Solved: Re: How do I add a Role Restriction Search Filter ...

djacquens · ‎07-27-2022

Hi, 😉

I need to add a Role Restriction Search filter on a field which is only available in one index.
My problem is that I am not sure the proper way to force this restriction on only this index?

If I add a restriction like this

"field_name"="field_value"

it works fine for the index containing the value but the others indexes return nothing.

If I add a restriction like this:

((NOT "field_name"=* ) OR ( "field_name"="field_value"))

the result seems false.

Do you have an idea of the correct field to restrict this field?

Thanks, 😊

Regards,

David

yuanliu · ‎07-28-2022

I would just go with = as it works.

View solution in original post

yuanliu · ‎07-27-2022

I assume that the intention is to allow search in that index where field_name exists only when field_name==field_value but allow all searches when searching other indices? If this is correct, how about

(index::that_index AND field_name::field_value) OR index!=that_index

djacquens · ‎07-27-2022

Thank you very much @yuanliu !

The SPL you gave me works only for me if I replace the :: by =.

(index=that_index AND field_name=field_value) OR index!=that_index

I understand this is not recommended but I don't understand how to fix it?

Thank you again,

David

yuanliu · ‎07-28-2022

I would just go with = as it works.

djacquens · ‎07-28-2022

Thank you very much @yuanliu !!

Have a great day! 😉

David

How do I add a Role Restriction Search Filter on a field available in only one index?

other

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI