How to Restrict search terms for role based on a d...

michartmann · ‎08-01-2013

We want to restrict certain usergroups possibility to search in Splunk based on a dynamic parameter

For instance
Merchant group A should have this search restriction: index=business-events merchantid=1
Merchant group B should have this search restriction: index=business-events merchantid=2

Could this be done using this search restriction: index=business-events merchantid={currentuser.merchantid}

Could this be done through a database lookup?

sideview · ‎08-02-2013

If you map these groups to Splunk Roles, then yes.

For the index part of the restriction, I would look on the roles page under "Indexes searched by default" and "Indexes" (the difference is subtle but very important). Choose which of the two you'd like to use. Possibly the answer is both. And set for both Role A and B, that they are one way or another restricted to index=business-events.

Then, for the merchantid search restriction, you can just use the "Restrict search terms" field in the role page.

eg for role A, you can set merchantid=1 under "Restrict search terms", and for role B set merchantid=2

http://docs.splunk.com/Documentation/Splunk/5.0.3/Security/Addandeditroles

jtrucks · ‎08-02-2013

At this time I'm fairly certain you can't do it this way. However, you ought to submit a feature request for this.

--
Jesse Trucks
Minister of Magic

linu1988 · ‎08-02-2013

You can mention this on Manager » Access controls » Roles » RoleName. Assign the roles to relevant user groups and specify the index. Thanks

martin_mueller · ‎08-02-2013

I highly doubt that... as a different thought, move the index restriction to the visible indexes part of the role, much better that way.

How to Restrict search terms for role based on a dynamic parameter?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life