I am looking for a way to filter the events that a user can see based on the values of the event. For example, if there are events with the field 'building' and the field has values 'a' through 'z', I would want user 1 to only be able to retrieve events where the building is of a value 'a' though 'g', and user 2 could be given access to events where the building values are 'f' though 'p'. I have looked into using roles to apply filters, but those are limited to indexed fields and I will have dozens of fields in my events that will need this type of filtering, so it is not a good option. Additionally, the filtering should be secure so that there is no way for users to bypass that filtering. Any ideas? ... View more

Created a custom streaming command that concatenates an event's fields and field values into one field (since the events that we're dealing with has an unpredictable list of fields, I couldn't figure out a way to do it in SPL). When ran in a stand-alone Splunk Enterprise instance, it works fine. However, when ran in a clustered environment, it results in an error (one message per indexer node):   [<indexer hostname>] Streamed search execute failed because: Error in 'condensefields' command: External search command exited unexpectedly with non-zero error code 1..   I have the app that contains the custom command in both the search heads and indexers.   Setup: Oracle Linux Server 7.8 Splunk Enterprise 7.2.6 Search Example:   index=_audit | condensefields _time, user, action, info, _raw | table _time, user, action, info, details     App (was not able to upload compressed folder): <app> bin condensefields.py #!/usr/bin/env python import sys import os sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "lib")) from splunklib.searchcommands import \     dispatch, StreamingCommand, Configuration, Option, validators @Configuration() class CondenseFields(StreamingCommand):     """ Condense fields of an event into one field.     ##Syntax     | condensefields <fields>     ##Description     Condenses all of the fields, except ignored fields, from the event into one field in a key-value format.     """     def stream(self, events):         for event in events:             fields_to_condense = filter(lambda key: key not in self.fieldnames, event.keys())             condensed_str = ''             is_first = True             for key in fields_to_condense:                 value = event[key]                 if not value or len(value) == 0:                     continue                 if not is_first:                     condensed_str += '|'                 else:                     is_first = False                 if isinstance(value, list):                     value = '[\'' + '\', \''.join(value) + '\']'                 condensed_str += key + '=' + value             event['details'] = condensed_str             yield event dispatch(CondenseFields, sys.argv, sys.stdin, sys.stdout, __name__) default app.conf [install] is_configured = false build = 1 [ui] is_visible = false label = commands [launcher] author = Some Rando description = Provides custom commands. version = 1.0.0 commands.conf # [commands.conf]($SPLUNK_HOME/etc/system/README/commands.conf.spec) [condensefields] chunked = true searchbnf.conf # [searchbnf.conf](http://docs.splunk.com/Documentation/Splunk/latest/Admin/Searchbnfconf) [condensefields-command] syntax = condensefields shortdesc = Condense fields of an event into one field. description = Condenses all of the fields, except ignored fields, from the event into one field in a key-value format. content1 = A typical use-case where all of the fields, except for a defined subset, are condensed into the a field with the specified format. example1 = | condensefields _time, event_name, application category = streaming tags = format lib splunklib if you need it, see https://github.com/splunk/splunk-sdk-python/tree/master/splunklib and https://dev.splunk.com/enterprise/docs/devtools/customsearchcommands/createcustomsearchcmd#Install-the-Splunk-Enterprise-SDK-for-Python-in-your-app metadata default.meta [] access = read : [ * ], write : [ admin, power ] export = system ... View more