Solved: block any search for index=* with workload

bmcaetano · ‎01-22-2024

I'm trying to create an admission rule in workload management with the following syntax:

any search with "=*" in the index will return a predefined message.

my intention is to block any search that contains "=*" in any part of the index, such as: "index=splun*", "index=spl*", "index=_internal*", etc.

I didn't find anything in the documentation that talked about it. Is there any way to create a general rule for this case?

richgalloway · ‎01-22-2024

That use case is not supported by WLM admission rules. Go to https://ideas.splunk.com to make a case for it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

chrisboy68 · ‎12-03-2024

Reading through the Ideas, there are a few written different ways that will yield the same result. This is the simplest explanation, https://ideas.splunk.com/ideas/PLECID-I-606. If we can use * as a literal, then it will help your problem too. What would be best is to be able to implement a regex statement. At my shop, it would be ok to do index=ABCDE*, but not index=A*.

richgalloway · ‎01-22-2024

That use case is not supported by WLM admission rules. Go to https://ideas.splunk.com to make a case for it.

---
If this reply helps you, Karma would be appreciated.

block any search for index=* with workload

heavy forwarder

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?

block any search for index=* with workload

heavy forwarder

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions