Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Restrict "*" Searches

jodros
Builder
‎03-28-2012 06:15 AM

Is there a way to restrict a "*" or return all results search? I have tried several times with the restricted search terms, but was unsuccessful. Just wondering if anyone has found a way of successfully implementing this. If not, I think it would make a good case for a product enhancement.

Thanks

Tags (1)
0 Karma
Reply

jodros
Builder
‎03-29-2012 05:16 AM

Ayn, bottom line, I don't want a user being able to input an "*" and hit enter in any search field, thus running a return all search. That is the end goal.

0 Karma
Reply

Ayn
Legend
‎03-28-2012 02:06 PM

I'm confused as to whether you mean that you want to restrict users from entering wildcard searches somehow, or that you want Splunk to interpret the '*' character literally instead of as a wildcard?

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎03-28-2012 01:27 PM

Look in Manager > Access Controls > Roles. Select a role and you can have it prepend searches that restrict the users in that role. That should help eliminate * searches across all data and all time.

0 Karma
Reply

jodros
Builder
‎03-29-2012 06:35 AM

Ok. That was what I was thinking as well. I have not found a successful way of using the restricted search terms to try and limit an "" search. I was successful in either allowing only an "" search or not allowing any search. Neither of those were acceptable.

Thanks

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎03-29-2012 05:46 AM

I may not be completely understanding what you are looking for if the restricted search functionality give you what you need. I don't believe there is a way to avoid users putting in a * and having it search across whatever data that user has access to.

Reply

jodros
Builder
‎03-29-2012 05:18 AM

sdaniels, I have thought about building views to limit their search actions, but I was trying to work smarter, not harder. I would like to hear more about your first suggestion. Could you elaborate a bit more?

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎03-28-2012 02:03 PM

If that doesn't work then you may want to consider specific views where you provide users drop downs and/or text fields for them to perform very specific searches based on a source type or eventtype. You could also provide specific dashboards with the data needed. In both cases you could lock down the search app to power users only so the average user can't perform large data set * searches.

0 Karma
Reply

jodros
Builder
‎03-28-2012 01:46 PM

This sounds promising. How would I configure this exactly? I have tried the restrict search terms, but that will not accomplish what I need, unless I define EVERY legal search. The restrict search terms views the "*" as a wildcard. I want it to be viewed as its character value.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎03-28-2012 12:36 PM

You can include search filter strings on a per-user basis, to narrow a search to a particular index, or "host=hosta.example.com" or something like that. This is controlled in Splunk under Manager > Access Controls > Roles, labeled as "Restrict search terms". It sounds like you were on the right track, but perhaps had a problem somewhere?

Can you elaborate on the problem you had?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...