Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to restrict a user's search based on a lookup table?

bruceclarke
Contributor
‎08-08-2014 06:37 AM

Hi all,

I'm developing an app for use across different teams at my company. We have certain security restrictions about what logs each team can see. So, team A might be permissioned to see every log statement, while team B will only be allowed to see logs related to a certain server.

I have a lookup table that determines which servers each employee is permissioned to and I'd like to restrict their searches based on this. Does anyone know of a way I can do this?

Please note that all of these logs are going to the same index. They are all the same type of log, just a different server.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎08-08-2014 07:14 AM

In authorize.conf, there is a setting: srchFilter = . This can also be done via the GUI Admin Manager. It takes a string of search to restrict searches. I did a preliminary test, and it worked. In that field, try this:

|rest /services/authentication/current-context | table username | lookup user_auths.csv user AS username OUTPUT host | table host | format "" "(" "OR" ")" "" ""

Replace "user_auths.csv" with your lookup name or filename. Update the "user" field to be whatever is listed in that csv.

View solution in original post

Reply
Solved! Jump to solution

strive
Influencer
‎08-08-2014 07:20 AM

More information on search filters is here http://docs.splunk.com/Documentation/Splunk/6.1.2/Security/Addandeditroles#Search_filter_format

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎08-08-2014 07:14 AM

In authorize.conf, there is a setting: srchFilter = . This can also be done via the GUI Admin Manager. It takes a string of search to restrict searches. I did a preliminary test, and it worked. In that field, try this:

|rest /services/authentication/current-context | table username | lookup user_auths.csv user AS username OUTPUT host | table host | format "" "(" "OR" ")" "" ""

Replace "user_auths.csv" with your lookup name or filename. Update the "user" field to be whatever is listed in that csv.

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-08-2014 07:00 AM

Create a macro to get the filter to be used for host based on your lookup and then use this macro as search filter in the team's role definition.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...