- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- srcFilter by metrics index and host OR lookup valu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello there,
we use search filters on our role management concept.
It works fine but we got stuck on the following problem:
Since some of hour hosts have a physical hostname (srv1, srv2, srv3,...) and a virtual hostname (server1-db, server2-db, server3-db, server1-web, server2-web, server3-app), we had to use a lookup table (on the search heads) in order to have the virtual names mapped to the physical hostname (which are the names identified by the splunk forwarder).
Our Lookup table look like this:
sys_name,srv_name
srv1,server-db1
srv2,server-db2
srv3,server-web1
srv4,server-web2
srv5,server-app1
srv6,server-app2
my Role settings look like this:
[role_metrics_db]
srchFilter = index=metrics AND (host=server-db* OR srv_name=server-db*)
[role_metrics_web]
srchFilter = index=metrics AND (host=server-web* OR srv_name=server-web*)
[role_metrics_app]
srchFilter = index=metrics AND (host=server-app* OR srv_name=server-app*)
Unfortunately my search filters do not recognize either the fields "sys_name" or "srv_name".
Should the search filters be done different? Does someone had the same challenge?
Any help will be appreciated.
Cheers!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After some research I could verify the I need to make an indexed Lookup, so the fields will be indexes together with the data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After some research I could verify the I need to make an indexed Lookup, so the fields will be indexes together with the data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think your lookup will need to be applied as an Automatic lookup for the srv_name field to be recognized at search time and work at the srchFilter role restriction level.
And probably the permissions for the CSV, Lookup Definition, and Autolookup need to all be available for the role that the restriction is being applied.
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
