Role-based search filter syntax

ww9rivers
Contributor

I created a search filter that looks like this:

(index=web NOT status=404) OR (index!=web)

which works to limit the role to search for events with `status!=404` in the index `web`.

However, Splunk document says this about the search filter syntax:

"When you specify search term filters, use the key::value syntax, rather than key=value, where possible, to restrict search terms to indexed fields."

So I changed that filter to:

(index::web NOT status=404) OR (NOT index::web)

I no longer get any results at all. No error / warning either.

I guess I can use the `key=value` syntax instead. But I am curious why the `key::value` syntax does not work? Also, the document states that the `key::value` syntax provides better performance and security.

We are using Splunk Cloud, currently running version 9.3.2411.116. The document for v9.3 and v9.4 say the same thing.

0 Karma

livehybrid
SplunkTrust

@ww9rivers key::value is an index-time field which the user shouldn't be able to manipulate. However, key=value is a search-time extraction, so they could create a private field extraction (an eval) that sets status=200, which would allow them to see all data in index=web. This is why the docs specify that you need to use key::value.

If you want to use status::404 then you need to extract this as an indexed field. This is possible in Splunk Cloud, but the solution depends on whether you use a HF before sending to Splunk Cloud; basically, wherever your data is parsed you need to create an index-time field. For more info check out https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.4/configure-indexed-field-ext...

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
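To make the index-time approach described in the answer above concrete, here is an added example of the configuration involved. It is not from the thread or from Splunk's documentation, and it assumes a hypothetical sourcetype named web_access whose raw events are access-log style lines with the HTTP status code right after the request string; adjust the stanza name and the regex to match your own data.

```ini
# Added example (not from the thread). Assumptions: sourcetype "web_access"
# is hypothetical, and each raw event contains the status code after the
# request string, e.g.  ... "GET /index.html HTTP/1.1" 404 512
# These stanzas belong on the tier that parses the data (a heavy forwarder
# in front of Splunk Cloud, or the indexers), not on a universal forwarder.

# --- transforms.conf ---
# Capture the status code while the event is being parsed and write it into
# the event's metadata, which is what makes it an indexed field.
[web_status_indexed]
REGEX = HTTP/\d\.\d"\s(\d{3})\s
FORMAT = status::$1
WRITE_META = true

# --- props.conf ---
# Apply the transform to the sourcetype during parsing.
[web_access]
TRANSFORMS-status = web_status_indexed

# --- fields.conf (search tier) ---
# Declare status as indexed so searches resolve it against the index instead
# of treating it as a search-time extraction.
[status]
INDEXED = true
```

With this in place the role's search filter can be written entirely against indexed fields, for example `(index::web NOT status::404) OR (NOT index::web)`, which a user cannot defeat with a private search-time extraction. Two caveats worth checking: the indexed field exists only for events ingested after the change, so older events in the index carry no indexed status and are not hidden by the `NOT status::404` clause; and if the sourcetype already has a search-time extraction named status (access-log sourcetypes typically do), the indexed field should either replace it or use a distinct name, since the same field name defined both ways gives inconsistent results.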

ww9rivers
Contributor

Thank you for responding.

My problem is not exactly with the "status=404" part.

My problem is that when I use the "index=web" syntax, I get results. But when I change that to "index::web" I get nothing.

0 Karma

PickleRick
SplunkTrust

The :: syntax works only with indexed fields. You can't just replace = with :: for everything and expect it to work. For index you can use normal = because it's a special case.

0 Karma

ww9rivers
Contributor

That may be true.

But the document I linked in the original post clearly states "The SPL search filter field in the 4. Restrictions tab accepts any of the following search terms:" and "index::" is listed under that literally.

Is the documentation wrong, then?

0 Karma

PickleRick
SplunkTrust

OK. This is actually a bit surprising, since I expected index to be a relatively borderline case. But a simple

index::_internal

seems to work in your normal search.

So a search filter based on this condition should also work. Might need to do some testing because that is an interesting case. Can you show the literal working and not working filters?

0 Karma

ww9rivers
Contributor

I think I got it figured out!

My search filter actually works with the :: syntax.

However, I initially had double-quotes around the value for source, which is part of the search. Once I removed the double-quotes, it started working.

So, 👇this does not work:

source::"value"

But this does:

source::value

Thank you all for the discussion!

PickleRick
SplunkTrust

Limiting by search-time defined fields is pointless since any user can easily bypass such filter.

0 Karma