Splunk Search

Restrict searches for a role using search terms is not working

New Member

Hi All.

I have a local instance on my laptop for demo purposes, so no complex deployment on this machine.

I have created an eventype="event1" wich should be used on search filtering terms for a role in order to restrict searches.

I then create a role named "role1":

1. Inheritance: none

2. Capabilities:  run_collect, run_mcollect, schedule_rtsearch, search 

3. Indexes: main

4. Restrictions: (index::main) AND (sourcetype::source) AND (eventtype::event) - If tested, this spl correctly returns the results I want the role to be able to search on

5. Resources: Nothing changed


I then save the role and assign it to the demo user. I also restarted splunk as docs says.

When I login with demo user, I can see all the events and is not filtering by the restrictions of its role.

Any clue on this?


Labels (2)
Tags (3)
0 Karma

Path Finder

I have same problem with Splunk 7.0.

Let's assume there's a role "my_role". In my case that role had inherited role "power" and that was the problem. After switching from "power" to "user", the restriction worked.

0 Karma

Path Finder

Yes, that would do. In my case i didn't inherited any role but it all has to do with license permission. 

Search restriction works fine.

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...