Hi All.

I have a local instance on my laptop for demo purposes, so no complex deployment on this machine. I have created an eventtype="event1" which should be used on search filtering terms for a role in order to restrict searches.

I then create a role named "role1":

1. Inheritance: none
2. Capabilities: run_collect, run_mcollect, schedule_rtsearch, search
3. Indexes: main
4. Restrictions: (index::main) AND (sourcetype::source) AND (eventtype::event) - If tested, this SPL correctly returns the results I want the role to be able to search on
5. Resources: Nothing changed

I then save the role and assign it to the demo user. I also restarted Splunk as the docs say. When I log in with the demo user, I can see all the events and it is not filtering by the restrictions of its role.

Any clue on this? Thanks!