Solved: How to build a srchFilter when two indexes are all...

Clovisa · ‎07-17-2018

Hello,

I am trying to build a role that would allow the users to access to two indexes (index1 and index2). The index1 has a field called parameter and I want the role to restrict search filter to parameter=value. But when I do this (see code below), I don't have access anymore to my index2. How could I avoid this ?

Thanks !

[role_test]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user
srchIndexesAllowed = index1, index2
srchIndexesDefault = index1
srchFilter = parameter=value
srchMaxTime = 0

kmorris_splunk · ‎07-17-2018

By applying a restrictive search you are limiting the data they can see to a subset of the index(es) the role can see. Since index2 does not have a parameter field, you are removing index2 from the scope for that role.

You will need to do an OR in the search so that it covers all of the data they can see. For example:

(index=index1 parameter=value) OR (index=index2)

View solution in original post

kmorris_splunk · ‎07-17-2018

By applying a restrictive search you are limiting the data they can see to a subset of the index(es) the role can see. Since index2 does not have a parameter field, you are removing index2 from the scope for that role.

You will need to do an OR in the search so that it covers all of the data they can see. For example:

(index=index1 parameter=value) OR (index=index2)

Clovisa · ‎07-17-2018

Perfect thanks 🙂

How to build a srchFilter when two indexes are allowed?

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!