Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to build a srchFilter when two indexes are allowed?

Clovisa
Path Finder
‎07-17-2018 06:20 AM

Hello,

I am trying to build a role that would allow the users to access to two indexes (index1 and index2). The index1 has a field called parameter and I want the role to restrict search filter to parameter=value. But when I do this (see code below), I don't have access anymore to my index2. How could I avoid this ?

Thanks !

[role_test]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user
srchIndexesAllowed = index1, index2
srchIndexesDefault = index1
srchFilter = parameter=value
srchMaxTime = 0
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎07-17-2018 06:34 AM

By applying a restrictive search you are limiting the data they can see to a subset of the index(es) the role can see. Since index2 does not have a parameter field, you are removing index2 from the scope for that role.

You will need to do an OR in the search so that it covers all of the data they can see. For example:

(index=index1 parameter=value) OR (index=index2)

View solution in original post

Reply
Solved! Jump to solution
Solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎07-17-2018 06:34 AM

By applying a restrictive search you are limiting the data they can see to a subset of the index(es) the role can see. Since index2 does not have a parameter field, you are removing index2 from the scope for that role.

You will need to do an OR in the search so that it covers all of the data they can see. For example:

(index=index1 parameter=value) OR (index=index2)
Reply
Solved! Jump to solution

Clovisa
Path Finder
‎07-17-2018 06:55 AM

Perfect thanks 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...