Is there a security issue or problem if a saved search doesn't use an index name for searching? Should all saved searches use index names for searching? Thank you very much in advance.
I think you asked a similar question already, some two weeks ago or so.
Remember that not every search needs a source index specification. You might do a | rest call. Or | makeresults. Or | ldapsearch. Or ...
Thank you for your message. Would you share the full SPL for what you are teaching me, please? Also, is there an SPL search to find which index is assigned to which search? Thank you again.
You can start with this to see what users have done.
index=_audit source=audittrail sourcetype=audittrail action=search
| dedup user search
| table _time user search
But remember that you can get information only for indexes which users have added to their SPL. If event types, macros or lookups are used, then you can see only those names, and then you must look at what those are and hope that they haven't changed after the SPL query was run.
As I said, there is no way (or at least I haven't found one) to get the real list of used indexes.
r. Ismo
If you don't use an index statement, then the range of indexes searched will be at the whim of the administrator, i.e. whatever indexes have been assigned as default indexes to the role the searching user is given.
See https://docs.splunk.com/Documentation/Splunk/8.2.2/Security/Addandeditroles
on searchable indexes.
Thank you very much for this. I am not clear yet. Would you elaborate a bit? What problems are caused, and what happens to the searches?
Take for example this search
sourcetype=mysourcetype myfield=abc
If your user role is configured to provide a default index of 'main', then when you run a search without the index statement, you will ONLY search data from index=main. If your data exists in index=myindex, then it will not be found.
Hi
In short, if you don't define the used index in saved searches, you cannot know 100% for sure which indexes are used (or should be used) when user X has run a search at time Y. Without index names, the list of used indexes is generated dynamically at time Y based on the role(s) and access of X. Of course you cannot see the used indexes from the audit logs even if you have defined those in the SPL query, but if/when you have version control in place for the configuration, you can look it up there.
r. Ismo
Happy Monday and thank you for your reply. Let's say you don't define an index for user searching! Are there default indexes assigned to each role in Splunk? Thank you again.
In a plain Splunk installation there is usually at least the main index as the default index for the role user. This is then inherited by other roles by including this role in those roles.
You can check this from Settings -> Roles, then select the role and go to 3. Indexes. That shows which indexes are granted directly or are inherited from other roles.
r. Ismo
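The two points made in this thread (a saved search without an index term is scoped by the role's default indexes, and macros or eventtypes hide index terms from a plain text audit) can be turned into a small offline check. The following is an added example written for this page, not code from any of the posters or from Splunk. It assumes the usual .conf syntax (stanzas, key = value, trailing-backslash continuation), the authorize.conf keys srchIndexesDefault and importRoles, and a short list of generating commands (rest, makeresults, ldapsearch, inputlookup) that need no index. Both .conf texts below are constructed samples, and which role a saved search actually runs as is passed in as a parameter, since savedsearches.conf does not record it.

```python
"""Audit saved searches for explicit index scoping and resolve the role default
indexes that apply when a search has none.  Added example; all inputs below are
constructed, and the generating-command list and .conf handling are assumptions."""
import re

# Constructed sample of a savedsearches.conf (not a real deployment).
SAVEDSEARCHES_CONF = """
[Failed logins]
search = index=security sourcetype=linux_secure "Failed password" | stats count by src

[Web errors by host]
search = sourcetype=access_combined status>=500 \\
| stats count by host

[Saved searches inventory]
search = | rest /servicesNS/-/-/saved/searches | table title search

[Privileged activity]
search = `privileged_users` eventtype=admin_action | timechart count

[Everything]
search = index IN (main, "security") error
"""

# Constructed sample of an authorize.conf: role power imports role user.
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main;security
srchIndexesDefault = main

[role_power]
importRoles = user
srchIndexesAllowed = audit
srchIndexesDefault = audit
"""

GENERATING_CMDS = {"rest", "makeresults", "ldapsearch", "inputlookup"}  # assumed: no index needed
INDEX_RE = re.compile(r'\bindex\s*(?:=\s*"?([^\s"()]+)"?|IN\s*\(([^)]*)\))', re.IGNORECASE)
MACRO_RE = re.compile(r"`([^`]+)`")
EVENTTYPE_RE = re.compile(r'\beventtype\s*=\s*"?([^\s"]+)"?', re.IGNORECASE)


def parse_conf(text):
    """Minimal .conf parser: {stanza: {key: value}}, joining backslash-continued lines."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        pending = ""
        if line.rstrip().endswith("\\"):
            pending = line.rstrip()[:-1] + " "
            continue
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def split_list(value):
    return [v.strip() for v in value.split(";") if v.strip()]


def role_default_indexes(roles, role, _seen=None):
    """Effective srchIndexesDefault for a role: its own plus every imported role's."""
    _seen = _seen if _seen is not None else set()
    stanza = roles.get("role_" + role)
    if stanza is None or role in _seen:
        return set()
    _seen.add(role)
    effective = set(split_list(stanza.get("srchIndexesDefault", "")))
    for parent in split_list(stanza.get("importRoles", "")):
        effective |= role_default_indexes(roles, parent, _seen)
    return effective


def classify_search(spl):
    """Where does the index scope come from: explicit, a generating command, or the role default?"""
    spl = spl.strip()
    if spl.startswith("|"):
        parts = spl[1:].split(None, 1)
        command = parts[0].lower() if parts else ""
        if command in GENERATING_CMDS:
            return {"scope": "generating", "command": command, "indexes": set(), "unresolved": []}
    base = spl.split("|", 1)[0]  # assumption: no quoted pipe characters in the base search
    indexes = set()
    for match in INDEX_RE.finditer(base):
        if match.group(1):
            indexes.add(match.group(1))
        else:
            indexes.update(v.strip().strip('"') for v in match.group(2).split(",") if v.strip())
    # Macros and eventtypes can carry index terms this text scan cannot see: report them.
    unresolved = [f"macro:{m}" for m in MACRO_RE.findall(base)]
    unresolved += [f"eventtype:{e}" for e in EVENTTYPE_RE.findall(base)]
    return {"scope": "explicit" if indexes else "role-default", "indexes": indexes, "unresolved": unresolved}


def audit(savedsearches_text, authorize_text, role):
    """Per saved search, the indexes it will hit if it runs with the given role's defaults."""
    defaults = role_default_indexes(parse_conf(authorize_text), role)
    report = {}
    for name, stanza in parse_conf(savedsearches_text).items():
        info = classify_search(stanza.get("search", ""))
        if info["scope"] == "role-default":
            info["indexes"] = set(defaults)  # whatever the admin has given the role today
        report[name] = info
    return report


if __name__ == "__main__":
    for role in ("user", "power"):
        print(f"--- running as role {role} ---")
        for name, info in audit(SAVEDSEARCHES_CONF, AUTHORIZE_CONF, role).items():
            print(f"{name:26s} {info['scope']:13s} {sorted(info['indexes'])} {info['unresolved']}")
```

Running it shows the thread's point directly: "Web errors by host" hits main when run as user but main and audit when run as power, with no change to the saved search itself, while "Privileged activity" is reported as role-default with the macro and eventtype listed as unresolved, because only looking up those objects can tell you whether they add an index term.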