Hello I have csv which look like this
a@a.com,10.20.10.223,12/2/2013 20:39,www.google.com
a@a.com,10.20.10.223,12/2/2013 20:39,www.yahoo.com
a@a.com,10.20.10.223,12/2/2013 20:39,www.msn.com
b@b.com,12.12.3.444,12/2/2013 20:39,www.ask.com
b@b.com,14.15.3.344,12/2/2013 20:39,www.facebook.com
b@b.com,12.14.3.444,12/2/2013 20:39,www.tweeter.com
c@c.com,12.22.33.444,12/2/2013 20:39,www.splunk.com
Where as the first column is username, ipaddress, time and url user visit. I already successfully modified props.conf and transform.conf to map csv fields. In splunk i have user account setup for a@a.com, b@b.com and c@c.com. Is there a way when user a logged in he can only search information which only relevant to him so is with b@b.com and c@c.com. In another word when user a@a.com logged in when he type * or any search term or command so in background it will automatically prepend and run
username=a@a.com | search *
I think that you'd need to set that up statically as a 'search restriction' property for each role within Splunk. I.e. each user must have its own role. Workable if you 20 users, but not if you have 200.
http://docs.splunk.com/Documentation/Splunk/6.0.1/Security/Aboutusersandroles
http://docs.splunk.com/Documentation/Splunk/6.0.1/Security/Addandeditroles
/K