Splunk Search

How to apply search filters for user roles on lookup table content?

dstaulcu
Builder

I would like to implement a strategy where branch office Splunk users can only see events and lookup table content relating to resources in their own branch office.

I can get the event filtering element of the strategy to work by mapping branch office user groups to a corresponding Splunk user role and assigning a search filter to that role to only include hosts having the naming convention of branch office resources. The only problem is that the filtering function does not seem to apply to lookup table content... For instance, a branch office user could run | inputlookup allpersonnell and their results are not constrained. I would like to be able to constrain views of such lookup table content with controls in Splunk user roles. I'm guessing the search filter function just doesn't work this way... but should it? And if not, can anyone think of a better way?

1 Solution

Lucas_K
Motivator

Search filter is being applied to the base search. It would seem you've figured out how to use it against normal events, but it doesn't work against input lookups. I believe this is expected behaviour.

Search filter only seems to work on actual events. If you do an inspect there is no litsearch for an inputlookup. No modification to searchFilter seems to get it to show up when an inputlookup is invoked.

Your best bet might be two lookup files. Limit access to each one to applicable roles/regions.

i.e., allpersonnell_north and allpersonell_south; change the input lookup call to a generic inputlookup allpersonell*, and each set of permissions will block the other lookup from being searched.
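The two-lookup approach above, written out as Splunk configuration. This is an added example, not configuration from the thread or from Splunk's own documentation; the app name `branch_access`, the role names `role_branch_north` / `role_branch_south`, the `north-*` / `south-*` host naming and the `main` index are assumptions chosen for illustration. The first file gives each role its event search filter; the second restricts read access on each branch's lookup file to that branch's role, which is what actually fences `| inputlookup`, since `srchFilter` is never applied to lookup content.

```ini
# File: $SPLUNK_HOME/etc/apps/branch_access/local/authorize.conf
# (hypothetical app; role names and host prefixes are assumptions)

[role_branch_north]
importRoles = user
# Event-side control: Splunk ANDs this filter onto every event search
# the role runs. It has no effect on | inputlookup.
srchFilter = host=north-*
srchIndexesAllowed = main
srchIndexesDefault = main

[role_branch_south]
importRoles = user
srchFilter = host=south-*
srchIndexesAllowed = main
srchIndexesDefault = main

# File: $SPLUNK_HOME/etc/apps/branch_access/metadata/local.meta
# Lookup-side control: one CSV per branch, readable only by that branch's
# role. A north user asking for the south file gets a "lookup does not
# exist" style error rather than the other branch's rows.

[lookups/allpersonnell_north.csv]
access = read : [ role_branch_north ], write : [ admin ]
export = system

[lookups/allpersonnell_south.csv]
access = read : [ role_branch_south ], write : [ admin ]
export = system
```

After a restart (or a debug/refresh), verify the control from a test account that holds only `role_branch_north`: `| inputlookup allpersonnell_north.csv` should return rows and `| inputlookup allpersonnell_south.csv` should fail. Two caveats worth checking in the same session: a user who is a member of both roles gets both search filters OR'd together (Splunk combines `srchFilter` values across roles), so an accidental dual-role assignment widens rather than narrows event access; and the lookup permission must also cover any lookup *definition* in `transforms.conf` (`[transforms/...]` stanzas in the same `local.meta`), otherwise a `| lookup` against a shared definition can still reach the file.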
