Splunk Search

Restrict searches for a role using search terms is not working

New Member

Hi All.

I have a local instance on my laptop for demo purposes, so no complex deployment on this machine.

I have created an eventype="event1" wich should be used on search filtering terms for a role in order to restrict searches.

I then create a role named "role1":

1. Inheritance: none

2. Capabilities:  run_collect, run_mcollect, schedule_rtsearch, search 

3. Indexes: main

4. Restrictions: (index::main) AND (sourcetype::source) AND (eventtype::event) - If tested, this spl correctly returns the results I want the role to be able to search on

5. Resources: Nothing changed


I then save the role and assign it to the demo user. I also restarted splunk as docs says.

When I login with demo user, I can see all the events and is not filtering by the restrictions of its role.

Any clue on this?


Labels (2)
Tags (3)
0 Karma

Path Finder

I have same problem with Splunk 7.0.

Let's assume there's a role "my_role". In my case that role had inherited role "power" and that was the problem. After switching from "power" to "user", the restriction worked.

0 Karma

Path Finder

Yes, that would do. In my case i didn't inherited any role but it all has to do with license permission. 

Search restriction works fine.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...