
Limit how far back you can retrieve data regardless of timerangepicker selection

Ant1D
Motivator

Hi,

I want to set a limit on how far back you can retrieve data from. E.g. I don't want users to see data before September 1st 2012 so if they choose 'Last 30 days' on the standard timerangepicker, it will not return data before September 1st 2012 although data exists for August 31st 2012.

Is there a way of achieving this behaviour?

Thanks in advance for your help.

1 Solution

kristian_kolb
Ultra Champion

I assume you could achieve something similar by adding search restrictions for the user role(s) in question. Go to Manager -> Access Controls -> Roles.

In the top of the form there is a text box where you can input search restrictions, e.g.

earliest = -7d 

For more information, see:

http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/SearchTimeModifiers

UPDATE:

For clarity, the "restrict search terms" is the textbox I'm referring to. By stating

starttime=2012-09-01 timeformat=%Y-%m-%d 

you should achieve what you want. The user running the search may see the blue message bar with a "timerange changed" message, as time modifiers specified in the search query override the time picker settings.

Hope this helps,

Kristian


BobM
Builder

There is a better way.

Go into Manager >> Access Controls >> Roles and edit your role.
There is a setting, Restrict search time range, which is set to -1 by default, which means all time.
Changing it to any other number indicates how many seconds back anyone with that role can search. Set it to 2592000 and they will only ever see 30 days of data and will get no error messages.

If the user has multiple roles, then all roles should have this set as the longest duration will prevail.

Bob

kristian_kolb
Ultra Champion

Unfortunately that does not allow an absolute limit, just a relative one.

0 Karma

Ant1D
Motivator

So far it is looking like the best available solution would be perhaps to modify the options available for the timerangepicker module

0 Karma

whitewool
Splunk Employee

Here is an earlier thread on doing a subsearch to pull out the "latest event time" and inserting that value into your search which you can then use to modify a custom time range.

http://splunk-base.splunk.com/answers/10157/custom-time-range-based-on-most-recent-event-time

0 Karma

Ant1D
Motivator

I thought about your idea MuS. It's not a bad idea. I guess this could be done with summary indexing perhaps but this is an 'awkward' way of doing things. Plus there's lots of data coming into the index daily so if I use a different index to store the same data from September 1st then this has implications on storage because I now have 2 indexes being fed with the same source data.

0 Karma


marcusnilssonmr
Path Finder

When I use earliest=-1d in Restrict search terms and search for 1 hour, I still get 1 day. So it seems it does not intersect the time range, it replaces it. Is there a way to have the time become a restriction, and not a replacement?

0 Karma
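The two role-level restrictions discussed in the thread behave differently: Bob's relative window caps how far back any picker selection can reach, while a time modifier in the search filter, as marcusnilssonmr observes, replaces the picker's range outright. The model below is an added illustration of those semantics as the thread describes them (not Splunk's code); the function names, the "longest role window prevails" rule from Bob's post and the sample dates are assumptions constructed for the example.

```python
"""Model of how role-level time restrictions narrow a search's time range.
Added illustration based on the thread's descriptions, not Splunk internals."""
from datetime import datetime, timedelta

ALL_TIME = -1  # "Restrict search time range" default: no relative limit


def ts(day):
    """Parse a constructed YYYY-MM-DD sample date into a naive datetime."""
    return datetime.strptime(day, "%Y-%m-%d")


def effective_window(role_windows):
    """Combine per-role windows (seconds, -1 = unlimited). Per the thread,
    the longest prevails, so one unlimited role removes the limit entirely."""
    if any(w == ALL_TIME for w in role_windows):
        return ALL_TIME
    return max(role_windows)


def relative_restriction(picker_earliest, now, role_windows):
    """Relative window: the search can never reach further back than
    now - window, but a picker that is already narrower is honoured."""
    window = effective_window(role_windows)
    if window == ALL_TIME:
        return picker_earliest
    floor = now - timedelta(seconds=window)
    return max(picker_earliest, floor)


def filter_replacement(picker_earliest, filter_earliest):
    """Time modifier in the role's search filter: overrides the picker
    completely (the "timerange changed" behaviour reported above), so a
    narrower picker selection is lost."""
    return filter_earliest


def absolute_floor(picker_earliest, floor):
    """What the original poster asked for: an absolute cutoff intersected
    with the picker, which neither built-in restriction provides directly."""
    return max(picker_earliest, floor)
```

The relative window of 2592000 seconds only matches an absolute September 1st cutoff on October 1st; on any later day it drifts forward, which is why it cannot express the fixed date the question asks for.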

Ant1D
Motivator

Instead of using starttime and timeformat, you can always use starttimeu or earliest. Additionally, it may be best to not use this via role-based search restrictions but instead to use it within a HiddenSearch module for a view.

0 Karma

Ant1D
Motivator

Thanks, Kristian. The the_restricted_index solution above works as long as you don't have any other indexes with the same type of events in them. I guess you can always easily exclude those. This may not be efficient because I believe it will look through all of your indexes, BUT it works!

0 Karma

kristian_kolb
Ultra Champion

Yes they will be restricted to that index. Have not really played around with it, but you might try with something like

((index=the_restricted_index starttime=xxx timeformat=yyy) OR (index!=the_restricted_index))

in the search restrictions. This works when doing it manually anyway.

By the way, it seems timeformat requires a full specification including hours, minutes, etc. The error messages will guide you on that one.

Ant1D
Motivator

Actually, I'm thinking that specifying a particular index will mean that the role will not be able to execute searches on other indexes?

0 Karma

Ant1D
Motivator

This is an interesting solution. It's good that you can place restrictions by user but I believe this will affect all indexes which wouldn't be right. I'm guessing that if I want this to work for a particular index, I would have to put index=the_index in front of the starttime?

0 Karma

kristian_kolb
Ultra Champion

see update above

0 Karma

Ant1D
Motivator

I hope that Splunk is working on this. Modifying the timerangepicker module is not ideal. Using the above example, I don't want to remove the 'Last 30 days' option because there will come a time where this option would be useful and would not return data before September 1st.

0 Karma

MuS
Legend

I agree with MarioM.
One fast and dirty thing that came up in my mind: put all data after 1st of September 2012 in a different index and grant the user read access to only this one.

0 Karma

MarioM
Motivator

I don't believe you can do that outside of modifying the timerangepicker module code... but let's see if someone has other ideas.

0 Karma