Splunk Search

How to restrict searches that use wildcards in the index (ex: index=* index=test* index=*test)?

lassel
Communicator

For audit and performance reasons, I want to educate (force) my users to always explicitly provide the index(es) that they want to search.
First I have made sure that no default indexes are searched.

Secondly I would like to limit the searches. Can I limit searches that use wildcard in index?
E.g. index=* index=test* index=*test

I am aware that "Access Controls > Roles" has a "Restrict search terms" field, but I can't find any documentation or examples on what I want to do.

1 Solution

lassel
Communicator

Got this answer from Splunk support:

With regards to your index=* question, the answer is currently "no"

With our current set of roles and capabilities, we do not have a method by which to restrict the use of wild-cards in search strings.

Currently, the best practice here is to define roles that restrict access to only the necessary indexes and educate your users on Search & Reporting best practices so that they build efficient search queries.

View solution in original post

lassel
Communicator

Got this answer from Splunk support:

With regards to your index=* question, the answer is currently "no"

With our current set of roles and capabilities, we do not have a method by which to restrict the use of wild-cards in search strings.

Currently, the best practice here is to define roles that restrict access to only the necessary indexes and educate your users on Search & Reporting best practices so that they build efficient search queries.

lassel
Communicator

Can somebody confirm if what I want is impossible?

I conclude that it is impossible using "Restrict search terms", but is there another way?

0 Karma

stephane_cyrill
Builder

Hi, it is simple,just create a role for these users and make a restriction on these search terms (index =........).

to do it in splunk web:

setting > access control > roles >add new
under search restrictions, put what you want to be restricted (index= index=test OR index=*test)

Do not forget to specify to whom the role should be apply.

0 Karma

stephane_cyrill
Builder

I'm not sure we can use regex, the error you have ,was is not the goal( to hinder a user to do such a search?)

If the usage of wildcard * is more global than wath you want, try to list precise search terms.Read the note under the text box of SEARCH TERMS RESTRICTION.

0 Karma

lassel
Communicator

From the administration page:

Search restrictions
Restrict the scope of searches run by this role. Search results for this role will only show events that also match this search string.

Can include source, host, index (can be set below), eventtype, sourcetype, search fields, , and OR and AND. Example: "`host=web OR source=/var/log/*`"

It seems like it is impossible to limit user queries that way I want to. Naming the precise search terms is very hard and impossible to administrate when I add new indexes. Besides. Given enough valid queries, the user can still run the wildcard queries, that I wish to limit.

Is there any other way to limit queries?

0 Karma

lassel
Communicator

Thank you for your answer.

Can I use regular expressions in search restrictions?

Also will your restriction limit a user that searches on "index=foo OR index=bar*"?

0 Karma

lassel
Communicator

I want to limit queries that match:
index=[^*]+

0 Karma

lassel
Communicator

Doing that gives me an error on every search like this:
Error in 'SearchParser': Missing a search command before '^'. Error at position '46' of search query 'litsearch ( index=splunktest abc ) ( ( index=[^*]+'.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...