Splunk Search

How to apply search filters for user roles on lookup table content?

Builder

I would like to implement a strategy where branch office Splunk users can only see events and lookup table content relating to resources in their own branch office.

I can get the event filtering element of the strategy to work by mapping branch office user groups to a corresponding Splunk user role and assigning a search filter to that role to only include hosts having naming convention of branch office resources. The only problem is that the filtering function does not seem to apply to lookup table content... For instance, a branch office user could run | inputlookup allpersonnell and their results are not constrained. I would like to be able to to constrain views of such lookup table content with controls in Splunk user roles. I'm guessing the search filter function just doesn't work this way... but should it? and if not, can anyone think of a better way?

1 Solution

Motivator

Search filter is being applied to the base search. It would seem you've figured out how to use it against normal events but doesn't work against input lookups. I believe this is expected behaviour.

Search filter only seems to work on actual events. If you do an inspect there is no litsearch for an inputlookup. No modification to searchFilter seems to gets it to show up when an inputlookup is invoked.

Your best bet might be two lookup files. Limit access to each one to applicable roles/regions.

ie. allpersonnell_north and allpersonell_south change the input lookup call to a generic inputlookup allpersonell* and each set of permissions will block the other lookup for being searched.

View solution in original post

Motivator

Search filter is being applied to the base search. It would seem you've figured out how to use it against normal events but doesn't work against input lookups. I believe this is expected behaviour.

Search filter only seems to work on actual events. If you do an inspect there is no litsearch for an inputlookup. No modification to searchFilter seems to gets it to show up when an inputlookup is invoked.

Your best bet might be two lookup files. Limit access to each one to applicable roles/regions.

ie. allpersonnell_north and allpersonell_south change the input lookup call to a generic inputlookup allpersonell* and each set of permissions will block the other lookup for being searched.

View solution in original post