Security

How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

Communicator

Can I restrict a user to search on a specific set of peers? E.g., there are 3 search peers in our Splunk Enterprise environment, so how can I restrict a user to search by default on only 2 peers and exclude the third one? I know this sort of restriction can be done on an index (internal vs non-internal).

Thanks,
Vineet


Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

Splunk Employee

Can I ask why? That might make your need more clear.
When you say "search", do you mean ad hoc searches? All searches? Are all the indexes the same on all three?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

Splunk Employee

This might be helpful to you in the meantime: http://answers.splunk.com/answers/215164/how-do-i-restrict-searches-to-specific-search-peer.html#ans...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

Communicator

I read it in the Splunk Search manual for 6.1.4. Below is the exact line copied from the manual:
"The default peers that you can access are controlled by the roles and permissions associated with your profile and set by your Splunk admin. For more information, see "About users and roles" in Securing Splunk".

I know it can be specified in the search like splunk_server=. But the manual says it can be controlled via roles and permissions also. That led to my curiosity.

Thanks,
Vineet

0 Karma

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

Communicator

Suppose there are three roles: Role1, Role2, Role3. The link that you provided explains that all roles can be restricted to a specific search peer.
But is it possible to customize and restrict Role1 to Peer1, Role2 to Peer2 and Role3 to Peer1?
I know it can be done for index like Role1 to Index2 and Role2 to Index3 and Role3 to Index1.

0 Karma

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

Splunk Employee

No, the link to the other answer does not mention "roles". You're right. You can assign specific default indexes to roles; you cannot define specific search peers per role.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

Communicator

As I said earlier, from the manual, it seemed this kind of setting could be accomplished. So I thought of exploring more on it. But it seems the search came to a dead end.

0 Karma

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

SplunkTrust

Yes! You can. So let's make a role, call it TwoPeer. TwoPeer is created in the web interface and has a special setting called "Search Filter". In this box, place the search that will be appended to all searches that are assigned this role. So "splunk_server=sp1 OR splunk_server=sp2" would restrict to those two indexers. Search Filter of "NOT splunk_server=sp3" would give you almost the same result, but would allow the user to search "sp4" if one ever came online.

You can also set srchFilter in the authorize.conf file where the roles are defined.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Authorizeconf
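
An added example, not part of the original answer or Splunk's own code: a Python check of which peers each of the two filters above leaves searchable once a new indexer `sp4` joins. The role names and conf text are constructed, and the parser assumes filters made only of `[NOT] splunk_server=<name>` clauses joined by `OR`, matched exactly.

```python
import configparser

# Constructed authorize.conf content holding the two filters from the answer.
# The role names are hypothetical.
AUTHORIZE_CONF = """
[role_twopeer_allow]
srchFilter = splunk_server=sp1 OR splunk_server=sp2

[role_twopeer_deny]
srchFilter = NOT splunk_server=sp3
"""

def parse_filter(srch_filter):
    """Split '[NOT] splunk_server=X' clauses joined by OR into (negated, peer) pairs."""
    clauses = []
    for clause in srch_filter.split(" OR "):
        tokens = clause.split()
        negated = tokens[:1] == ["NOT"]
        if negated:
            tokens = tokens[1:]
        # Anything outside the assumed grammar is rejected rather than guessed at.
        if len(tokens) != 1 or not tokens[0].startswith("splunk_server="):
            raise ValueError(f"unsupported clause: {clause!r}")
        clauses.append((negated, tokens[0].split("=", 1)[1]))
    return clauses

def reachable_peers(srch_filter, peers):
    """Return the peers whose events pass the filter (any OR clause matches)."""
    clauses = parse_filter(srch_filter)
    return sorted(p for p in peers
                  if any((p == name) != negated for negated, name in clauses))

def audit(conf_text, peers):
    """Map each role stanza to the peers its srchFilter leaves searchable."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive (srchFilter)
    cp.read_string(conf_text)
    return {role: reachable_peers(cp[role]["srchFilter"], peers)
            for role in cp.sections() if "srchFilter" in cp[role]}

if __name__ == "__main__":
    # Compare today's three peers with the same environment after sp4 is added.
    for peers in (["sp1", "sp2", "sp3"], ["sp1", "sp2", "sp3", "sp4"]):
        print(peers, audit(AUTHORIZE_CONF, peers))
```

With three peers both roles see `sp1` and `sp2`; once `sp4` exists, only the allow-list role stays confined to those two.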


Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

Communicator

I got it. That's very much doable. Thanks for the reply.

0 Karma

Re: How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

SplunkTrust

Please mark the answer as accepted if it has successfully answered your question. Thanks!

0 Karma