Limit which search peers are used by default

redman1138
Explorer

We have a global installation of Splunk. About 100 indexers. Each region is broken up by country. I created a macro that defines several variables like `[us] definition=splunk_server=allusindexers`, `[asia] definition=allasiaindexers` and so on.

This works great at search time to keep the searches from hitting all of the search peers. But what I need to do now is define a default, whether using srchFilter or something else, so that normal users, when they search, are restricted to only their country's search peers. (I did get this working using srchFilter.) BUT, I need for the users to be able to add in `asia` to either only search the Asia indexers or both the default and Asia indexers. (Would prefer the first option.) To have the search string hit all of the indexers will kill the performance of Splunk, and training those users who love to just type in `index=*` and an IP address, well, you can guess what will happen.

Using srchFilter is an automatic AND, so if defined, it does the search with the default splunk_servers AND the additional splunk_servers, which then returns no results. We do have our indexes broken out by region, but if I only want to see results in New Zealand, using just the index name will send the search request to all indexers, and all indexers in that region will process the request even though only that one indexer has the data.

Anyone run into this and maybe have found a way around this?
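The behaviour described in this post, as an added configuration example that is not from the original thread. Host naming patterns, role names and the group names are assumptions chosen for illustration. The first two files show why the macro-plus-srchFilter combination ANDs itself into an empty result; the third shows Splunk's distributed search groups in distsearch.conf, which the thread does not mention and which address the "default peers, override per search" requirement directly, with the caveat that a search group default is per search head, not per role.

```ini
# macros.conf (search head) -- one macro per region, expanding to a
# splunk_server= restriction. Hostname patterns are assumptions.
[us]
definition = splunk_server=us-idx*

[asia]
definition = splunk_server=asia-idx*

# authorize.conf -- srchFilter is ANDed onto every search the role runs,
# so nothing typed in the search bar can widen it. Role names are assumptions.
[role_us_user]
importRoles = user
srchFilter = splunk_server=us-idx*

# Effective searches for role_us_user:
#   typed:   index=* 10.0.0.1
#   run as:  (index=* 10.0.0.1) AND (splunk_server=us-idx*)   -> US peers only
#
#   typed:   index=* 10.0.0.1 `asia`
#   run as:  (index=* 10.0.0.1 splunk_server=asia-idx*) AND (splunk_server=us-idx*)
#   -> no peer matches both patterns, so the search returns nothing.
#
# Widening the filter to an OR lets `asia` narrow the search, but the default
# (no macro) then fans out to both regions, which is what the post wants to avoid:
#   srchFilter = splunk_server=us-idx* OR splunk_server=asia-idx*

# distsearch.conf (search head) -- distributed search groups. A search with no
# splunk_server_group= term goes only to groups marked default = true; a user
# who wants another region adds splunk_server_group=asia to the search.
# This is a per-search-head default, so a US search head gets a US default;
# it is not enforced per role the way srchFilter is.
[distributedSearch:us]
servers = us-idx01:8089, us-idx02:8089
default = true

[distributedSearch:asia]
servers = asia-idx01:8089, asia-idx02:8089
default = false

# Searches against the above:
#   index=web 10.0.0.1                            -> dispatched to the us group only
#   index=web 10.0.0.1 splunk_server_group=asia   -> dispatched to the asia group only
```

Where a role also carries a srchFilter, that filter is still ANDed onto the group-scoped search, so the two mechanisms compose: the group decides which peers receive the request, the srchFilter decides which events those peers may return.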

bigtyma
Communicator

Curious if you could use srchFilter to explicitly deny the search `index=*` and start training users that they are required to either specify the indexes or use the macros.
