Security

authorize.conf : Wildcard alongside specific Indexes & Option to blacklist?

koshyk
Super Champion

Hi,

From authorize.conf specific

srchIndexesDefault = <string>
* Semicolon delimited list of indexes to search when no index is specified
* These indexes can be wildcarded, with the exception that '*' does not
  match internal indexes
* To match internal indexes, start with '_'. All internal indexes are
  represented by '_*'
* Defaults to none, but the UI will automatically populate this with 'main'
  in manager  

So as per docs, we an use full wildcards. Just wanted to check if we can mix wildcards && specific indexes. So is below possible?

srchIndexesDefault = web_*;*network_*;myspecialindex

Also, is there any chance of blacklist concept in authorize.conf? I really feel it is worth to Splunk to enable this as we can do whitelist & blacklist indexes to roles

0 Karma
1 Solution

somesoni2
Revered Legend

You can use combination of both full index name and wild carded index names. I do this myself to give user access specific index (e.g. os, main, windows) and all summary indexes (e.g. summary_*).

There is no blacklist functionality available in authorize.conf to specify indexes. (and I do agree it would be really helpful to have that). For now, you need to ensure that the whitelist/index list doesn't contain the indexes that you want to blacklist.

View solution in original post

somesoni2
Revered Legend

You can use combination of both full index name and wild carded index names. I do this myself to give user access specific index (e.g. os, main, windows) and all summary indexes (e.g. summary_*).

There is no blacklist functionality available in authorize.conf to specify indexes. (and I do agree it would be really helpful to have that). For now, you need to ensure that the whitelist/index list doesn't contain the indexes that you want to blacklist.

koshyk
Super Champion

Cheers mate. I will try to raise an enhancement request

0 Karma
Get Updates on the Splunk Community!

Customer Experience | Splunk 2024: New Onboarding Resources

In 2023, we were routinely reminded that the digital world is ever-evolving and susceptible to new ...

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

Today and every day, Splunk celebrates the importance of customer experience throughout our product, ...

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...