Security

Best option to filter data by user in an accelerated data model

DaniloMejia
Explorer

Hello!! I have a question about how to do something.

Within an index I have a field called entity; this corresponds to the companies whose products we manage.

In total we have 130 different entities, and each entity has 5 different users. Each entity only sees its own information in the reports; it cannot see the information of other entities.

The information for all the entities is stored in a single index. Creating 130 indexes to assign permissions seemed like a rather long task, and the provider in charge recommended using lookups for this.

We have a lookup that contains the name of the user and the name of the entity, and with a token in the dashboards we filter the information. With this, everyone sees what they need to see. We added the user field that comes from the lookup to the data model.

The problem we have is that when we enter a new user in the lookup, if the data model is accelerated, it never updates the information for this new user; if we do not accelerate the data model, the information is updated immediately.

We tried disabling the acceleration and enabling it again, but it still didn't work for us; it kept returning the same information as before we made the change in the lookup.

Another approach we tried was an automatic lookup on the index, but the same thing happens: if the data model is not accelerated, the information updates immediately, but if it is, it stays the same.

And if we build the data model again, creating it with another name but with the same root event and the same fields, it does bring the updated information.

What other suggestions would you have for doing something like this? Or do you see something I am doing wrong, so that the process does not work as I think it should? I attach three additional images: one of the lookup, and one each of the accelerated data model and of the data model without acceleration, so that you can see the differences.

Thanks a lot!!

[Images: Lookup; With acceleration; Without acceleration]

1 Solution

scelikok
SplunkTrust

Hi @DaniloMejia,

In order to be able to make changes to the lookup, you shouldn't put it inside the root search; instead you should use the lookup command in the dashboard, report, etc. As a sample:

| tstats count from datamodel=Datamodel_Name by codigo_entidad | lookup permisos_entidades codigo_entidad OUTPUTNEW usuario

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.


DaniloMejia
Explorer

This is working!! Thank you very much!!


scelikok
SplunkTrust

Hi @DaniloMejia,

Data model acceleration creates a separate summary of the data using the field values at acceleration time. The lookup values are recorded in this summary as well. That is why further changes to your lookups will not be reflected. When you disable acceleration, the summary is not used; your searches use the actual data and the current lookup values.

The safest way would be to remove the lookup commands from the data model fields and add the lookup command at the end of your search.

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
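A fuller version of the search from the accepted answer, written out as an added example; it is not from the original thread or from Splunk documentation. It assumes that the root event dataset inside Datamodel_Name is called Transacciones (a hypothetical name; tstats needs the field qualified with the dataset name), that the permisos_entidades lookup has one row per (usuario, codigo_entidad) pair, and that the search runs in a dashboard panel, where the built-in $env:user$ token expands to the logged-in user's name. Because the lookup runs after tstats, it is evaluated against the current lookup file on every run rather than against the values frozen into the acceleration summary, which is the behaviour explained in the reply above:

```spl
| tstats count
    from datamodel=Datamodel_Name
    where nodename=Transacciones
    by Transacciones.codigo_entidad
| rename Transacciones.codigo_entidad as codigo_entidad
| lookup permisos_entidades codigo_entidad OUTPUT usuario
| search usuario="$env:user$"
| fields - usuario
```

OUTPUT rather than OUTPUTNEW matters if the old usuario field is still defined in the data model: OUTPUTNEW keeps a value that already exists on the event, so the stale value written into the summary would survive and the symptom described in the question would come back, whereas OUTPUT overwrites it. With several users per entity the lookup returns usuario as a multivalue field, and search matches on any of its values. One caveat that a security team will want to be explicit about: this filter only restricts what the dashboard panel shows. A user who is allowed to run searches against idx_informes_transacciones can still query the index directly and see every entity. If the requirement is that one entity must never see another entity's data, the enforcement point is the role (a search filter restricting the role's search terms, or separate indexes with per-role index permissions), and the lookup-based token filter is a convenience layered on top of that, not a substitute for it.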

DaniloMejia
Explorer

I am trying this in the root search:

index="idx_informes_transacciones" sourcetype="st_trx_exitosas_noexitosas" source="trx_exitosas_noexitosas" codigo_entidad="00000105" | lookup permisos_entidades codigo_entidad OUTPUTNEW usuario

but when I accelerate the data model it gets stuck in "building"; I imagine it is because of the lookup command, because it is a non-streaming command.

And what I'm looking for is to be able to accelerate the data model and still be able to make changes in the lookup.

Thank you for the help!!

 
