
Is it possible to use a search to limit the available events in an app?


How can I limit the available events in an app?

Search results in the app should only return events that also match the search below

sourcetype=vxml [search dnis=27159866 | eval parentsessionid=sessionid | fields sessionid parentsessionid]

How can I accomplish this?

0 Karma


If you're being that restrictive you should consider creating a few simple form-based searches for that group of users and taking away their freestyle search interface entirely. That way this - I'm guessing newbie - group of users doesn't really need to learn SPL and stays within the boundaries set by the form developer. Unlike search term restrictions, which cannot even contain a pipe, the form-based approach puts no limits on your limits' complexity.

0 Karma


AFAIK, you can't restrict an entire app in this way.

You can restrict a role by setting a search string, but I don't think it can be as complex as your search. But you could restrict a role to sourcetype=vxml for example. Then make the app available only to users that have that role.
That would get you partway there.

0 Karma
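
The role-based restriction described in the answer above, written out as configuration. This is an added example and not part of the original thread; the role name `vxml_users` and the app directory `vxml_app` are hypothetical placeholders.

```ini
# --- $SPLUNK_HOME/etc/system/local/authorize.conf ---
# Hypothetical role whose members only ever see sourcetype=vxml events.
[role_vxml_users]
# No importRoles on purpose: an inherited role brings its own search
# filter and index access along with it, which can widen what this
# role is able to see.
search = enabled
# Applied to every search the role runs. Only plain search terms are
# usable here; a pipe or a subsearch like the one in the question
# is not.
srchFilter = sourcetype=vxml
# Narrow index access as well. "main" is an assumption; use the index
# that actually holds the vxml data.
srchIndexesAllowed = main
srchIndexesDefault = main

# --- $SPLUNK_HOME/etc/apps/vxml_app/metadata/local.meta ---
# Make the app itself readable only by the restricted role and admin.
[]
access = read : [ vxml_users, admin ], write : [ admin ]
```

The filter is attached to the role, not to the app, so a user who also holds a broader role is not confined by it. Assign `vxml_users` as the only role for the accounts that should be restricted.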