulahoop
Splunk Employee

It would be nice if macros could work, as restructuring roles and indexes is an advanced admin task and can require lots of change and testing for moderate to complex Splunk environments.


hulahoop
Splunk Employee

Thank you, Nick. I recommended this to the customer as well, but you've covered it in much clearer detail here.


hulahoop
Splunk Employee

I just tried it--it's not possible in Splunk 4.1.4. 😞
