I'm trying to add splunk access to a user.
I have a search which creates lookup with hosts names. It is created based on IP from _internal logs - I have a list of IP ranges.
Now I wanted to created a role, with restrictions to hosts from lookup.
I've tried to create a event type, but I can't use pipes there, to read lookup.
I've also tried to use inputlookup command in role restrictions, but no luck.
Any Idea how to do it? Maybe other way, without lookup?