I created a role to manage data access for users in a certain LDAP group called role-user.
This role has a search filter:
I then created a new user account called role-user-test in order to verify that this role works correctly.
I made sure that the search filter that had been applied is visible to the user by doing the search specified here.
+----------------+-----------------+---------------------------+
| title          | roles           | search filter             |
+----------------+-----------------+---------------------------+
| role-user-test | role-user; user | "| search Location=SAX_*" |
+----------------+-----------------+---------------------------+
However, when I logged in as that user and tried searches, it doesn't seem to be applying the search filter to the user's query at all!
The results I see in searches, reports and dashboards still contain results that should have been filtered out.
I also tried specifying the search filter different ways, e.g. "Location=SAX_"
Are there other configurations for using search filters that I could be missing?
Thanks.
Can you just try putting in only the search terms, i.e.
Location="SAX_*"
Once you run the search, check the job inspector to see what's the final search Splunk executed (normalizedSearch OR remoteSearch).