I have a long list of hosts/sources/sourcetypes I want to restrict a user to. Can I define a macro, then reference that macro when restricting the user's search terms under Manager » Access controls » Roles » myrole » Restrict search terms? This is to prevent the long list of search terms from showing up and taking over my search page every time I execute a query.
If I hear you correctly, you're looking for a more flexible alternative to giving your roles different search-filters?

Assuming that to be the case, what you might find cleaner is to index the different levels of data into different indexes, and then set the index config such that the users in those roles don't actually have to type in index=foo terms or even know that any of this is happening, e.g.:

role X - I want them to only be able to search sourcetype=foo OR sourcetype=bar
index A - contains foo and bar
so configure role X to search only index A by default

It takes a little getting used to, but

Thank you, Nick. I recommended this to the customer as well, but you've covered it in much clearer detail here.
(31 Aug '10, 00:52)
hulahoop ♦
It would be nice if macros could work, as restructuring roles and indexes is an advanced admin task and can require lots of change and testing for moderate to complex Splunk environments.
(01 Sep '10, 17:21)
hulahoop ♦
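
As an added example (not part of the original answers), the index-based approach from the first answer could be expressed in Splunk's configuration files as follows. The role name, index name, monitored path and sourcetype values are placeholders chosen for illustration.

```ini
# --- indexes.conf (constructed example) ---
# Dedicated index that holds only the data role X may see.
[index_a]
homePath   = $SPLUNK_DB/index_a/db
coldPath   = $SPLUNK_DB/index_a/colddb
thawedPath = $SPLUNK_DB/index_a/thaweddb

# --- inputs.conf (constructed example) ---
# Route the foo and bar data into index_a at index time.
[monitor:///var/log/foo]
sourcetype = foo
index = index_a

[monitor:///var/log/bar]
sourcetype = bar
index = index_a

# --- authorize.conf (constructed example) ---
# Filter-based restriction, for comparison: every term has to be listed
# and maintained in the role definition.
# [role_myrole]
# srchFilter = sourcetype=foo OR sourcetype=bar

# Index-based restriction: the role can search only index_a, and a search
# with no index= term runs against index_a by default.
# Caveat: if this role imports another role, that role's allowed indexes
# apply as well, so check inherited roles before relying on this.
[role_myrole]
srchIndexesAllowed = index_a
srchIndexesDefault = index_a
```

Because the restriction lives in the role definition rather than in a knowledge object, users in the role cannot override it from their own search context.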
I just tried it--it's not possible in Splunk 4.1.4. :(
No, but you can use eventtypes or list lookups. However, if you use any of these knowledge objects, you should note that a user can override or edit them for their local context, which often defeats the purpose in a search filter.

Thank you, Stephen. I appreciate the con analysis here for anyone attempting to rely on knowledge objects.
(31 Aug '10, 00:53)
hulahoop ♦
