https://community.splunk.com/t5/Security/Restrict-User-Search-Period/m-p/281326#M7567 <P>Hi, right ok, I understand now.</P> <P>Many thanks for the confirmation.</P> <P>Kind Regards</P> <P>Chris</P> Mon, 15 Feb 2016 08:48:06 GMT IRHM73 2016-02-15T08:48:06Z https://community.splunk.com/t5/Security/Restrict-User-Search-Period/m-p/281322#M7563 <P>Hi, I wonder whether someone could help me please.</P> <P>I know that I can restrict a users 'search period' by changing the <STRONG>'Restrict search time range'</STRONG> in the role settings, in my case 90 days.</P> <P>But I just wonder whether someone may be able to confirm for please whether the 90 days is 90 days prior to the date the search is performed i.e if the search was performed today it would be 90 prior which is 17 November 2015, or whether this restricts the user to extracting the data in 90 days chunks e.g. 1 November 2015 to 1 February 2016.</P> <P>Many thanks and kind regards</P> <P>Chris</P> Mon, 15 Feb 2016 07:06:42 GMT https://community.splunk.com/t5/Security/Restrict-User-Search-Period/m-p/281322#M7563 IRHM73 2016-02-15T07:06:42Z https://community.splunk.com/t5/Security/Restrict-User-Search-Period/m-p/281323#M7564 <P>Hello Chris,</P> <P>As mentioned in DOC <EM>Restrict search time range: specify over how large of a window of time this role can search.</EM> It sets a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. So it depends on the recent time user mentions subtracted by 90 days. So its basically making sure that user is not searching a <EM>large</EM> time range which might cause performance issues,</P> <P>latest=now (Feb 15) - User will be able to search data till 17 Nov<BR /> latest=1st Feb - User will be able to search data till 02 Nov</P> <P>Hope that clairifes</P> Mon, 15 Feb 2016 07:38:50 GMT https://community.splunk.com/t5/Security/Restrict-User-Search-Period/m-p/281323#M7564 renjith_nair 2016-02-15T07:38:50Z https://community.splunk.com/t5/Security/Restrict-User-Search-Period/m-p/281324#M7565 <P>Hi @renjith.nair, thank you very much for coming back to me with this and forgive the dumb question, I blame it on an early start, so basically a user via a timepicker can select any date and always only be able to go back 90 days?</P> <P>Many thanks and kind regards</P> <P>Chris</P> Mon, 15 Feb 2016 07:48:28 GMT https://community.splunk.com/t5/Security/Restrict-User-Search-Period/m-p/281324#M7565 IRHM73 2016-02-15T07:48:28Z https://community.splunk.com/t5/Security/Restrict-User-Search-Period/m-p/281325#M7566 <P>Hello Chris, the user can select any timerange but the events will be picked only from -90th day for normal searches like index=*. </P> <P>To validate this, </P> <UL> <LI>Create a role with this restriction</LI> <LI>Create a user and assign to this role</LI> <LI>Select time range to last 6 months</LI> <LI>Run the search <CODE>index=*|stats earliest(_time) as _time</CODE></LI> </UL> <P>You will be able to see the earliest time as 17 Nov (if you haven't mentioned latest time and defaults to now)</P> Mon, 15 Feb 2016 08:25:43 GMT https://community.splunk.com/t5/Security/Restrict-User-Search-Period/m-p/281325#M7566 renjith_nair 2016-02-15T08:25:43Z https://community.splunk.com/t5/Security/Restrict-User-Search-Period/m-p/281326#M7567 <P>Hi, right ok, I understand now.</P> <P>Many thanks for the confirmation.</P> <P>Kind Regards</P> <P>Chris</P> Mon, 15 Feb 2016 08:48:06 GMT https://community.splunk.com/t5/Security/Restrict-User-Search-Period/m-p/281326#M7567 IRHM73 2016-02-15T08:48:06Z