Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are my role-based search filters are not being applied?

chustar
Path Finder
‎01-12-2016 12:08 PM

I created a role to manage data access for users in a certain LDAP group called role-user.
This role has a search filter:
I then created a new user account called, role-user-test, in order to verify that this role works correctly.
I made sure that the search filter had been applied is visible to the user by doing the search specified here.

+----------------+--------+-------------------------------+ 
| title          | roles        | search filter           |
+----------------+--------+-------------------------------+ 
| role-user-test |role-user; user | "| search Location=SAX_*" |
+----------------+--------+-------------------------------+

However, when I logged in as that user and tried searches, it doesn't seem to be applying the search filter to the user's query at all!
The results I see in searches, reports and dashboards still contain results that should have been filtered out.
I also tried specifying the search filter different ways, e.g. "Location=SAX_"
Are there other configurations for using search filters that I could be missing?

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-12-2016 06:34 PM

Can you just try putting in only the search terms ie

Location="SAX_*"

Once you run the search check the job inspector to see what's the final search Splunk executed (normalizedSearch OR remoteSearch)

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-12-2016 06:34 PM

Can you just try putting in only the search terms ie

Location="SAX_*"

Once you run the search check the job inspector to see what's the final search Splunk executed (normalizedSearch OR remoteSearch)

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...