We have a global installation of Splunk. About 100 indexers. Each region is broken up by country. I created a macro that defines several variables like [us] definition=splunk_server=allusindexers, [asia] definition=allasiaindexers and so on.

This works great at search time to keep the searches from hitting all of the search peers. But what I need to do now is define a default whether using srchfilter or something else so that normal users, when they search are restricted to only their countries search peers. (I did get this working using srchFilter) BUT, I need for the users to be able to add in asia to either only search the Asia indexers or both the default and Asia indexers. (Would prefer the first option). To have the search string hit all of the indexers, will kill the performance of splunk, and training those users who love to just type in index=* and an ip address, well, you can guess what will happen.

Using srchFilter is an automatic AND so if defined, it does the search with the default splunk_servers AND the additionally splunk_servers which then returns no results. We do have our indexes broken out by region, but if I only want to see results in New Zealand, using just the index name will send the search request to all indexers and all indexers in that region will process the request even though only that one indexer has the data.

Anyone run into this and maybe have found a way around this?