Re: What is wrong/issue if saved searches don't us...

SamHTexas · ‎09-12-2021

Is there a security issue or problem if a saved search don't use index name for searching? Should all saved searches use index names for searching? Thank u very much in advance.

PickleRick · ‎09-13-2021

I think you asked similar question already - some two weeks ago or so.

Remember that not every search needs a source index specification. You might do a | rest call. Or | makeresults. Or | ldapsearch. Or ...

SamHTexas · ‎09-13-2021

Thank u for your message. Would you share the full SPL for what you are teaching me please? Also is there a SPL to find what index is assigned to which search? Thank u again

isoutamo · ‎09-13-2021

You can start with this to see what user's has done.

index=_audit source=audittrail sourcetype=audittrail action=search 
| dedup user search
| table _time user search

But remember that you can get information for only indexes which users have added to their SPL. If there are event types, macros or lookups used then you can see only those names and then you must look what those are and hope that those haven't changed after the SPL query has run.

As I said there is no way (or at least I haven't found it) to get real list of used indexes.

r. Ismo

bowesmana · ‎09-12-2021

If you don't use an index statement, then your range of indexes searched will be at the whim of the administrator as to what indexes have been assigned as default indexes to the role the searching user is given.

See https://docs.splunk.com/Documentation/Splunk/8.2.2/Security/Addandeditroles

on searchable indexes.

SamHTexas · ‎09-12-2021

Thank u very much for this. Am not clear yet. Would you elaborate a bit. What problems are caused & what happens to the searches?

bowesmana · ‎09-12-2021

Take for example this search

sourcetype=mysourcetype myfield=abc

If your user role is configured to provide default indexes of 'main', then when you run a search without the index statement, you will ONLY search data from index=main. If your data exists in index=myindex then it will not be found

isoutamo · ‎09-13-2021

Hi

Shortly, i you don't define used index on savedsearches, you cannot know 100% sure which indexes are used (os should use) when user X have done search on time Y. Without index names, used index list has dynamically generated on time Y base on role(s) and access by X. Of course you cannot see used indexes even you have defined those on SPL query from audit logs, but if/when you have version control on place for configuration, you can look it there.

r. Ismo

SamHTexas · ‎09-13-2021

Happy Monday & thank u for your reply. Let's say you don't define index for user searching!! Are there default indexes assigned to each roles in Splunk? Thank u again.

SamHTexas · ‎09-13-2021

Happy Monday & thank u for your reply. Let's say you don't define index for user searching!! Are there default indexes assigned to each roles in Splunk? Thank u again.

isoutamo · ‎09-13-2021

In plain splunk installation there is usually at least main-index as default index for role user. Then this is inherited to other roles by including this role into other roles.

You can check this from Settings -> Role and then select role + 3. Indexes. That shows which index are granted directly or are inherited from other roles.

r. Ismo

What is wrong/issue if saved searches don't use index name for searching? Thank u for your time in advance.

configuration

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!