Due to security reasons, we need to limit the amount of data a user is exporting out of Splunk by using the Export option in the Splunk Web UI. Is there anyway to do this?
I looked everywhere and did not find a setting to say for example the maximum number of results that can be exported by anyone at a given time is 100 events. In the UI, when you are exporting, the user has the option to limit the number of rows, but I could not see a way to hard code that to 100 for example.
Also, is there a way to search thru the _internal index and find any export attempts? If so is there a way to see what was the search and who ran it? Is there a way to see how many rows were exported?
What you are asking is not yet possible . As you can see on
Settings-->Acess controls-->Roles, you can not limit the number of results a user can export. Once you allow a user to make searches (by giving him a search Role ), you can only set Searches restrictions , like Restrict search terms,Restrict search time, the maximum number of concurrent search jobs range, etc..
Now, to know any searches lauched by any user, here is the query you need:
| rest /services/search/jobs|table author custom.search
I tried to use the rest end point but did not see anything in there that pointed out the Export query and number of records downloaded. Is that returned by the jobs endpoint?
But you can see users custom searches, not the export action. If a user have used the export command in the search query, you will see it in the custom.search column.
Yes I can see the custom search that was run before the download but there is no way to find out if they downloaded the results. I am trying to setup an alert in Splunk so our security officer is notified every time someone downloads results out of Splunk. As part of the alert he would need to know what was the search query and time frame and how many results they downloaded. The only way I found out so far was by searching the _internal index - something like this:
index=internal sourcetype=splunkdui_access "isDownload=true"
We can extract the search query that was performed for the download from results returned from above but I cannot find a way to see how may records was downloaded.