Splunk IT Service Intelligence

ITSI_summary_metrics in roles search restriction




We are developing a query to restrict specific user role to limited services. So we create a query for restriction and we are able to add itsi_summary with serviceid but not sure how to do it for itsi_summary_metrics index. Without metrics index , users are not able see the services assigned to them through teams


Please let me know how write a query for itsi_summary_metrics with serviceid

Labels (3)
0 Karma

Splunk Employee
Splunk Employee

Are you trying to restrict access to the service view, or the underlying data the search returns?  Metrics have no real private info except a host name so not really sure why you are restricting this way.  Use teams instead from within ITSI to assign which services which members can see.

0 Karma

Splunk Employee
Splunk Employee

The itsi_summary_metrics index is a metric format
You probably cannot use the same logic that for an "event format" index.
I do not know if this possible to do a filter that works for metric, or for metric AND events.

The docs are not clear on that, they only give SPL filters examples :


To test : 

  • create a test user and test role
  • add a filter to the role
  • run a search as that user, and open the search inspector, you will see the "extended search" query, and see how the filter was added automatically, see if you can figure it out
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...