Hi,
From the authorize.conf spec:
srchIndexesDefault = <string>
* Semicolon delimited list of indexes to search when no index is specified
* These indexes can be wildcarded, with the exception that '*' does not match internal indexes
* To match internal indexes, start with '_'. All internal indexes are represented by '_*'
* Defaults to none, but the UI will automatically populate this with 'main' in manager
So as per the docs, we can use full wildcards. Just wanted to check if we can mix wildcards && specific indexes. So is the below possible?
srchIndexesDefault = web_*;*network_*;myspecialindex
Also, is there any chance of a blacklist concept in authorize.conf? I really feel it is worth it for Splunk to enable this, as we can whitelist & blacklist indexes for roles.
You can use a combination of both full index names and wildcarded index names. I do this myself to give users access to specific indexes (e.g. os, main, windows) and all summary indexes (e.g. summary_*).
There is no blacklist functionality available in authorize.conf to specify indexes. (and I do agree it would be really helpful to have that). For now, you need to ensure that the whitelist/index list doesn't contain the indexes that you want to blacklist.
Cheers mate. I will try to raise an enhancement request
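Since there is no blacklist setting, one way to check that a role's list does not expose an index you meant to exclude is to expand the patterns against your index inventory. This is an added example, not part of the thread and not Splunk's own code: the matcher is a reading of the spec text quoted above, and the inventory and denied list are constructed sample values.

```python
import re

def parse_patterns(value):
    """Split a semicolon-delimited srchIndexesDefault value into patterns."""
    return [p.strip() for p in value.split(";") if p.strip()]

def pattern_matches(pattern, index):
    """Assumed semantics, taken from the quoted spec text: '*' is the only
    wildcard, and internal indexes (leading '_') are matched only by
    patterns that themselves start with '_'."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None

def expand(value, inventory):
    """Map each index in the inventory to the patterns that expose it."""
    patterns = parse_patterns(value)
    exposed = {}
    for index in inventory:
        hits = [p for p in patterns if pattern_matches(p, index)]
        if hits:
            exposed[index] = hits
    return exposed

def audit(value, inventory, denied):
    """Return {denied_index: [patterns exposing it]} for a role setting."""
    exposed = expand(value, inventory)
    return {i: exposed[i] for i in denied if i in exposed}

# Constructed sample data: replace with your own index list and exclusions.
INVENTORY = ["main", "web_prod", "web_pci", "corp_network_fw",
             "myspecialindex", "summary_sales", "_internal", "_audit"]
ROLE_VALUE = "web_*;*network_*;myspecialindex"   # value from the question
DENIED = ["web_pci", "_audit"]                   # indexes the role must not see

if __name__ == "__main__":
    for index, patterns in audit(ROLE_VALUE, INVENTORY, DENIED).items():
        print(f"{index} is exposed by: {', '.join(patterns)}")
```

An empty result from audit() means none of the denied indexes is reachable through the role's list; any hit names the wildcard that has to be narrowed or replaced with explicit index names.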