Splunk Enterprise

What is wrong/the issue if saved searches don't use an index name for searching? Thank u for your time in advance.

SamHTexas
Builder

Is there a security issue or problem if a saved search doesn't use an index name for searching? Should all saved searches use index names for searching? Thank u very much in advance.


PickleRick
Champion

I think you asked a similar question already - some two weeks ago or so.

Remember that not every search needs a source index specification. You might do a | rest call. Or | makeresults. Or | ldapsearch. Or ...


SamHTexas
Builder

Thank u for your message. Would you share the full SPL for what you are teaching me, please? Also, is there an SPL to find what index is assigned to which search? Thank u again


isoutamo
SplunkTrust

You can start with this to see what users have done.

index=_audit source=audittrail sourcetype=audittrail action=search 
| dedup user search
| table _time user search

But remember that you can get information only for indexes which users have added to their SPL. If event types, macros or lookups are used, then you can see only those names, and then you must look at what those are and hope that they haven't changed after the SPL query has run.

As I said, there is no way (or at least I haven't found it) to get a real list of used indexes.

r. Ismo
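
Taking the audit search above together with PickleRick's point that generating commands such as | rest or | makeresults need no index, here is an added Python example (not from this thread, and not Splunk's own code) that runs the same check offline over constructed rows shaped like the audit search's output: it dedups on user and search, flags searches that silently rely on role default indexes, and marks searches whose index may be hidden behind a macro or event type as unresolved. The row format, the list of generating commands and the regexes are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample rows in the shape of the audit search's output
# (_time, user, search). These are made-up events, not real audittrail data.
AUDIT_ROWS = [
    '2021-11-01T09:00:00 user=alice search="search index=web sourcetype=access_combined status=500"',
    '2021-11-01T09:05:00 user=bob search="search sourcetype=mysourcetype myfield=abc"',
    '2021-11-01T09:06:00 user=bob search="search sourcetype=mysourcetype myfield=abc"',
    '2021-11-01T09:10:00 user=carol search="| rest /services/saved/searches | table title search"',
    '2021-11-01T09:15:00 user=dave search="| makeresults | eval x=1"',
    '2021-11-01T09:20:00 user=erin search="search `web_errors` | stats count"',
]

# Commands that generate their own results and therefore need no index.
# This is an assumed list for the example, not Splunk's own; extend it as needed.
GENERATING_COMMANDS = {"rest", "makeresults", "ldapsearch", "inputlookup", "dbxquery"}

ROW_RE = re.compile(r'^(?P<time>\S+)\s+user=(?P<user>\S+)\s+search="(?P<search>.*)"$')
INDEX_RE = re.compile(r'\bindex\s*=\s*("[^"]*"|\S+)', re.IGNORECASE)
MACRO_RE = re.compile(r'`[^`]+`')
EVENTTYPE_RE = re.compile(r'\beventtype\s*=', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    time: str
    user: str
    search: str
    indexes: tuple   # explicit index= values, if any
    verdict: str     # explicit | generating | unresolved | no_index


def explicit_indexes(spl):
    """Heuristic: every index=<value> term written out in the SPL."""
    return tuple(m.group(1).strip('"') for m in INDEX_RE.finditer(spl))


def is_generating(spl):
    """True when the search starts with a generating command such as | rest."""
    body = spl.lstrip()
    if not body.startswith("|"):
        return False
    parts = body[1:].split()
    return bool(parts) and parts[0].lower() in GENERATING_COMMANDS


def classify(spl):
    """Decide how the searched indexes of this SPL can be known after the fact."""
    if explicit_indexes(spl):
        return "explicit"
    if is_generating(spl):
        return "generating"
    if MACRO_RE.search(spl) or EVENTTYPE_RE.search(spl):
        # The index may be hidden inside a macro or event type; you would have
        # to expand it yourself and hope it has not changed since the search ran.
        return "unresolved"
    return "no_index"   # resolved at run time from the user's role defaults


def audit_findings(rows):
    """Parse rows, dedup on (user, search) like the SPL above, classify each."""
    findings, seen = [], set()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        key = (m["user"], m["search"])
        if key in seen:
            continue
        seen.add(key)
        findings.append(Finding(m["time"], m["user"], m["search"],
                                explicit_indexes(m["search"]), classify(m["search"])))
    return findings


if __name__ == "__main__":
    for f in audit_findings(AUDIT_ROWS):
        print(f"{f.time} {f.user:<6} {f.verdict:<10} {f.indexes} {f.search}")
```

Rows with verdict no_index are the ones Ismo's caveat is about: the audit log records the SPL, but which indexes that SPL actually hit depended on the user's role at the moment it ran.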

bowesmana
SplunkTrust

If you don't use an index statement, then your range of indexes searched will be at the whim of the administrator as to what indexes have been assigned as default indexes to the role the searching user is given.

See https://docs.splunk.com/Documentation/Splunk/8.2.2/Security/Addandeditroles on searchable indexes.


SamHTexas
Builder

Thank u very much for this. Am not clear yet. Would you elaborate a bit? What problems are caused & what happens to the searches?


bowesmana
SplunkTrust

Take for example this search

sourcetype=mysourcetype myfield=abc

If your user role is configured to provide default indexes of 'main', then when you run a search without the index statement, you will ONLY search data from index=main. If your data exists in index=myindex then it will not be found.


isoutamo
SplunkTrust

Hi

In short, if you don't define the used index in saved searches, you cannot know 100% sure which indexes were used (or should be used) when user X did a search at time Y. Without index names, the used index list is dynamically generated at time Y based on the role(s) and access of X. Of course you cannot see the used indexes from the audit logs even if you have defined those in the SPL query, but if/when you have version control in place for configuration, you can look it up there.

r. Ismo


SamHTexas
Builder

Happy Monday & thank u for your reply. Let's say you don't define an index for user searching!! Are there default indexes assigned to each role in Splunk? Thank u again.


isoutamo
SplunkTrust

In a plain Splunk installation there is usually at least the main index as the default index for the role user. This is then inherited by other roles by including this role in those other roles.

You can check this from Settings -> Roles, then select the role and open 3. Indexes. That shows which indexes are granted directly or are inherited from other roles.

r. Ismo
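
As an added example (not part of this thread, and not Splunk's code), the following Python models what bowesmana and Ismo describe: a search without index= is resolved from the role's srchIndexesDefault, including whatever the role inherits through importRoles, so the sourcetype=mysourcetype search under a role whose default is only main never sees data living in myindex. The role definitions are constructed; srchIndexesDefault, srchIndexesAllowed and importRoles are the real authorize.conf setting names, but the inheritance and filtering rules here are a simplified model, not Splunk's implementation.

```python
import re
from fnmatch import fnmatch

# Constructed authorize.conf-style role definitions (made-up values, not a
# real deployment). Inheritance here is a simplified model of Splunk's behaviour.
ROLES = {
    "user":    {"srchIndexesDefault": ["main"],
                "srchIndexesAllowed": ["main", "web"],
                "importRoles": []},
    "power":   {"srchIndexesDefault": [],
                "srchIndexesAllowed": ["myindex"],
                "importRoles": ["user"]},
    "analyst": {"srchIndexesDefault": ["sec"],
                "srchIndexesAllowed": ["sec"],
                "importRoles": ["power"]},
}

INDEX_RE = re.compile(r'\bindex\s*=\s*("[^"]*"|\S+)', re.IGNORECASE)


def effective_indexes(role, key, roles=ROLES, _seen=None):
    """Union of `key` over the role and every role it imports (cycle-safe)."""
    if _seen is None:
        _seen = set()
    if role in _seen or role not in roles:
        return set()
    _seen.add(role)
    result = set(roles[role].get(key, []))
    for parent in roles[role].get("importRoles", []):
        result |= effective_indexes(parent, key, roles, _seen)
    return result


def indexes_searched(spl, role, roles=ROLES):
    """Which indexes a search run under `role` actually touches (model)."""
    allowed = effective_indexes(role, "srchIndexesAllowed", roles)
    explicit = {m.group(1).strip('"') for m in INDEX_RE.finditer(spl)}
    if explicit:
        # Explicit index= terms are silently limited to what the role may read;
        # allowed entries may be wildcard patterns, hence fnmatch.
        return sorted(i for i in explicit if any(fnmatch(i, pat) for pat in allowed))
    # No index= term: the role's default indexes decide, wherever the data lives.
    return sorted(effective_indexes(role, "srchIndexesDefault", roles))


if __name__ == "__main__":
    spl = "sourcetype=mysourcetype myfield=abc"
    for r in ROLES:
        print(f"{r:<8} {spl!r:<40} -> {indexes_searched(spl, r)}")
    print(f"user     index=myindex {spl} -> {indexes_searched('index=myindex ' + spl, 'user')}")
```

Running it shows the two failure modes the thread is about: under user the search hits only main, and under analyst the same SPL hits main and sec because power imports user. Pinning index= in the saved search removes that dependency on role configuration, and the audit record then says exactly what was searched.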
