Splunk IT Service Intelligence

ITSI_summary_metrics in roles search restriction




We are developing a query to restrict specific user role to limited services. So we create a query for restriction and we are able to add itsi_summary with serviceid but not sure how to do it for itsi_summary_metrics index. Without metrics index , users are not able see the services assigned to them through teams


Please let me know how write a query for itsi_summary_metrics with serviceid

Labels (3)
0 Karma

Splunk Employee
Splunk Employee

Are you trying to restrict access to the service view, or the underlying data the search returns?  Metrics have no real private info except a host name so not really sure why you are restricting this way.  Use teams instead from within ITSI to assign which services which members can see.

0 Karma

Splunk Employee
Splunk Employee

The itsi_summary_metrics index is a metric format
You probably cannot use the same logic that for an "event format" index.
I do not know if this possible to do a filter that works for metric, or for metric AND events.

The docs are not clear on that, they only give SPL filters examples :


To test : 

  • create a test user and test role
  • add a filter to the role
  • run a search as that user, and open the search inspector, you will see the "extended search" query, and see how the filter was added automatically, see if you can figure it out
Tags (1)
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!