Splunk Cloud Platform

Splunk Cloud Platform Admin Manual


Create admission rules to prefilter searches

Admission rules let you filter out searches automatically before they start, based on a predicate (condition) that you define. If a search meets the specified condition, the search is not executed.

A critical issue was discovered when using admission rules with an index predicate. An example of such a rule is filtering "index=*" searches. Splunk recommends that customers do not use this capability until a fix is provided in a future release.

You can use admission rules to prevent the execution of rogue searches, such as poorly written and potentially harmful searches that might consume an excessive amount of resources and interfere with critical search workloads. For example, you can create a rule to filter out wildcard searches that target all indexes, or filter out searches in the alltime time range.

You can also use admission rules to set up time-bound access to searches for roles, users, apps and so on. For example, you can create a rule that filters out all ad hoc searches from a certain role during peak business days, but allows the same role to run searches on weekends.

Admission rules have no explicit ordering. All admission rules are evaluated when a search is dispatched. If a search meets the conditions of a rule, the rule takes effect before the search is executed. If a search is already running, and you create a new admission rule that applies to that search, the running search is not affected by the new rule.

Admission rules are enabled by default for the sc_admin role. You can create a maximum of 100 admission rules per Splunk Cloud deployment.

Create an admission rule using Splunk Web

To create and edit admission rules, a user's role must have the list_workload_rule and edit_workload_rule capabilities.

To create an admission rule using Splunk Web:

  1. In Splunk Web, click Settings > Workload Management.
  2. Click Add Admission Rule.
  3. Define the following fields to configure a new admission rule:

     Name
       Specify the name of the admission rule.

     Predicate (Condition)
       Specify a predicate (condition) that must match to trigger this rule. The predicate syntax is <type>=<value> with optional AND, OR, NOT, and (). For example, app=search AND role=power triggers on all searches belonging to both the Search app and the power role.

       Valid predicate types are app, role, index, user, search_type, search_mode, and search_time_range.

       For supported predicate values, see Predicate type values on this page.

       In complex predicates, the AND, OR, and NOT operators must be upper case. Lower case is not supported.

     Schedule (Optional)
       Set a schedule for the admission rule. The schedule determines the time period during which the rule is valid.

       If set to Always On (the default), the rule remains valid indefinitely and does not expire.

       If set to Time Range, the rule is valid during the specified time range only and expires when the time range ends.

       If set to Every Day, Every Week, or Every Month, the rule becomes valid on a recurring basis during the specified time range every day, on the specified days of the week, or on the specified days of the month.

       The schedule time for an admission rule is based on the system timezone, regardless of the timezone set for an individual user in the UI.

     Action
       Admission rules currently support the default Filter search action only.

     User Message
       Enter a custom message that notifies the end user when a search triggers the admission rule action. For example, "This search meets specified admission rule conditions. The search was not executed."

       If an ad hoc search triggers the rule action, the custom message appears beneath the search bar in the Search and Reporting app. If a scheduled search triggers the action, a default message appears in scheduler.log only.

  4. Click Submit.

Example admission rules

The following examples show how you can define admission rules to filter out searches based on your use case objectives.

Example 1: Stop wildcard searches

index=* AND (NOT search_type=datamodel_acceleration)

The above rule excludes data model acceleration searches that use index=* from the filter.

Example 2: Stop all-time searches

search_time_range=alltime AND (NOT role=sc_admin) AND (NOT app=splunk_instance_monitoring)

Some monitoring searches use the alltime time range. The above rule excludes those searches from the filter.

The "View index inheritance for roles" feature also uses an alltime search. You can exclude users or roles that need to view indexes from the filter. The above rule excludes the sc_admin role.

Example 3: Do not allow certain users to run ad hoc searches at peak hours

search_type=adhoc AND role=new_users

After you define the above admission rule predicate, specify the schedule for peak hours.
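The three rule predicates above, run through a small evaluator. This is an added illustration, not part of Splunk's documentation or product code: it implements the predicate grammar this page describes (type=value joined by upper-case AND, OR, NOT and parentheses, with the seven listed predicate types) and checks a rule against a constructed dictionary of search attributes. The attribute dictionary, the rejection of lower-case operators as a parse error, and AND binding tighter than OR are assumptions, since the page does not specify operator precedence.

```python
import re

# Grammar from the page: ( ), upper-case AND/OR/NOT, and type=value for the
# listed predicate types. Lower-case and/or/not match nothing and are rejected.
TOKEN = re.compile(r"\(|\)|AND|OR|NOT|(?:app|role|index|user|search_type|"
                   r"search_mode|search_time_range)=[^\s()]+")

def parse(predicate):
    """Parse a predicate into a tree; OR binds loosest, then AND, then NOT."""
    toks = TOKEN.findall(predicate)
    if "".join(toks) != "".join(predicate.split()):  # anything skipped is invalid
        raise ValueError(f"unsupported predicate syntax: {predicate!r}")
    def factor():
        tok = toks.pop(0) if toks else ""
        if tok == "NOT":
            return ("NOT", factor())
        if tok == "(":
            node = expr()
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if "=" not in tok:
            raise ValueError(f"expected type=value, got {tok!r}")
        return ("EQ", *tok.split("=", 1))
    def chain(op, sub):  # left-associative chain of `op` over sub-expressions
        node = sub()
        while toks and toks[0] == op:
            toks.pop(0)
            node = (op, node, sub())
        return node
    term = lambda: chain("AND", factor)
    expr = lambda: chain("OR", term)
    tree = expr()
    if toks:  # e.g. two terms with no operator between them
        raise ValueError(f"unexpected token {toks[0]!r}")
    return tree

def evaluate(node, search):
    """Evaluate a parsed predicate against a dict of a search's attributes."""
    op = node[0]
    if op == "EQ":
        return search.get(node[1]) == node[2]
    if op == "NOT":
        return not evaluate(node[1], search)
    a, b = (evaluate(n, search) for n in node[1:])
    return (a and b) if op == "AND" else (a or b)

def is_filtered(predicate, search):
    """True when the rule matches, i.e. the search would not be executed."""
    return evaluate(parse(predicate), search)
```

A constructed search such as {"index": "*", "search_type": "adhoc", "role": "power"} is filtered by the Example 1 rule, while the same search with search_type=datamodel_acceleration is allowed through, matching the exclusion described above.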

For more admission rule use case examples, see Scenario 3: Create admission rules to prefilter searches.

Last modified on 12 October, 2020

This documentation applies to the following versions of Splunk Cloud Platform: 8.0.2006, 8.0.2007
