Is there a way to restrict a "*" or return all results search? I have tried several times with the restricted search terms, but was unsuccessful. Just wondering if anyone has found a way of successfully implementing this. If not, I think it would make a good case for a product enhancement.
I'm confused as to whether you mean that you want to restrict users from entering wildcard searches somehow, or that you want Splunk to interpret the '*' character literally instead of as a wildcard?
Look in Manager > Access Controls > Roles. Select a role and you can have it prepend searches that restrict the users in that role. That should help eliminate * searches across all data and all time.
Ok. That was what I was thinking as well. I have not found a successful way of using the restricted search terms to try and limit a "*" search. I was successful in either allowing only a "*" search or not allowing any search. Neither of those was acceptable.
I may not be completely understanding what you are looking for if the restricted search functionality gives you what you need. I don't believe there is a way to avoid users putting in a * and having it search across whatever data that user has access to.
sdaniels, I have thought about building views to limit their search actions, but I was trying to work smarter, not harder. I would like to hear more about your first suggestion. Could you elaborate a bit more?
If that doesn't work then you may want to consider specific views where you provide users drop downs and/or text fields for them to perform very specific searches based on a source type or eventtype. You could also provide specific dashboards with the data needed. In both cases you could lock down the search app to power users only so the average user can't perform large data set * searches.
This sounds promising. How would I configure this exactly? I have tried the restrict search terms, but that will not accomplish what I need, unless I define EVERY legal search. The restrict search terms views the "*" as a wildcard. I want it to be viewed as its character value.
You can include search filter strings on a per-user basis, to narrow a search to a particular index, or "host=hosta.example.com" or something like that. This is controlled in Splunk under Manager > Access Controls > Roles, labeled as "Restrict search terms". It sounds like you were on the right track, but perhaps had a problem somewhere?
Can you elaborate on the problem you had?
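As an added illustration (not from any poster in this thread) of what the "Restrict search terms" role setting and the related role limits look like on disk, here is a constructed authorize.conf stanza for a hypothetical role named `app_viewer`; the role name, index name and host value are assumptions, and this scopes a bare `*` search rather than treating `*` literally, which is the point the thread makes:

```ini
# authorize.conf (constructed example; role, index and host names are placeholders)
[role_app_viewer]
# Only these indexes are searchable at all; a bare "*" cannot reach anything else.
srchIndexesAllowed = app_logs
# Searched when the user does not name an index, so "*" means "index=app_logs *".
srchIndexesDefault = app_logs
# "Restrict search terms" in Manager > Access Controls > Roles: silently AND-ed onto
# every search this role runs, so "*" becomes "* host=hosta.example.com".
srchFilter = host=hosta.example.com
# Cap the time window (seconds) so "all time" searches are not possible for this role.
srchTimeWin = 86400
# Limit concurrent jobs and on-disk results to contain the cost of broad searches.
srchJobsQuota = 3
srchDiskQuota = 100
```

A user in this role who types `*` still runs a search, but only over `app_logs`, only on the filtered host, and only within the last day, which is the scoping the thread describes rather than a literal-asterisk match.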