Can I restrict a user to search on a specific set of peers? E.g., there are 3 search peers in our Splunk Enterprise environment, so how can I restrict a user to search by default on only 2 peers and exclude the third one? I know this sort of restriction can be done on an index (internal vs non-internal).
Can I ask why? That might make your need more clear.
When you say "search" do you mean ad_hoc searches? All searches? Are all the indexes the same on all three?
This might be helpful to you in the meantime: http://answers.splunk.com/answers/215164/how-do-i-restrict-searches-to-specific-search-peer.html#ans...
I read it in the Splunk Search manual for 6.1.4. Below is the exact line copied from the manual:
"The default peers that you can access are controlled by the roles and permissions associated with your profile and set by your Splunk admin. For more information, see "About users and roles" in Securing Splunk".
I know it can be specified in the search like splunk_server=. But the manual says it can be controlled via roles and permissions also. That led to my curiosity.
Suppose there are three roles - Role1,Role2,Role3. The link that you provided explains that all roles can be restricted to a specific search peer.
But is it possible to customize and restrict Role1 to Peer1, Role2 to Peer2 and Role3 to Peer1?
I know it can be done for index like Role1 to Index2 and Role2 to Index3 and Role3 to Index1.
No, the link to the other answer does not mention "roles". You're right. You can assign specific default indexes to roles, you cannot define specific search peers per role.
As I said earlier, from the manual, it seemed this kind of setting could be accomplished. So I thought of exploring more on it. But it seems the search came to a dead end.
Yes! You can. So let's make a role, call it TwoPeer. TwoPeer is created in the web interface and has a special setting called "Search Filter". In this box, place the search that will be appended to all searches that are assigned this role. So "splunk_server=sp1 OR splunk_server=sp2" would restrict to those two indexers. Search Filter of "NOT splunk_server=sp3" would give you almost the same result, but would allow the user to search "sp4" if one ever came online.
You can also set srchFilter in the authorize.conf file where the roles are defined.
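The difference between the two filters in the answer above, as an added example that is not part of the original thread: the script reads role stanzas from a constructed authorize.conf and works out which peers each role's own srchFilter admits, before and after a fourth peer appears. The role names NotThird and Unfiltered and the helper names are assumptions; only the two simple filter shapes from the answer are evaluated, and filters inherited from other roles are not resolved.

```python
import configparser
import re

# Constructed authorize.conf content. TwoPeer and the peer names come from the
# answer; NotThird and Unfiltered are hypothetical roles added for comparison.
SAMPLE_CONF = """
[role_TwoPeer]
srchFilter = splunk_server=sp1 OR splunk_server=sp2

[role_NotThird]
srchFilter = NOT splunk_server=sp3

[role_Unfiltered]
srchIndexesAllowed = main
"""

TERM = re.compile(r"(NOT\s+)?splunk_server=(\S+)")

def reachable_peers(srch_filter, peers):
    """Peers admitted by a filter, or None when the filter is not a pure
    allow-list (t OR t ...) or deny-list (NOT t [AND NOT t ...])."""
    if not srch_filter.strip():
        return set(peers)                      # no filter: every peer is searchable
    terms = TERM.findall(srch_filter)
    glue = set(TERM.sub(" ", srch_filter).split())   # what is left between terms
    names = {name.strip('"') for _, name in terms}
    negated = {bool(neg) for neg, _ in terms}
    if not terms or any("*" in n for n in names):
        return None                            # other fields or wildcards: do not guess
    if negated == {False} and glue <= {"OR"}:
        return set(peers) & names              # allow-list: new peers stay excluded
    if negated == {True} and glue <= {"AND"}:
        return set(peers) - names              # deny-list: new peers are admitted
    return None

def audit(conf_text, peers):
    """Map each role_* stanza to the peers its own srchFilter admits."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                       # keep Splunk's camelCase keys
    cp.read_string(conf_text)
    return {s[len("role_"):]: reachable_peers(cp[s].get("srchFilter", ""), peers)
            for s in cp.sections() if s.startswith("role_")}

if __name__ == "__main__":
    for peers in (["sp1", "sp2", "sp3"], ["sp1", "sp2", "sp3", "sp4"]):
        print(peers)
        for role, allowed in audit(SAMPLE_CONF, peers).items():
            shown = sorted(allowed) if allowed is not None else "needs manual review"
            print(f"  {role}: {shown}")
```

With three peers, TwoPeer and NotThird reach the same two indexers; once sp4 is added, only the deny-list role picks it up.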
I got it. That's very much doable. Thanks for the reply.
Please mark the answer as accepted if it has successfully answered your question. Thanks!