Splunk Search

Restrict "*" Searches

Builder

Is there a way to restrict a "*" or return all results search? I have tried several times with the restricted search terms, but was unsuccessful. Just wondering if anyone has found a way of successfully implementing this. If not, I think it would make a good case for a product enhancement.

Thanks

Tags (1)
0 Karma

Builder

Ayn, bottom line, I don't want a user being able to input an "*" and hit enter in any search field, thus running a return all search. That is the end goal.

0 Karma

Legend

I'm confused as to whether you mean that you want to restrict users from entering wildcard searches somehow, or that you want Splunk to interpret the '*' character literally instead of as a wildcard?

0 Karma

Splunk Employee
Splunk Employee

Look in Manager > Access Controls > Roles. Select a role and you can have it prepend searches that restrict the users in that role. That should help eliminate * searches across all data and all time.

0 Karma

Builder

Ok. That was what I was thinking as well. I have not found a successful way of using the restricted search terms to try and limit an "" search. I was successful in either allowing only an "" search or not allowing any search. Neither of those were acceptable.

Thanks

0 Karma

Splunk Employee
Splunk Employee

I may not be completely understanding what you are looking for if the restricted search functionality give you what you need. I don't believe there is a way to avoid users putting in a * and having it search across whatever data that user has access to.

Builder

sdaniels, I have thought about building views to limit their search actions, but I was trying to work smarter, not harder. I would like to hear more about your first suggestion. Could you elaborate a bit more?

0 Karma

Splunk Employee
Splunk Employee

If that doesn't work then you may want to consider specific views where you provide users drop downs and/or text fields for them to perform very specific searches based on a source type or eventtype. You could also provide specific dashboards with the data needed. In both cases you could lock down the search app to power users only so the average user can't perform large data set * searches.

0 Karma

Builder

This sounds promising. How would I configure this exactly? I have tried the restrict search terms, but that will not accomplish what I need, unless I define EVERY legal search. The restrict search terms views the "*" as a wildcard. I want it to be viewed as its character value.

0 Karma

Splunk Employee
Splunk Employee

You can include search filter strings on a per-user basis, to narrow a search to a particular index, or "host=hosta.example.com" or something like that. This is controlled in Splunk under Manager > Access Controls > Roles, labeled as "Restrict search terms". It sounds like you were on the right track, but perhaps had a problem somewhere?

Can you elaborate on the problem you had?

0 Karma