I would like to implement a strategy where branch office Splunk users can only see events and lookup table content relating to resources in their own branch office.
I can get the event filtering element of the strategy to work by mapping branch office user groups to a corresponding Splunk user role and assigning a search filter to that role to only include hosts having the naming convention of branch office resources. The only problem is that the filtering function does not seem to apply to lookup table content... For instance, a branch office user could run | inputlookup allpersonnell and their results are not constrained. I would like to be able to constrain views of such lookup table content with controls in Splunk user roles. I'm guessing the search filter function just doesn't work this way... but should it? And if not, can anyone think of a better way?