Splunk Search

Need Help Restricting Results

menkurau
Path Finder

I am trying to provide our data center customers a view of their firewall permits and denies (based on cisco fwsm logs). The requirements I have been given are to restrict what a customer can search for to events for either their source or destination and by the period of time they own the IP. Also, this cannot be a separate app. I need to figure out a way to restrict certain events to certain users based on the source and destination IP and time.

I have a lookup file that specifies a subnet for CIDR matching and has columns for mapping ownership to a customer by IP. The lookup also has a column to reference a date code for both the source and destination IP so I can exclude results by event time.

I have a search that fulfills the requirements; however, I can't figure out a way to restrict results by role. It is a pipeline search, so I can't create an eventtype. My understanding of summary indices precludes their use. My thinking is the only way to do it is to create an app, but the requirements specify no.

Here is an example of one of the searches:

(owner_src="FAC" OR owner_dst="FAC") (type="Built" OR type="Deny")
| convert timeformat="%m%d%y" ctime(_time) as c_time
| eval owner_valid_src = if(c_time >= date_filter_src, "Yes", "No")
| eval owner_valid_dst = if(c_time >= date_filter_dst, "Yes", "No")
| search owner_valid_src="Yes" OR owner_valid_dst="Yes"

dart
Splunk Employee

I think you want to convert your lookup to be an automatic time based lookup, and then use the search filter in the role for each customer on the owner_src and owner_dst fields. That way you do not need the convert, evals and 2nd search.

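Here is what the approach in the answer above (a time-based, CIDR-matched automatic lookup plus a per-role search filter) looks like in configuration, as an added example that is not part of the original question or answer. Everything in it is assumed: the lookup name ip_owner, the CSV column names subnet/owner/valid_from, the sourcetype name cisco:fwsm, the event field names src_ip/dst_ip, the index name firewall and the role name. The sample CSV rows in the comments are constructed. It replaces the convert/eval/search pipeline from the question with fields that exist at search time, so the role filter can reference them directly.

```ini
# --- lookup table (constructed sample, saved as lookups/ip_owner.csv) ---
#   subnet,owner,valid_from
#   10.10.0.0/16,FAC,2012-01-01
#   10.10.0.0/16,ACME,2013-06-01     <- same subnet changes hands later
#   192.0.2.0/24,FAC,2013-03-15
# A time-based lookup picks, for each event, the row whose valid_from is
# the latest one at or before the event's _time, so the second 10.10.0.0/16
# row takes over on 2013-06-01 without any date arithmetic in the search.

# --- transforms.conf ---
[ip_owner]
filename    = ip_owner.csv
# match the event IP against the CIDR block in the "subnet" column
match_type  = CIDR(subnet)
# make the lookup time-based on the "valid_from" column
time_field  = valid_from
time_format = %Y-%m-%d

# --- props.conf (sourcetype name assumed) ---
[cisco:fwsm]
# run the same lookup twice: once for the source IP, once for the destination
LOOKUP-owner_src = ip_owner subnet AS src_ip OUTPUT owner AS owner_src
LOOKUP-owner_dst = ip_owner subnet AS dst_ip OUTPUT owner AS owner_dst

# --- authorize.conf: one role per customer (role and index names assumed) ---
[role_customer_fac]
importRoles        = user
srchIndexesAllowed = firewall
srchIndexesDefault = firewall
# appended with AND to every search this role runs; only events where the
# customer owned the source or the destination at event time come back
srchFilter         = (owner_src="FAC" OR owner_dst="FAC")
```

Adding a customer then means adding CSV rows and one role stanza, with no app involved. Two things to check before relying on it: confirm on your version that CIDR match_type and time-based matching combine on the same lookup stanza (the example assumes they do), and keep each customer user in exactly one customer role, because Splunk combines the srchFilter values of a user's roles with OR, which would widen what a user in two customer roles can see.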

menkurau
Path Finder

Currently four, but there are likely to be more as we add new customers.


jonuwz
Influencer

How many roles will this scale to?
