Solved: How to display warning based on SPL?

jonaclough · ‎05-03-2022

Is there a way of showing a warning to the user based on their SPL.

My use case is that users should not generally search indexes which are fed into an accelerated data model. Specifically it's faster and more accurate to search the network_traffic ADM than a firewall index.

gcusello · ‎05-03-2022

Hi @jonaclough,

sorry: it isn't possible to define an automatic warning because it depends only on your specific data and it's also infruenced by other factors.

The only possible approach (for my knowledge) is the definition of a list of tips to use your data to share to all your users.

A kind of quick reference guide to use your own data.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎05-03-2022

Hi @jonaclough,

sorry: it isn't possible to define an automatic warning because it depends only on your specific data and it's also infruenced by other factors.

The only possible approach (for my knowledge) is the definition of a list of tips to use your data to share to all your users.

A kind of quick reference guide to use your own data.

Ciao.

Giuseppe

jonaclough · ‎05-03-2022

If admission rules had an extra rule action option "issue warning" rather than just "filter search" that would do the job.

How to display warning based on SPL?

other

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk

Modern way of developing distributed application using OTel