I have a user group that I'm trying to give access to a specific subnet of firewall traffic. Their network traverses a few firewalls that are shared. So I added in the restrict search terms:
index=newgroup OR (index=firewall dest_ip=10.1.1.0/27)
Now, for one firewall, this works just fine. The field extraction obviously happens early enough and the data is available.
But for the other it doesn't. When I use the "restrict search terms" in the admin role on a search, I see data from both firewalls, but that's with the filter applied at search time. If I change the filter from dest_ip=10.1.1.0/27 to just 10.1.1.* (approximating using a /24) the search works, because (guessing) there's no need for field extraction. Similarly, if I change the restriction to dest_ip=10.1.1.* it also fails to work (testing that it's not seeing the extraction vs. extracting not as an IP).
The working firewall match is a Cisco firewall and the extraction is via a Cisco app (Splunk Add-on for Cisco ASA). The other is a locally created extraction that has been working fine (except for this). Both extractions are marked as global and readable to everyone. The functional extraction lives in the Cisco app, while the other extraction lives in the search app. But, as mentioned, both are shared globally, readable for everyone.
I keep coming back to something being wrong in how the field extraction is happening, or some missing flag that needs ticking so the field extraction happens early enough that it's available to the restriction.
(all IPs changed to protect the innocent, excepting masks)
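An added example (not part of the post, and not Splunk's own filtering code) that emulates the two restriction styles over constructed sample events: the CIDR form depends on the extracted dest_ip field and silently drops events whose extraction failed, while the raw-text 10.1.1.* approximation matches without extraction but admits the whole /24 rather than the /27.

```python
import ipaddress
import re

# Constructed sample events (not from the post). dest_ip is None where the
# search-time extraction did not produce a field, as described for the second firewall.
SAMPLE_EVENTS = [
    {"index": "firewall", "_raw": "deny tcp src=198.51.100.4 dst=10.1.1.5 dport=22",    "dest_ip": "10.1.1.5"},
    {"index": "firewall", "_raw": "deny tcp src=198.51.100.4 dst=10.1.1.31 dport=443",  "dest_ip": "10.1.1.31"},
    {"index": "firewall", "_raw": "permit tcp src=198.51.100.9 dst=10.1.1.32 dport=80", "dest_ip": "10.1.1.32"},
    {"index": "firewall", "_raw": "permit udp src=198.51.100.9 dst=10.1.1.200 dport=53","dest_ip": "10.1.1.200"},
    {"index": "firewall", "_raw": "permit tcp src=198.51.100.7 dst=10.1.1.10 dport=22", "dest_ip": None},
    {"index": "firewall", "_raw": "permit tcp src=198.51.100.7 dst=10.1.2.7 dport=22",  "dest_ip": "10.1.2.7"},
    {"index": "newgroup", "_raw": "app event for group member",                         "dest_ip": None},
]

# Loose stand-in for how a term like 10.1.1.* matches raw event text without a field.
RAW_PATTERN = re.compile(r"(?<![\d.])10\.1\.1\.\d{1,3}(?![\d.])")


def cidr_filter(event, cidr="10.1.1.0/27"):
    """Emulates dest_ip=<cidr>: only events with an extracted dest_ip can match."""
    ip = event.get("dest_ip")
    if ip is None:
        return False  # no extraction => the CIDR restriction can never be satisfied
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def raw_filter(event):
    """Emulates the raw-text approximation 10.1.1.*: matches on _raw, no field needed."""
    return RAW_PATTERN.search(event["_raw"]) is not None


def restricted(events, use_raw=False):
    """Applies index=newgroup OR (index=firewall <filter>) and returns the surviving events."""
    match = raw_filter if use_raw else cidr_filter
    return [e for e in events if e["index"] == "newgroup" or (e["index"] == "firewall" and match(e))]


def overgrant(cidr="10.1.1.0/27", scope="10.1.1.0/24"):
    """Counts addresses the /24-style wildcard admits that the intended CIDR does not."""
    net = ipaddress.ip_network(cidr)
    return sum(1 for a in ipaddress.ip_network(scope) if a not in net)


if __name__ == "__main__":
    print("cidr form keeps:", len(restricted(SAMPLE_EVENTS)))
    print("raw  form keeps:", len(restricted(SAMPLE_EVENTS, use_raw=True)))
    print("extra addresses admitted by 10.1.1.*:", overgrant())
```

The raw form both recovers the event whose extraction failed and leaks every other host in the /24, which is why fixing the extraction rather than widening the term is the safer route.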