Splunk Search

Using restrict search terms to assign a user group access to a specific subnet of firewall traffic, why are only some field extractions working?

alisterwhipp
Path Finder

I have a user group that I'm trying to assign access to a specific subnet of firewall traffic. Their network traverses a few firewalls that are shared. So I added in the restrict search terms:
index=newgroup OR (index=firewall dest_ip=10.1.1.0/27)

Now, for one firewall, this works just fine. The field extraction obviously happens early enough and the data is available, but for the other it doesn't. When I use the "restrict search terms" in the admin role on a search, I see data from both firewalls, but that's with the filter applied at search time. If I change the filter from dest_ip=10.1.1.0/27 to just 10.1.1.* (approximating using a /24) the search works, because (guessing) there's no need for field extraction. Similarly, if I change the restriction to dest_ip=10.1.1.*, it also fails to work (testing that it's not seeing the extraction vs. extracting not as an IP).

The working firewall match is a Cisco firewall and the extraction is via a Cisco add-on (Splunk Add-on for Cisco ASA). The other is a locally created extraction, which has been working fine (except for this). Both extractions are marked as global and readable to everyone. The functional extraction lives in the Cisco add-on, while the other extraction lives in the search app. But, as mentioned, both are shared globally, readable for everyone.

I keep coming back to something being wrong in how the field extraction is happening, or some missing flag that needs ticking so the field extraction happens early enough that it's available to the restriction.

(all IPs changed to protect the innocent, excepting masks)

1 Solution

alisterwhipp
Path Finder

And the old technique of describing your problem in detail so you can see the answer worked again.
Field extractions living in "local" are part of "any fields or modifiers Splunk Web can overwrite".
I've moved my extractions to a new invisible app, in the default folder, and it's now working nicely.


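As an added example (not from the original thread), here is a minimal layout for the kind of hidden app the answer describes, with the role restriction that "restrict search terms" writes underneath it. The app name (fw_extractions), sourcetype (myfw:syslog), role name (newgroup_users) and the dest_ip regex are assumed placeholders, not taken from the post; substitute the real ones. The point the example shows is that the extraction sits in the app's default/ directory rather than local/, is exported to all apps, and the role's srchFilter in authorize.conf references the field that extraction produces.

```ini
# $SPLUNK_HOME/etc/apps/fw_extractions/default/app.conf   (assumed app name)
# is_visible = false keeps the app out of the Splunk Web app menu ("invisible app").
[ui]
is_visible = false
label = Firewall field extractions

[launcher]
version = 1.0.0

# $SPLUNK_HOME/etc/apps/fw_extractions/default/props.conf
# Assumed sourcetype and log format (e.g. "... dst=10.1.1.17 ..."); the
# capture group name must be dest_ip so the role filter below can use it.
[myfw:syslog]
EXTRACT-fw_dest_ip = \bdst=(?<dest_ip>\d{1,3}(?:\.\d{1,3}){3})\b

# $SPLUNK_HOME/etc/apps/fw_extractions/metadata/default.meta
# Export the props.conf objects system-wide and let every role read them.
[props]
export = system
access = read : [ * ], write : [ admin ]

# $SPLUNK_HOME/etc/system/local/authorize.conf
# "Restrict search terms" in Splunk Web is stored as srchFilter on the role;
# it is ANDed onto every search the role runs. Assumed role and index names.
[role_newgroup_users]
importRoles = user
srchIndexesAllowed = newgroup;firewall
srchIndexesDefault = newgroup
srchFilter = index=newgroup OR (index=firewall dest_ip=10.1.1.0/27)
```

To confirm the extraction is actually being picked up from the app's default directory (and not shadowed by a copy in search/local), run `splunk btool props list myfw:syslog --debug` on the search head and check the file path printed beside EXTRACT-fw_dest_ip; then log in as a member of the role and verify that `index=firewall | stats count by dest_ip` returns only addresses inside 10.1.1.0/27. Restart or a debug/refresh is needed after adding the app, and the filter only does its job for events where dest_ip really is extracted, so any sourcetype on the shared firewalls that lacks the extraction is simply invisible to the role rather than leaked.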

jplumsdaine22
Influencer

Thanks for marking your own answer completed, it helps a lot!
