Splunk Search

prefix string to search query

manikdham
Path Finder

I am creating an app and want to prefix index= to all searches done in the app.
Is there a way this can be done. The idea is to keep the string either hidden or automatically prefix in the search query.

0 Karma

jonuwz
Influencer

You can do it per view, but not per app (as far as i'm aware)

This will add the equivalent of "NOT source=apache_log" to the beginning of all searches.

<module name="HiddenIntention">
  <param name="intention">
    <param name="name">negateterm</param>
    <param name="arg">
      <param name="source">apache_log</param>
    </param>
    <param name="flags"><list>indexed</list></param>
  </param>

One thing you need to be careful of is users bypassing this by just typeing the query in the url
i.e. https://localhost/en-GB/myapp/search/?q=search source=apache_log.

Putting this above your SumbitButton prevents that :

<module name="Gimp"/>

You can also set a prefix search based on roles : If you go to :

Manager » Access controls » Roles » your_role

There's an option to enter a restiction term applied to all searches.

John

jonuwz
Influencer

You wrap it around any searches you want to be modified by your intention. (Don't forget to close the </module>

Also, HiddenIntention might not be valid as a root module, wrap it in a GenericHeader to test

0 Karma

manikdham
Path Finder

Where do i add this module....when i add this module...my view becomes unavailable...

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...