Splunk Search

App: limit searches done through a SearchBar

MikhailArefiev
Explorer

Is it possible to limit searches done through a SearchBar by automatically prepending them with something like source="this" selector_field="that" so that users will only have access to pre-filtered logs, but will not be limited to what they can do with them (intentions, adding terms, calculating stats etc)? Even better if this string can be hidden.

Proper protection is not needed as we want to implement it for convenience, not for security (i. e. we do not care about append [search source="secret"]).

Tags (2)
1 Solution

BobM
Builder

Yes this is possible and is one of the things covered in the Developing Apps with Splunk class. You will need to clone a new copy of the search page for your app and edit the advanced XML. To make it flexible, I would create an eventtype called search_prefix that contains your filter.

Find the "TimeRangePicker" module and under it's parameters, add the "HiddenIntention" module as shown.

<module name="TimeRangePicker">
<param name="selected">Last 24 hours</param>
<param name="searchWhenChanged">True</param>
<module name="HiddenIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="eventtype">search_prefix</param>
</param>
</param>

Then at the bottom of the view, add a closing </module> tag before the closing </view> tag.

If you haven't used advanced XML, I would seriously recommend taking the class or if you have more time, reading "About advanced XML"

View solution in original post

sideview
SplunkTrust
SplunkTrust

Another way is to clone the flashtimeline view, place it in your app, and then modify it using Sideview Utils so as to literally prepend search language without intentions.

Then in that flashtimeline.xml file, find this:

<module name="SearchBar" layoutPanel="splSearchControls-inline">
  <param name="useAssistant">true</param>
  <param name="useTypeahead">true</param>
  <param name="useOwnSubmitButton">False</param>
  <param name="useAutoFocus">True</param>

and replace it with this.

<module name="SearchBar" layoutPanel="splSearchControls-inline">
  <param name="useAssistant">true</param>
  <param name="useTypeahead">true</param>
  <param name="useOwnSubmitButton">False</param>
  <param name="useAutoFocus">True</param>
  <module name="Search">
    <param name="search">sourcetype=access_combined $searchBar$</param>

Also you'll need to add the SideviewUtils module to the top of the view, like so. FInd this at the top:

<module name="AppBar" layoutPanel="navigationHeader" />

and replace it with this:

<module name="AppBar" layoutPanel="navigationHeader" />
<module name="SideviewUtils" layoutPanel="navigationHeader" />

This is a more flexible approach because a) you're literally able to prefix or suffix the search rather than being at the whim of the sometimes unpredictable addterm intention. b) you can do more like have the user's search string plug into a subsearch, or into a more complex search expression. Note that the $searchBar$ token is only there because of Sideview Utils. In addition to providing a ton of new modules to replace lots of the Splunk modules, the Sideview app patches several core Splunk modules including SearchBar, TimeRangePicker, FlashChart, JSChart, to improve behavior and configurability like this.

For more information there's a huge wealth of documentation in the Sideview Utils app itself. You can get the latest version (2.4.4) for free from the Sideview website at http://sideviewapps.com/apps/sideview-utils/

and if you have it already but it's older than that, upgrade!! There's always a ton of improvements going into the app so if you're not on the latest version you're missing out on performance improvements, bugfixes, better documentation and new features.

BobM
Builder

Yes this is possible and is one of the things covered in the Developing Apps with Splunk class. You will need to clone a new copy of the search page for your app and edit the advanced XML. To make it flexible, I would create an eventtype called search_prefix that contains your filter.

Find the "TimeRangePicker" module and under it's parameters, add the "HiddenIntention" module as shown.

<module name="TimeRangePicker">
<param name="selected">Last 24 hours</param>
<param name="searchWhenChanged">True</param>
<module name="HiddenIntention">
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="eventtype">search_prefix</param>
</param>
</param>

Then at the bottom of the view, add a closing </module> tag before the closing </view> tag.

If you haven't used advanced XML, I would seriously recommend taking the class or if you have more time, reading "About advanced XML"

sideview
SplunkTrust
SplunkTrust

If the user uses other streaming commands in their searches, this addterm intention will add the 'eventtype=search_prefix' term to the end of the search clause. I can post another answer using Sideview Utils that's a little more flexible, just as simple and that doesn't use intentions.

0 Karma

MikhailArefiev
Explorer

Thanks! This is exactly what I was looking for.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...