I have a user group that I'm trying to assign access to a specific subnet of firewall traffic. Their network traverses a few firewalls that are shared. So I added in the restrict search terms;
index=newgroup OR (index=firewall dest_ip=10.1.1.0/27)
Now, for one firewall, this works just fine. The field extraction obviously happens early enough and the data is available, but the other it doesn't. When I use the "restrict search terms" in admin role on a search, I see data from both firewalls, but that's with the filter applied at search-time. If I change the filter from
dest_ip=10.1.1.0/27 to just
10.1.1.* (approximating using a /24) the search works, because (guessing) there's no need for field extraction. Similarly, if I change the restriction to
dest_ip=10.1.1.*, it also fails to work (testing that it's not seeing the extraction vs extracting not as an IP).
The working firewall match is a Cisco firewall and the extraction is via a Cisco add-on (Splunk Add-on for Cisco ASA). The other is a locally created extraction, that has been working fine (except for this). Both extractions are marked as global and readable to everyone. The functional extraction lives in the Cisco add-on, while the other extraction lives in the search app. But, as mentioned, both shared globally, readable for everyone.
I keep coming back to something being wrong in how the field extraction is happening, or some missing flag that needs ticking so the field extraction happens early enough that it's available to the restriction.
(all IPs changed to protect the innocent, excepting masks)
And the old technique of describe your problem in detail so you can see the answer, worked again.
Field extractions living in "local" are part of "any fields or modifiers Splunk Web can overwrite".
I've moved my extractions to a new invisible app, in the default folder, and it's now working nicely.
Thanks for marking your own answer completed, it helps a lot !