topic Re: Restricting users from search in Splunk Search

Restricting users from search

pradeepkumarg — Mon, 19 Aug 2013 13:06:55 GMT

We have a situation where we need to restrict users to be able to search during a specific period of time. Removing search=enabled for a particular role in authorize.conf is not working. Is there a way we can achieve this for a role?

Re: Restricting users from search

sdaniels — Tue, 20 Aug 2013 17:56:52 GMT

I don't believe there is a way to restrict user search access based on time. You could certainly remove the indexes that are searchable from a role to avoid users searching on specific/all data during a specific period. That would require a restart of Splunk of course.

Re: Restricting users from search

somesoni2 — Fri, 05 Dec 2014 17:43:29 GMT

You want user to able to log in but not able to perform search on specific period like 6:00 PM to 6:00 AM?

Re: Restricting users from search

ayme — Fri, 05 Dec 2014 18:55:23 GMT

Associated with the User Role, you could add a "Restrict search terms" filter.

If for a very specific period in time you could add, for example:

(_time>1417805142.703 AND _time<1417805242.703)

Or if you want to prevent people searching data between 18h00 and 19h00 you could add the filter:

date_hour!=18

Re: Restricting users from search

pradeepkumarg — Thu, 22 Jan 2015 17:36:48 GMT

@somesoni2 Right but the timings are not fixed, it's when we know that there is going to be a users storm logging in and issuing searches to solve a very high severity issue happening in the organization, it's at that point of time we want to restrict searching only for a critical team/role to save Splunk system resources from taking a toss..