I'm trying to create an admission rule in workload management with the following syntax:
any search with "=*" in the index will return a predefined message.
My intention is to block any search that contains "=*" in any part of the index, such as: "index=splun*", "index=spl*", "index=_internal*", etc.
I didn't find anything in the documentation that talked about it. Is there any way to create a general rule for this case?
That use case is not supported by WLM admission rules. Go to https://ideas.splunk.com to make a case for it.
Reading through the Ideas, there are a few, written in different ways, that will yield the same result. This is the simplest explanation: https://ideas.splunk.com/ideas/PLECID-I-606. If we can use * as a literal, then it will help with your problem too. What would be best is to be able to implement a regex statement. At my shop, it would be OK to do index=ABCDE*, but not index=A*.
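The policy mentioned in the comment above (index=ABCDE* acceptable, index=A* not) can be checked outside WLM, for example when reviewing saved searches or search strings taken from audit data. This is an added example, not part of the thread and not a Splunk feature; the function names, the regex and the five-character threshold are assumptions, and the sample searches are constructed.

```python
import re

# Matches index=<value>, index="<value>", index!=<value> and index IN (<v1>, <v2>).
# Written for this example; it is not Splunk's own SPL parser.
_INDEX_TERM = re.compile(
    r'(?<![\w.])index(?:\s*!?=\s*(?P<single>"[^"]*"|[^\s|()\[\],]+)'
    r'|\s+IN\s*\((?P<many>[^)]*)\))',
    re.IGNORECASE,
)


def index_values(search):
    """Return every index value named in an SPL search string."""
    values = []
    for m in _INDEX_TERM.finditer(search):
        raw = [m.group("single")] if m.group("single") else m.group("many").split(",")
        values.extend(v.strip().strip('"') for v in raw if v.strip())
    return values


def too_broad(search, min_prefix=5):
    """Return wildcarded index values whose literal prefix is shorter than min_prefix."""
    flagged = []
    for value in index_values(search):
        # Length of the literal text before the first "*"; 0 for "index=*".
        if "*" in value and len(value.split("*", 1)[0]) < min_prefix:
            flagged.append(value)
    return flagged


# Constructed sample searches, not taken from a real environment.
SAMPLES = [
    'index=ABCDE* sourcetype=syslog error',
    'index=A* | stats count by host',
    'search index = "spl*" OR index=_internal*',
    'index IN (main, web*, firewall*) status=500',
    'index=main my_index=foo*',  # my_index is a field, not the index term
]

if __name__ == "__main__":
    for s in SAMPLES:
        hits = too_broad(s)
        print(("REVIEW " if hits else "ok     ") + s, hits or "")
```
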