Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is Restrict Search Terms not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to restrict a given role's access to the data in Splunk by using 'Restrict search terms' under access controls. First I tried to restrict based on tag...ie. tag=mytag. This didn't work, so I tried to restrict on one host value...ie. host=hostname. This isn't working either.
I am attempting this on a standalone search head in a distributed environment with an indexer cluster. I will apply this to my search head cluster when it is functional. It might also be useful to know that the role I'm modifying does have another role that is inherited which has its own restrict search terms configured. We're using Splunk 6.3.0.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There must have been a conflict with using 'restrict search terms' on the role I was modifying and the inherited role. I was able to resolve this issue by removing the inherited role. Of course after doing this I needed to apply all of the settings from the inherited role to the role I was modifying.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
I am running on the same issue as you did but on splunk 8.0.5. No roles are inherited and only search is granted to the user, but the search terms for the restrict search are not working at all and the user can see all the data.
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dflodstrom is correct; the issue is the inherited role, but you don't have to remove the inherited role to resolve. You just need to set a value (any value) in the restrict search term parameter value. If it's blank, Splunk takes the inherited value from the role. Simply setting the value to '*' will override the inherited values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dflodstrom is correct; there is a conflict with the inherited role, but you don't have to remove the inherited role to resolve the conflict. Rather than clear the restrict search term value, you have to replace it with a value. If you want no restrictions, replace the value with a "*" which will override the parameter's value from the inherited role.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There must have been a conflict with using 'restrict search terms' on the role I was modifying and the inherited role. I was able to resolve this issue by removing the inherited role. Of course after doing this I needed to apply all of the settings from the inherited role to the role I was modifying.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
