Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Restrict "*" Searches

jodros
Builder
‎03-28-2012 06:15 AM

Is there a way to restrict a "*" or return all results search? I have tried several times with the restricted search terms, but was unsuccessful. Just wondering if anyone has found a way of successfully implementing this. If not, I think it would make a good case for a product enhancement.

Thanks

Tags (1)
0 Karma
Reply

jodros
Builder
‎03-29-2012 05:16 AM

Ayn, bottom line, I don't want a user being able to input an "*" and hit enter in any search field, thus running a return all search. That is the end goal.

0 Karma
Reply

Ayn
Legend
‎03-28-2012 02:06 PM

I'm confused as to whether you mean that you want to restrict users from entering wildcard searches somehow, or that you want Splunk to interpret the '*' character literally instead of as a wildcard?

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎03-28-2012 01:27 PM

Look in Manager > Access Controls > Roles. Select a role and you can have it prepend searches that restrict the users in that role. That should help eliminate * searches across all data and all time.

0 Karma
Reply

jodros
Builder
‎03-29-2012 06:35 AM

Ok. That was what I was thinking as well. I have not found a successful way of using the restricted search terms to try and limit an "" search. I was successful in either allowing only an "" search or not allowing any search. Neither of those were acceptable.

Thanks

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎03-29-2012 05:46 AM

I may not be completely understanding what you are looking for if the restricted search functionality give you what you need. I don't believe there is a way to avoid users putting in a * and having it search across whatever data that user has access to.

Reply

jodros
Builder
‎03-29-2012 05:18 AM

sdaniels, I have thought about building views to limit their search actions, but I was trying to work smarter, not harder. I would like to hear more about your first suggestion. Could you elaborate a bit more?

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎03-28-2012 02:03 PM

If that doesn't work then you may want to consider specific views where you provide users drop downs and/or text fields for them to perform very specific searches based on a source type or eventtype. You could also provide specific dashboards with the data needed. In both cases you could lock down the search app to power users only so the average user can't perform large data set * searches.

0 Karma
Reply

jodros
Builder
‎03-28-2012 01:46 PM

This sounds promising. How would I configure this exactly? I have tried the restrict search terms, but that will not accomplish what I need, unless I define EVERY legal search. The restrict search terms views the "*" as a wildcard. I want it to be viewed as its character value.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎03-28-2012 12:36 PM

You can include search filter strings on a per-user basis, to narrow a search to a particular index, or "host=hosta.example.com" or something like that. This is controlled in Splunk under Manager > Access Controls > Roles, labeled as "Restrict search terms". It sounds like you were on the right track, but perhaps had a problem somewhere?

Can you elaborate on the problem you had?

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...