Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Use the "restricted search terms" of a role to filter a saved search

mdtrandco
New Member
‎02-17-2019 08:29 AM

Hello,

I have a saved search, running each day with the following output

Computer_Name | DPT | Install_status | Patch_ID

I have a dashboard in with a panel like this:

<panel>
      <title>Windows Patch Management</title>
      <single>
        <title>Windows computers</title>
        <search>
          <query>| loadjob savedsearch="MyUser:MyApp:WindowsPatches" 
| search $DPT$ | stats dc(Computer_Name)</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
      </single>
</panel>

I'm facing a little issue here, I can filter using a dropdown, that's the "| search $DPT$ " where $DPT$ is a dropdown of Departments with the following Token value prefix :

  • DPT="

and the following Token value sufix

  • "

But I would like to reuse the "restricted search terms" of the user which is, for exemple : DPT="IT" in order to really restrict and not only visually. I didn't find a topic on how to retrieve this specific field, any ideas ?

Regards,

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-17-2019 08:36 AM

Do not use those search restrictions using search-time fields if the application is security-relevant, they're easily bypassed.
Similarly, do not use dashboard-based restrictions as those are under the control of the user's browser, and thereby easily bypassed as well.

If it's just a convenience case with no security implications you can use the currently logged in user's context via |rest to load its roles and associated search filters.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-17-2019 09:45 AM

Index permissions per role and saved searches running as owner for indexes the users should not have full access to.

0 Karma
Reply

mdtrandco
New Member
‎02-17-2019 09:08 AM

Hi Martin,

Thanks for your answer. If I have security in mind, what are the function I should look into ?

Regards,

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...