I have a long list of hosts/sources/sourcetypes I want to restrict a user to. Can I define a macro, then reference that macro when restricting the user's search terms under Manager » Access controls » Roles » myrole » Restrict search terms ? This is to prevent the long list of search terms from showing up and taking over my search page every time I execute a query.
If I hear you correctly, you're looking for a more flexible alternative to giving your roles different search-filters?
Assuming that to be the case, what you might find cleaner is to index the different levels of data into different indexes, and then set the index config so that the users in those roles don't actually have to type in index=foo terms, or even know that any of this is happening.
role X - I want them to only be able to search sourcetype=foo OR sourcetype=bar
role Y - I want them to only be able to search sourcetype=baz
role Z - I want them to search everything.
index A - contains foo and bar
index B - contains baz
index C - contains everything else.
so configure role X to search only index A by default
configure role Y to search only index B by default.
configure role Z to search index A B and C by default.
It takes a little getting used to, but
a) the performance will be better than search-filters
b) it's perhaps a bit easier to manage and set up overlapping groups on the fly.
c) with use cases around the different data sometimes being quite different, it may make more sense to keep them in different indexes for other reasons too: security, retention policy, etc.
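The index-per-role setup described above, written out as an authorize.conf fragment. This is an added example, not configuration from the original answer; the role names role_x/role_y/role_z and index names index_a/index_b/index_c are assumed, and the indexes are assumed to already exist in indexes.conf.

```ini
# authorize.conf (added example; role and index names are assumed)
# Each role gets an explicit allowed list AND a default list, so the
# restriction holds even when a user types index=* in the search bar.

[role_x]
importRoles = user
# index_a holds sourcetype=foo and sourcetype=bar
srchIndexesAllowed = index_a
srchIndexesDefault = index_a

[role_y]
importRoles = user
# index_b holds sourcetype=baz
srchIndexesAllowed = index_b
srchIndexesDefault = index_b

[role_z]
importRoles = user
# index_c holds everything else; role Z may search all three indexes
# (values are semicolon-separated in authorize.conf)
srchIndexesAllowed = index_a;index_b;index_c
srchIndexesDefault = index_a;index_b;index_c

# For comparison, the "Restrict search terms" approach from the question
# is the srchFilter setting on a role, e.g. for role_x it would read:
#   srchFilter = sourcetype=foo OR sourcetype=bar
# That filter is appended to every search, which is the behaviour the
# question is trying to avoid.
```

Index permissions are cumulative across imported roles, so check what `user` (or any other imported role) already allows before relying on the lists above.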
Thank you, Nick. I recommended this to the customer as well, but you've covered it in much clearer detail here.
It would be nice if macros could work, as restructuring roles and indexes is an advanced admin task and can require lots of change and testing for moderate to complex Splunk environments.
No, but you can use eventtypes or list lookups. However, if you use any of these knowledge objects, you should note that a user can override or edit them for their local context, which often defeats the purpose in a search filter.
Thank you, Stephen. I appreciate the con analysis here for anyone attempting to rely on knowledge objects.