For audit and performance reasons, I want to educate (force) my users to always explicitly provide the index(es) that they want to search.
First I have made sure that no default indexes are searched.
Secondly, I would like to limit the searches. Can I limit searches that use wildcards in the index term?
E.g. index=* index=test* index=*test
I am aware that "Access Controls > Roles" has a "Restrict search terms" field, but I can't find any documentation or examples on what I want to do.
Got this answer from Splunk support:
With regards to your index=* question, the answer is currently "no".
With our current set of roles and capabilities, we do not have a method by which to restrict the use of wild-cards in search strings.
Currently, the best practice here is to define roles that restrict access to only the necessary indexes and educate your users on Search & Reporting best practices so that they build efficient search queries.
Can somebody confirm if what I want is impossible?
I conclude that it is impossible using "Restrict search terms", but is there another way?
Hi, it is simple, just create a role for these users and put a restriction on these search terms (index=........).
To do it in Splunk Web:
Settings > Access controls > Roles > Add new
Under search restrictions, put what you want to be restricted (index= index=test OR index=*test)
Do not forget to specify to whom the role should be applied.
I'm not sure we can use regex; the error you have, was that not the goal (to hinder a user from doing such a search?)
If the usage of wildcard * is more global than what you want, try to list precise search terms. Read the note under the text box of SEARCH TERMS RESTRICTION.
From the administration page:
Search restrictions
Restrict the scope of searches run by this role. Search results for this role will only show events that also match this search string. Can include source, host, index (can be set below), eventtype, sourcetype, search fields, and OR and AND. Example: "`host=web OR source=/var/log/*`"
It seems like it is impossible to limit user queries the way I want to. Naming the precise search terms is very hard and impossible to administer when I add new indexes. Besides, given enough valid queries, the user can still run the wildcard queries that I wish to limit.
Is there any other way to limit queries?
Thank you for your answer.
Can I use regular expressions in search restrictions?
Also will your restriction limit a user that searches on "index=foo OR index=bar*"?
I want to limit queries that match:
index=[^*]+
Doing that gives me an error on every search like this:
Error in 'SearchParser': Missing a search command before '^'. Error at position '46' of search query 'litsearch ( index=splunktest abc ) ( ( index=[^*]+'.
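The error above shows why the regex attempt fails: the search restriction text is spliced into the user's search as SPL (`litsearch ( ... ) ( ( index=[^*]+`), so Splunk tries to parse `[^*]+` as search syntax rather than as a pattern. Since the thread concludes that the role itself cannot block wildcard index terms, the remaining option is to audit for them. The following is an added example, not code from the thread or from Splunk: a small Python checker that extracts every `index=` value from a search string and flags the wildcard forms the question lists (`index=*`, `index=test*`, `index=*test`, and `index=foo OR index=bar*`) as well as searches with no explicit index at all. The `SAMPLE_SEARCHES` records, user names and the `audit_report` function are constructed for the example; in practice the search strings would come from your own audit data.

```python
import re

# One index= term: the value is either double-quoted or a bare token.
# \b keeps field names such as "main_index=" from matching.
_INDEX_TERM = re.compile(r'\bindex\s*=\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def index_terms(search: str) -> list[str]:
    """Return every value assigned to index= in a search string, in order.

    Limitation (assumption of this example): a term negated with NOT is
    reported like any other term; handle negation separately if you need it.
    """
    values = []
    for m in _INDEX_TERM.finditer(search):
        quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        # A bare token may swallow a closing parenthesis, e.g. "(index=foo)".
        values.append(value.rstrip(')'))
    return values


def wildcard_index_terms(search: str) -> list[str]:
    """Index values that contain a wildcard, e.g. '*', 'test*', '*test'."""
    return [v for v in index_terms(search) if '*' in v]


def is_compliant(search: str) -> bool:
    """True only if the search names at least one index and none use a wildcard."""
    terms = index_terms(search)
    return bool(terms) and not any('*' in t for t in terms)


# Constructed sample of user searches, shaped like what an audit export holds.
SAMPLE_SEARCHES = [
    {"user": "alice", "search": "index=web status=500 | stats count by uri"},
    {"user": "bob",   "search": "index=* error | head 10"},
    {"user": "carol", "search": "index=app OR index=app_* sourcetype=json"},
    {"user": "dave",  "search": "sourcetype=syslog | timechart count"},
]


def audit_report(records: list[dict]) -> list[dict]:
    """Return one finding per non-compliant search, with the reason attached."""
    findings = []
    for rec in records:
        terms = index_terms(rec["search"])
        wildcards = [t for t in terms if '*' in t]
        if terms and not wildcards:
            continue  # explicit, wildcard-free index: nothing to report
        findings.append({
            "user": rec["user"],
            "search": rec["search"],
            "explicit_index": bool(terms),
            "wildcards": wildcards,
        })
    return findings


if __name__ == "__main__":
    for f in audit_report(SAMPLE_SEARCHES):
        reason = f"wildcards {f['wildcards']}" if f["wildcards"] else "no explicit index"
        print(f"{f['user']}: {reason}: {f['search']}")
```

Running the file lists bob (`index=*`), carol (`index=app_*`) and dave (no index term), while alice's search passes. Pointing `audit_report` at real search strings gives the audit trail the question is after without depending on a role restriction that the product does not offer.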