How to apply search filters for user roles on lookup table content?

dstaulcu
Builder

I would like to implement a strategy where branch office Splunk users can only see events and lookup table content relating to resources in their own branch office.

I can get the event filtering element of the strategy to work by mapping branch office user groups to a corresponding Splunk user role and assigning a search filter to that role to only include hosts having the naming convention of branch office resources. The only problem is that the filtering function does not seem to apply to lookup table content... For instance, a branch office user could run | inputlookup allpersonnell and their results are not constrained. I would like to be able to constrain views of such lookup table content with controls in Splunk user roles. I'm guessing the search filter function just doesn't work this way... but should it? And if not, can anyone think of a better way?

1 Solution

Lucas_K
Motivator

Search filter is being applied to the base search. It would seem you've figured out how to use it against normal events, but it doesn't work against input lookups. I believe this is expected behaviour.

Search filter only seems to work on actual events. If you do an inspect, there is no litsearch for an inputlookup. No modification to searchFilter seems to get it to show up when an inputlookup is invoked.

Your best bet might be two lookup files. Limit access to each one to applicable roles/regions.

i.e. allpersonnell_north and allpersonnell_south; change the inputlookup call to a generic inputlookup allpersonnell* and each set of permissions will block the other lookup from being searched.

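The split-lookup approach from the accepted answer, written out as an added configuration example (this is not from the original post or from Splunk's own documentation); the role names, host naming pattern and app name are assumptions:

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf
# Event filtering as described in the question: each branch role only
# sees events from hosts following its branch naming convention.
# (role names and host patterns are assumed)
[role_branch_north]
importRoles = user
srchFilter = host=north-*

[role_branch_south]
importRoles = user
srchFilter = host=south-*

# $SPLUNK_HOME/etc/apps/branch_lookups/metadata/local.meta (assumed app)
# srchFilter never reaches "| inputlookup", so lookup content is gated by
# knowledge-object permissions instead: one CSV per branch, readable only
# by that branch's role (plus admin). A user outside the role cannot read
# the other branch's file at all.
[lookups/allpersonnell_north.csv]
access = read : [ role_branch_north, admin ], write : [ admin ]
export = system

[lookups/allpersonnell_south.csv]
access = read : [ role_branch_south, admin ], write : [ admin ]
export = system
```

With this in place the answer's generic call, | inputlookup allpersonnell*, returns only the file(s) the caller's role can read; the wildcard behaviour is as the answer states it. The original unsplit allpersonnell.csv must be removed or restricted to admin, otherwise it stays readable through its own permissions regardless of the per-branch files.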
