I am trying to restrict access for a specific access. (Splunk 5.05) In the case below I don't want the power users to have access to indexes security1 or security2. This doesn't seem to work.
Any suggestions?
In Authorize.conf:
[role_power]
list_httpauths = enabled
rtsearch = enabled
rtSrchJobsQuota = 5
schedule_search = enabled
srchDiskQuota = 3000
srchIndexesAllowed = *;_*
srchIndexesDefault = *
srchFilter = index!=security1;security2
srchJobsQuota = 30
This worked:
srchFilter = index!=security1 index!=security2
"srchFilter" is a semi-colon delimited list of search filters for a role. In your case you have two search filters: "index!=security" and "security2". These are search terms that will be added to all searches for this role automatically. I suspect you don't want "security2" as a search filter. Perhaps you're looking for something like this?
srchFilter = index!=security1;index!=security2
Sorry. It didn't work. Users received the message:
"Error in 'search' command: Unable to parse the search: Comparator '!=' has an invalid term on the left hand side."
Thanks. I will give this a try.
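An added example, not part of the original thread and not Splunk's own code: a small audit script that reads authorize.conf text and reports roles that can still reach a sensitive index, treating only the space-separated index!= form the thread reports working as a valid exclusion. The function name, the role_power_fixed stanza and the glob matching of srchIndexesAllowed patterns are assumptions made for this example.

```python
import configparser
import fnmatch
import re

# Constructed sample: the role from the question and the variant reported working.
SAMPLE = """\
[role_power]
srchIndexesAllowed = *;_*
srchFilter = index!=security1;security2

[role_power_fixed]
srchIndexesAllowed = *;_*
srchFilter = index!=security1 index!=security2
"""

EXCLUSION = re.compile(r"index!=([\w-]+)")


def audit_roles(conf_text, sensitive):
    """Return {role: [findings]}; an empty list means no sensitive index is reachable."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the camelCase key names as written
    cp.read_string(conf_text)
    report = {}
    for role in cp.sections():
        raw = cp.get(role, "srchIndexesAllowed", fallback="")
        allowed = [p.strip() for p in raw.split(";") if p.strip()]
        filt = cp.get(role, "srchFilter", fallback="")
        findings, excluded = [], set()
        if ";" in filt:
            # Both ';'-separated forms in the thread failed, so trust none of it.
            findings.append("srchFilter contains ';'")
        else:
            for term in filt.split():
                m = EXCLUSION.fullmatch(term)
                if m:
                    excluded.add(m.group(1))
        for idx in sensitive:
            # Assumption: glob matching approximates Splunk's index wildcards.
            if any(fnmatch.fnmatchcase(idx, p) for p in allowed) and idx not in excluded:
                findings.append(f"{idx}: allowed and not excluded")
        report[role] = findings
    return report


if __name__ == "__main__":
    for role, findings in audit_roles(SAMPLE, ["security1", "security2"]).items():
        print(role, findings or "ok")
```

A role whose srchIndexesAllowed names only the indexes it needs produces no findings, since the sensitive indexes are never allowed in the first place.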