Hi there,
I have created an automatic lookup to separate events for different teams so that each event would be assigned a new field "team".
Then I would like to use this field as the restrict search terms for the roles below:
1. team_a_admin -> Restrict search terms "team=team_a" + inherit the admin role
2. team_a_user -> Restrict search terms "team=team_a" + inherit the user role
And I found that the new role "team_a_user" is working as I expected. Those hosts not belonging to team A are filtered out.
But the role "team_a_admin" is still showing all hosts.
Tested on Splunk version 7.1 and 6.5, same result.
Would anyone know the way to use the restrict search terms for the admin role?
Many thanks.
DA