Hello there,

we use search filters in our role management concept. It works fine, but we got stuck on the following problem: Since some of our hosts have a physical hostname (srv1, srv2, srv3,...) and a virtual hostname (server1-db, server2-db, server3-db, server1-web, server2-web, server3-app), we had to use a lookup table (on the search heads) in order to have the virtual names mapped to the physical hostnames (which are the names identified by the Splunk forwarder).

Our lookup table looks like this:

sys_name,srv_name
srv1,server-db1
srv2,server-db2
srv3,server-web1
srv4,server-web2
srv5,server-app1
srv6,server-app2

My role settings look like this:

[role_metrics_db]
srchFilter = index=metrics AND (host=server-db* OR srv_name=server-db*)
[role_metrics_web]
srchFilter = index=metrics AND (host=server-web* OR srv_name=server-web*)
[role_metrics_app]
srchFilter = index=metrics AND (host=server-app* OR srv_name=server-app*)

Unfortunately my search filters do not recognize either the fields "sys_name" or "srv_name". Should the search filters be done differently? Has anyone had the same challenge? Any help will be appreciated.

Cheers!