Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise Security
- :
- Restrictions filter - Role restrict search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Restrictions filter - Role restrict search
I created a Role with the following restriction:
1- origen::chile OR ( index::_audit AND user="secchi")
But still can see the data models with any origen. I can filter a data model in search and reporting like this:
2- | datamodel "Authentication" search | search Authentication.origen="chile"
But a don't know how to combine the 1 and 2 into one single restriction to include it into the Role restrict search. Any ideas?
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The key here is to only get event data with origen="chile" and datamodel Authentication with values Authentication.origen="chile" when the user "chile" logs in. The place that is the most obvios to do this is at the Role setting Role->Restrictions
From what I see, the SPL you wrote there is no filtering both.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see, That's true.
Because where needs to be written by you.
I used append to show the two logs and then selfjoin them together.
If There is the row that has Authentication.origen field, it should be kept.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for responding. It does not seem to work. Could you please explain the logic?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you try? What are the query and result? I don't have any information at all, so that's all I can do.
Please look up the meaning of spl.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
append and | eval origen=coalesce(origen,Authentication.origen) | selfjoin origen | where as_you_like
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
