Solved: Re: How can I restrict a user to only search a spe...

vsingla1 · ‎04-07-2015

Can I restrict a user to search on a specific set of peers? e.g there are 3 search peers in our splunk enterprise environment, so how can I restrict a user to search by default on only 2 peers and exclude the third one? I know this sort of restriction can be done on an index (internal vs non-internal).

Thanks,
Vineet

alacercogitatus · ‎04-09-2015

Yes! You can. So let's make a role, call it TwoPeer. TwoPeer is created in the web interface and has a special setting called "Search Filter". In this box, place the search that will be appended to all searches that are assigned this role. So "splunk_server=sp1 OR splunk_server=sp2" would restrict to those two indexers. Search Filter of "NOT splunk_server=sp3" would give you almost the same result, but would allow the user to search "sp4" if one ever came on line.

You can also set srchFilter on the authorize.conf file where the roles are defined.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Authorizeconf

View solution in original post

alacercogitatus · ‎04-09-2015

Yes! You can. So let's make a role, call it TwoPeer. TwoPeer is created in the web interface and has a special setting called "Search Filter". In this box, place the search that will be appended to all searches that are assigned this role. So "splunk_server=sp1 OR splunk_server=sp2" would restrict to those two indexers. Search Filter of "NOT splunk_server=sp3" would give you almost the same result, but would allow the user to search "sp4" if one ever came on line.

You can also set srchFilter on the authorize.conf file where the roles are defined.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Authorizeconf

Lucas_K · ‎04-24-2015

It should be noted that there is a bug (well I think its a bug) with using search filters and roles.

It has a weird behavior unlike any other setting in splunk.

If you use any sort of imported role which has search filter, it will NOT be applied IF your current role doesn't explicitly state a search filter option, If you DO include it then it will stack the filters together and not apply the highest level precedence stanza (ie. the normal operation for every single other stanza in splunk).

ie. a broken configuration :

role_user 
 srchFilter = splunk_server=server_1

role_custom_user 
import_role = user

I found this issue when trying to apply a filter to roles all of which inherited admin/power or user roles.
You have to explicitly give every role a filter unfortunately which makes inheritence useless. I had to manually add the filter for 300+ roles 😞

vsingla1 · ‎04-10-2015

Done!!!!!!

vsingla1 · ‎04-10-2015

I got it. thats very much doable. thanks for the reply.

alacercogitatus · ‎04-10-2015

please mark the answer as accepted if it has successfully answered your question. Thanks!

vsingla1 · ‎04-08-2015

I read it in the Splunk Search manual for 6.1.4. Below is the exact line copied from the manual:
"The default peers that you can access are controlled by the roles and permissions associated with your profile and set by your Splunk admin. For more information, see "About users and roles" in Securing Splunk".

I know it can be specified in the search like splunk_server=. But the manual says it can be controlled via roles and permissions also. That lead to my curosity.

Thanks,
Vineet

vsingla1 · ‎04-09-2015

Suppose there are three roles - Role1,Role2,Role3. The link that you provided explains that all roles can be restricted to a specific search peer.
But is it possible to customize and restrict Role1 to Peer1. Role2 to Peer2 and Role3 to Peer1.
I know it can be done for index like Role1 to Index2 and Role2 to Index3 and Role3 to Index1.

rsennett_splunk · ‎04-09-2015

No, the link to the other answer does not mention "roles". You're right. You can assign specific default indexes to roles, you cannot define specific search peers per role.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

vsingla1 · ‎04-09-2015

As I said earlier, from the manual, it seemed this kind of setting could be accomplished. So I thought of exploring more on it. But it seems the search came to a dead end.

rsennett_splunk · ‎04-07-2015

Can I ask why? That might make your need more clear.
When you say "search" do you mean ad_hoc searches? All searches? Are all the indexes the same on all three?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

rsennett_splunk · ‎04-07-2015

This might be helpful to you in the meantime: http://answers.splunk.com/answers/215164/how-do-i-restrict-searches-to-specific-search-peer.html#ans...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk