×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
User_Spl
New Member
Member since: ‎02-03-2026
‎02-03-2026
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎02-03-2026
Activity Feed
View All

Re: Can srchFilter use lookups dynamically?

by in Splunk Enterprise
‎02-03-2026 09:03 AM
‎02-03-2026 09:03 AM
Thank you for your response. USE CASE: - Single index (e.g., "main") containing logs from all users - Events are distinguished by a field: user_id (or owner, username, etc.) - 4000 users authenticated via (SAML) - Each user should only see their own events (where user_id matches their username) GOAL: Apply user-specific filtering WITHOUT creating 4000 individual roles. IDEAL SOLUTION (if possible): A single role with dynamic filtering: [role_users] srchFilter = user_id="$user$" Where $user$ is automatically replaced by the authenticated username. QUESTION: Does Splunk support this pattern? Can srchFilter use the $user$ variable to dynamically filter based on the logged-in username? If not, what is the recommended approach for this scenario without creating thousands of roles? Thank you for your guidance. ... View more

Can srchFilter use lookups dynamically?

by in Splunk Enterprise
‎02-03-2026 08:32 AM
‎02-03-2026 08:32 AM
Hello, Hello, I have 4000 SAML users and need to apply search restrictions dynamically from a lookup table. Question: Does srchFilter support subsearches or lookups? Example of what I want to achieve: [role_dynamic] srchFilter = [| inputlookup user_restrictions.csv | where username="$user$" | return $filter] Currently, this doesn't work. Is there a native solution without custom Python scripts? Thank you. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-03-2026 08:25 AM