Deployment Architecture

How to prevent search head from searching peer by default?

eallanjr
Explorer

When setting up a distributed search peer, is it possible to NOT search the peer unless specified in the search string?

I have two zones (A & B), each with their own search head. The search head in A can search both A and B, whereas the search head in B can search zone B only (this works fine). However, I'd like A to only search A unless I specify "splunk_server=zone_b", that way I don't need to edit previous searches, dashboards, alerts I've written for zone A to include "splunk_server=zone_a".

I didn't see anything in distsearch.conf that looked like it would help, nor anything in the role definitions. Any guidance here? Thanks!

0 Karma

somesoni2
SplunkTrust

Setting it in the default stanza should enforce that restriction for all users. That might be something you can look into.

0 Karma

eallanjr
Explorer

I suppose that could work if I create a user with that restriction and run my searches as that user... not quite the solution I'm hoping for though.

0 Karma

somesoni2
SplunkTrust

You might be able to use 'srchFilter' in authorize.conf. To set this for all users, use the [default] stanza; use a specific role stanza to set it for specific user groups.

You can specify srchFilter = splunk_server=zone_a so that by default this search phrase will get appended to all searches executed (by all users or by a specific role-group).

http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Authorizeconf
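The following authorize.conf fragment is an added illustration of the approach described in this answer; it is not configuration from the original poster or from Splunk's documentation. The zone values `zone_a` and `zone_b` come from the question, the file path and the role name `role_zone_b_readers` are assumptions, and whether a `[default]` stanza is honoured for `srchFilter` on your Splunk version should be checked against the authorize.conf spec linked above.

```ini
# Assumed path: $SPLUNK_HOME/etc/system/local/authorize.conf on the zone A search head.
# Added example, not the poster's own configuration.

# Applies to every role that does not override it: searches run by any user
# get "splunk_server=zone_a" appended, so existing searches, dashboards and
# alerts written for zone A keep returning only zone A results.
[default]
srchFilter = splunk_server=zone_a

# Hypothetical role (name is an assumption) for the few users who are allowed
# to query zone B as well. "*" is the unfiltered default, so members of this
# role can add "splunk_server=zone_b" explicitly in their own search string.
[role_zone_b_readers]
srchFilter = *
```

After editing, confirm the effective values with `splunk btool authorize list --debug` and run a search such as `| metadata type=hosts` as a user in each role to check which peers actually answer; a search filter that is silently ignored will show zone B results for users who should see only zone A.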
