I created a Role with the following restriction:
1- origen::chile OR ( index::_audit AND user="secchi")
But I can still see the data models with any origen. I can filter a data model in search and reporting like this:
2- | datamodel "Authentication" search | search Authentication.origen="chile"
But I don't know how to combine 1 and 2 into one single restriction to include in the Role restrict search. Any ideas?
Thank you
The key here is to only get event data with origen="chile" and datamodel Authentication with values Authentication.origen="chile" when the user "chile" logs in. The most obvious place to do this is the Role setting Role->Restrictions.
From what I see, the SPL you wrote there is not filtering both.
I see, that's true.
Because where needs to be written by you.
I used append to show the two logs and then selfjoin them together.
If there is a row that has the Authentication.origen field, it should be kept.
Thanks for responding. It does not seem to work. Could you please explain the logic?
Did you try? What are the query and result? I don't have any information at all, so that's all I can do.
Please look up the meaning of SPL.
append and | eval origen=coalesce(origen,'Authentication.origen') | selfjoin origen | where as_you_like