Hi,
We are developing a query to restrict a specific user role to limited services. We created a query for the restriction and we are able to add itsi_summary with serviceid, but we are not sure how to do it for the itsi_summary_metrics index. Without the metrics index, users are not able to see the services assigned to them through teams.
Please let me know how to write a query for itsi_summary_metrics with serviceid.
Are you trying to restrict access to the service view, or the underlying data the search returns? Metrics have no real private info except a host name so not really sure why you are restricting this way. Use teams instead from within ITSI to assign which services which members can see.
The itsi_summary_metrics index is a metric format.
You probably cannot use the same logic as for an "event format" index.
I do not know if it is possible to do a filter that works for metrics, or for metrics AND events.
The docs are not clear on that; they only give SPL filter examples:
https://docs.splunk.com/Documentation/Splunk/8.2.2/Security/Addandeditroles#Specify_search_restricti...
To test: