Auto prepend when search in background

duenguyen · ‎12-28-2013

Hello I have csv which look like this
a@a.com,10.20.10.223,12/2/2013 20:39,www.google.com
a@a.com,10.20.10.223,12/2/2013 20:39,www.yahoo.com
a@a.com,10.20.10.223,12/2/2013 20:39,www.msn.com
b@b.com,12.12.3.444,12/2/2013 20:39,www.ask.com
b@b.com,14.15.3.344,12/2/2013 20:39,www.facebook.com
b@b.com,12.14.3.444,12/2/2013 20:39,www.tweeter.com
c@c.com,12.22.33.444,12/2/2013 20:39,www.splunk.com

Where as the first column is username, ipaddress, time and url user visit. I already successfully modified props.conf and transform.conf to map csv fields. In splunk i have user account setup for a@a.com, b@b.com and c@c.com. Is there a way when user a logged in he can only search information which only relevant to him so is with b@b.com and c@c.com. In another word when user a@a.com logged in when he type * or any search term or command so in background it will automatically prepend and run
username=a@a.com | search *

kristian_kolb · ‎12-29-2013

I think that you'd need to set that up statically as a 'search restriction' property for each role within Splunk. I.e. each user must have its own role. Workable if you 20 users, but not if you have 200.

http://docs.splunk.com/Documentation/Splunk/6.0.1/Security/Aboutusersandroles
http://docs.splunk.com/Documentation/Splunk/6.0.1/Security/Addandeditroles

/K

Auto prepend when search in background

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?