Smart AnSwerS #45
Hey there community and welcome to the 45th installment of Smart AnSwerS.
We’re back in action after a much needed Thanksgiving break, and what better way to get back into the groove of all things Splunk with the SplunkTrust Virtual .conf session #3 happening tomorrow on Tuesday, December 1st, 2015 @ 11:00AM PST. Everyone is welcome as SplunkTrust member Gregg Woodcock presents on “The “Gotchas” of Splunk!” covering simple mistakes to make that are easy to overlook, difficult to diagnose, and can cause significant problems in your environment. Join us via WebEx and get your Splunk clue on!
Check out this week’s featured Splunk Answers posts:
How to apply search filters for user roles on lookup table content?
dstaulcu wanted to restrict Splunk users to only search and view lookup table content relating to resources in their respective branch offices. After mapping branch office user groups to corresponding Splunk user roles, dstaulcu couldn’t figure out how to configure and apply search filters to get this to work. Lucas K points out that the search filters seem to only apply to actual events as there is no litsearch for an inputlookup. Check out his workaround splitting the single lookup into multiple lookups by branch, naming them accordingly, and applying permissions to each role so searching with a wildcard will block other branch lookups from being searched.
I want to use “$result” in my alert messages, but it doesn’t work.
Sr. Splunk Advisory Engineer davidpaper decided to share a useful tip for the community to understand how to use result tokens in alert messages, an issue many users come across and have posted about previously on Answers. He explains that transforming commands can’t be used and shows an example of what would and would not work, using the stats as an example.
Thanks for reading!
Missed out on the first forty-four Smart AnSwerS blog posts? Check ‘em out here!