How to apply search filters for user roles on lookup table content?

dstaulcu
Builder

I would like to implement a strategy where branch office Splunk users can only see events and lookup table content relating to resources in their own branch office.

I can get the event filtering element of the strategy to work by mapping branch office user groups to a corresponding Splunk user role and assigning a search filter to that role to only include hosts having the naming convention of branch office resources. The only problem is that the filtering function does not seem to apply to lookup table content... For instance, a branch office user could run | inputlookup allpersonnell and their results are not constrained. I would like to be able to constrain views of such lookup table content with controls in Splunk user roles. I'm guessing the search filter function just doesn't work this way... but should it? And if not, can anyone think of a better way?

1 Solution

Lucas_K
Motivator

Search filter is being applied to the base search. It would seem you've figured out how to use it against normal events, but it doesn't work against input lookups. I believe this is expected behaviour.

Search filter only seems to work on actual events. If you do an inspect there is no litsearch for an inputlookup. No modification to searchFilter seems to get it to show up when an inputlookup is invoked.

Your best bet might be two lookup files. Limit access to each one to the applicable roles/regions.

i.e. allpersonnell_north and allpersonnell_south; change the input lookup call to a generic inputlookup allpersonnell* and each set of permissions will block the other lookup from being searched.

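The split-lookup approach above, written out as Splunk configuration. This is an added example, not configuration from the original post or from Splunk's documentation; the app name (branch_access), the role names, the host naming convention (north-*/south-*) and the .csv file names are assumptions, and the wildcard search at the end is the form the answer suggests. The point it makes is that srchFilter is ANDed into the event search only, so the thing that actually constrains lookup content is the read permission on each lookup table file.

```ini
# --- $SPLUNK_HOME/etc/apps/branch_access/local/authorize.conf ---
# Role-level search filter. This constrains event searches only; it is
# never applied to generating commands such as | inputlookup.
# Role names and host prefixes are assumptions for this example.
[role_branch_north]
importRoles = user
srchFilter = host=north-*

[role_branch_south]
importRoles = user
srchFilter = host=south-*

# --- $SPLUNK_HOME/etc/apps/branch_access/metadata/local.meta ---
# Object-level permissions on the two lookup table files (assumed to be
# uploaded into the branch_access app). Because srchFilter does not
# reach | inputlookup, read access is what does the filtering here:
# a role_branch_north user cannot read the south file at all.
[lookups/allpersonnell_north.csv]
access = read : [ role_branch_north ], write : [ admin ]
export = system

[lookups/allpersonnell_south.csv]
access = read : [ role_branch_south ], write : [ admin ]
export = system

# Search run by any branch user, in the generic form the answer suggests:
#   | inputlookup allpersonnell*
# Only the file(s) the user's roles are permitted to read are returned.
```

To check the permission side independently of the wildcard, log in as a user holding only role_branch_north and run `| inputlookup allpersonnell_south.csv` directly; it should come back with an error rather than rows. Keep in mind that permissions are additive across roles, so a user who inherits both branch roles (or admin) will see both files, which is the intended behaviour for regional managers but worth confirming when mapping directory groups to roles.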
