How would I restrict search time range for specific indexes?

New Member

I would like to restrict searches for the majority of users on most of our indexes to a period that keeps from dipping into our cold data using the 'Restrict search time range' role property. However, how could I implement this in a way where I restrict on index1, index2, and index3, but still allow users with that role to view data over longer duration from our summary index?


Path Finder

Unfortunately the srchTimeWin setting is on a per-role basis, not a per-index basis. You give your roles access to a set of indexes; you give them a srchTimeWin; and then they can access all of those indexes as far back as that srchTimeWin allows.

The only ways I can think of to do what you want would be ugly hacks. Example (I'm not 100% sure this will even work--it is unsupported, has unpredictable behavior, and if it goes wrong, it'll go really wrong. But I'm putting it here in the hope it'll spur other ideas):
- Assume your indexers are running in Linux
- Create three indexes: foo, bar, and baz
- Foo will be the index that admins access to get at all the data. Bar will be the index that users access to get the hotwarm data. Baz will be the summary index.
- Send all the new data to foo. Never send any data to bar. Set the index settings for bar to never expire or move any data--just have an unlimited size hotwarm.
- Stop Splunk. Delete the baz hotwarm directory (likely located in $SPLUNK_HOME/var/lib). Recreate that directory as a soft link to the foo hotwarm directory.
- Start Splunk
- Give users permission to search bar and baz, not foo. Give admins permission to search foo and baz, not bar (at least not by default). Give users permission to search any time window.
- Resulting behavior: Users can search any index as far back as they want. Splunk will see bar as being a full index (hotwarm only) made from the data in foo, but won't see that it has any data in cold storage.
- The big problems here are the risk that Splunk double-maintains the foo/bar hotwarm data in a way that breaks, as well as the difficulty of managing these duplicate indexes.

Depending on how often you need to search the cold data, another (supported!) option is to freeze all the data that would have hit cold and then thaw it whenever you need to. You can keep the frozen data on disk just like the cold so that it's fast and easy to thaw when you need it.

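The freeze-and-thaw option from the answer above, as an added example that is not part of the thread: a small admin script that picks the frozen buckets overlapping a requested time range and thaws them. It assumes the index's indexes.conf sets coldToFrozenDir to a local path so frozen buckets stay on disk, that frozen bucket directories keep Splunk's db_<latest>_<earliest>_<id> naming (epoch seconds), and that the Splunk CLI lives at /opt/splunk/bin/splunk; every path and bucket name below is a placeholder or constructed test data.

```python
"""Select and thaw frozen Splunk buckets for a requested time range.

Added example, not from the original thread. Assumptions:
  - indexes.conf sets coldToFrozenDir for the index, so frozen buckets
    remain on local disk instead of being deleted.
  - Frozen bucket directories keep the db_<latest>_<earliest>_<id> name
    (epoch seconds), which is what this script parses.
  - The Splunk CLI is at /opt/splunk/bin/splunk (placeholder path).
"""
import os
import re
import shutil
import subprocess
from datetime import datetime, timezone

# db_<latest>_<earliest>_<id>; replicated buckets use the rb_ prefix.
BUCKET_RE = re.compile(r"^(?:db|rb)_(\d+)_(\d+)_(\d+)$")


def parse_bucket(name):
    """Return (earliest, latest) epoch seconds for a bucket dir name, or None."""
    m = BUCKET_RE.match(name)
    if not m:
        return None
    latest, earliest = int(m.group(1)), int(m.group(2))
    return earliest, latest


def to_epoch(date_str):
    """Convert a YYYY-MM-DD date (treated as UTC midnight) to epoch seconds."""
    dt = datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def select_buckets(names, earliest, latest):
    """Return bucket names whose event span overlaps [earliest, latest]."""
    chosen = []
    for n in names:
        span = parse_bucket(n)
        if span is None:  # not a bucket directory (hot_*, stray files, ...)
            continue
        b_earliest, b_latest = span
        if b_latest >= earliest and b_earliest <= latest:
            chosen.append(n)
    return sorted(chosen)


def thaw(frozen_dir, thawed_dir, earliest, latest,
         splunk_bin="/opt/splunk/bin/splunk", dry_run=True):
    """Copy matching frozen buckets into thaweddb and run 'splunk rebuild'.

    Returns the list of (src, dst) pairs it selected. With dry_run=True
    nothing is copied, so you can review the selection first.
    """
    names = select_buckets(os.listdir(frozen_dir), earliest, latest)
    actions = []
    for n in names:
        src, dst = os.path.join(frozen_dir, n), os.path.join(thawed_dir, n)
        actions.append((src, dst))
        if dry_run or os.path.exists(dst):
            continue
        shutil.copytree(src, dst)
        # Frozen buckets keep rawdata only; rebuild recreates the index files.
        subprocess.run([splunk_bin, "rebuild", dst], check=True)
    return actions


if __name__ == "__main__":
    # Placeholder paths: adjust to your index and coldToFrozenDir.
    for src, dst in thaw("/data/frozen/index1",
                         "/opt/splunk/var/lib/splunk/index1/thaweddb",
                         to_epoch("2023-07-01"), to_epoch("2023-07-31")):
        print(f"would thaw {src} -> {dst}")
```

After the rebuild, restart Splunk so the thawed buckets become searchable. Thawed data is not aged out by the index's retention settings, so remove the buckets from thaweddb yourself once the investigation is done.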


@jonmargulies @jprose Agree it could potentially work, and agree wholeheartedly that it is ugly. What about this thought...

What about having two roles: a general role with a time restriction on the regular indexes and the summary indexes, and a second one with unrestricted time but only on the summary indexes? As I understand it, the users with both roles would get the greater of the two access rights.

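The two-role idea above, modelled as an added example that is not part of the thread. It reads a constructed authorize.conf and computes what a user holding both roles can search and how far back, under two rules: the first answer's point that srchTimeWin is a per-role value covering every index the role can search, and the second reply's assumption that a user with several roles gets the least restrictive window. The second rule is an assumption the script makes explicit, not something verified here; the role names, index names and window values are placeholders. Values follow authorize.conf conventions (srchTimeWin in seconds, 0 = unlimited, -1 = unset).

```python
"""Model index access and search time windows for Splunk roles.

Added example, not from the original thread. Rules applied:
  1. srchTimeWin is per role and applies to every index the role can
     search (stated in the first answer); it cannot be scoped per index.
  2. A user holding several roles gets the least restrictive window among
     them (the second reply's assumption; verify it against the
     authorize.conf spec for your version and with a test search).
authorize.conf conventions: srchTimeWin in seconds, 0 = unlimited,
-1 = unset. All names and values below are constructed placeholders.
"""
import configparser

# Constructed authorize.conf fragment with the two roles the reply proposes.
CONSTRUCTED_AUTHORIZE_CONF = """
[role_general]
srchIndexesAllowed = index1;index2;index3;summary
srchTimeWin = 7776000

[role_summary_long]
srchIndexesAllowed = summary
srchTimeWin = 0
"""

UNLIMITED = 0
UNSET = -1


def load_roles(text):
    """Parse [role_<name>] stanzas into {name: {"indexes": set, "window": int}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        allowed = cp.get(section, "srchIndexesAllowed", fallback="")
        window = cp.getint(section, "srchTimeWin", fallback=UNSET)
        roles[section[len("role_"):]] = {
            "indexes": {i.strip() for i in allowed.split(";") if i.strip()},
            "window": window,
        }
    return roles


def merge_window(windows):
    """Rule 2: least restrictive window wins; unset (-1) values are ignored."""
    set_windows = [w for w in windows if w != UNSET]
    if not set_windows:
        return UNSET
    if UNLIMITED in set_windows:
        return UNLIMITED
    return max(set_windows)


def describe_window(window):
    """Human-readable form of a srchTimeWin value."""
    if window == UNLIMITED:
        return "unlimited"
    if window == UNSET:
        return "unset"
    if window % 86400 == 0:
        return f"{window // 86400} days"
    return f"{window} seconds"


def effective_access(roles, user_roles):
    """Return {index: window_seconds} for a user holding user_roles.

    Rule 1 means the merged window is attached to every reachable index,
    so there is no way to express 'unlimited on summary only'.
    """
    indexes = set()
    windows = []
    for r in user_roles:
        indexes |= roles[r]["indexes"]
        windows.append(roles[r]["window"])
    window = merge_window(windows)
    return {i: window for i in sorted(indexes)}


if __name__ == "__main__":
    roles = load_roles(CONSTRUCTED_AUTHORIZE_CONF)
    for held in (["general"], ["general", "summary_long"]):
        print(f"roles {held}:")
        for index, window in effective_access(roles, held).items():
            print(f"  {index}: {describe_window(window)}")
```

Run it and compare the two outputs: under these rules the unlimited window granted for the summary index is also what index1 through index3 end up with for a user holding both roles, which is the per-index problem the first answer describes. Before relying on either rule in production, confirm the real behaviour by checking the role settings with `| rest /services/authorization/roles` and by running a search as a test user with an `earliest=` value older than the general role's window.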