Hi,
I want to set a limit on how far back you can retrieve data from. E.g. I don't want users to see data before September 1st 2012 so if they choose 'Last 30 days' on the standard timerangepicker, it will not return data before September 1st 2012 although data exists for August 31st 2012.
Is there a way of achieving this behaviour?
Thanks in advance for your help.
I assume you could achieve something similar by adding search restrictions for the user role(s) in question. Go to Manager -> Access Controls -> Roles ->
In the top of the form there is a text box where you can input search restrictions, e.g.
earliest = -7d
For more information, see:
http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/SearchTimeModifiers
UPDATE:
For clarity, the "restrict search terms" is the textbox I'm referring to. By stating
starttime=2012-09-01 timeformat=%Y-%m-%d
you should achieve what you want. The user running the search may see the blue message bar with a "timerange changed" message, as time modifiers specified in the search query override the time picker settings.
Hope this helps,
Kristian
There is a better way.
Go in to Manager >> Access Controls >> Roles and edit your role.
There is a setting Restrict search time range this is set to -1 by default which means all time.
Changing it to any other number indicates how many seconds anyone with that role can search. Set it to 2592000 and they will only ever see 30 days data and will get no error messages.
If the user has multiple roles, then all roles should have this set as the longest duration will prevail.
Bob
Unfortunately that does not allow an absolute limit, just a relative one.
So far it is looking like the best available solution would be perhaps to modify the options available for the timerangepicker module.
Here is an earlier thread on doing a subsearch to pull out the "latest event time" and inserting that value into your search which you can then use to modify a custom time range.
http://splunk-base.splunk.com/answers/10157/custom-time-range-based-on-most-recent-event-time
I thought about your idea MuS. It's not a bad idea. I guess this could be done with summary indexing perhaps but this is an 'awkward' way of doing things. Plus there's lots of data coming into the index daily so if I use a different index to store the same data from September 1st then this has implications on storage because I now have 2 indexes being fed with the same source data.
When I use earliest=-1d in Restrict search terms and search for 1 hour, I still get 1 day. So it seems it does not intersect the time range, it replaces it. Is there a way to have the time become a restriction, and not a replacement?
Instead of using starttime and timeformat, you can always use starttimeu or earliest. Additionally it may be best to not use this via role-based search restrictions but instead to use it within a HiddenSearch module for a view.
Thanks Kristian. The the_restricted_index solution above works as long as you don't have any other indexes with the same type of events in them. I guess you can always easily exclude those. This may not be efficient because I believe it will look through all of your indexes BUT it works!
Yes they will be restricted to that index. Have not really played around with it, but you might try with something like
((index=the_restricted_index starttime=xxx timeformat=yyy) OR (index!=the_restricted_index))
in the search restrictions. This works when doing it manually anyway.
By the way, it seems timeformat requires a full specification incl hours, minutes etc. The error messages will guide you on that one.
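The role settings discussed in this thread, written as an authorize.conf stanza (an added example, not from the thread or from Splunk's documentation). The role name restricted_viewer is assumed; the index name the_restricted_index and the filter shape come from Kristian's reply, and the 2592000-second window from Bob's.

```ini
# authorize.conf (added example; role name "restricted_viewer" is assumed)
[role_restricted_viewer]

# Least privilege: only the index the date floor applies to is searchable
# and searched by default, so the floor cannot be bypassed via another index.
srchIndexesAllowed = the_restricted_index
srchIndexesDefault = the_restricted_index

# "Restrict search terms" in the UI. Absolute floor: events from the
# restricted index must be on or after 1 Sep 2012; any other index a role
# later allows is left untouched. Splunk's default time format is
# %m/%d/%Y:%H:%M:%S, which satisfies the full specification the thread
# says timeformat/earliest values need.
srchFilter = (index=the_restricted_index earliest="09/01/2012:00:00:00") OR (index!=the_restricted_index)

# "Restrict search time range" in the UI, in seconds (-1 = all time).
# Relative cap of 30 days. With several roles per user the longest
# window wins, so set it on every role the user holds.
srchTimeWin = 2592000
```

As reported later in the thread, a time modifier in the role filter replaces the time picker's earliest rather than intersecting with it, so verify the effective time range with a test user (the Job Inspector shows the earliest/latest actually used) before relying on this as an access control.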
Actually, I'm thinking that specifying a particular index will mean that the role will not be able to execute searches on other indexes?
This is an interesting solution. It's good that you can place restrictions by user but I believe this will affect all indexes which wouldn't be right. I'm guessing that if I want this to work for a particular index, I would have to put index=the_index in front of the starttime?
see update above
I hope that Splunk is working on this. Modifying the timerangepicker module is not ideal. Using the above example, I don't want to remove the 'Last 30 days' option because there will come a time where this option would be useful and would not return data before September 1st.
I agree with MarioM.
One fast and dirty thing that came up in my mind, put all data after 1st of September 2012 in a different index and grant the user read access to only this one.......
I don't believe you can do that outside modifying the timerangepicker module code... but let's see if someone has other ideas.