Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Restrict User Search Period

IRHM73
Motivator
‎02-14-2016 11:06 PM

Hi, I wonder whether someone could help me please.

I know that I can restrict a users 'search period' by changing the 'Restrict search time range' in the role settings, in my case 90 days.

But I just wonder whether someone may be able to confirm for please whether the 90 days is 90 days prior to the date the search is performed i.e if the search was performed today it would be 90 prior which is 17 November 2015, or whether this restricts the user to extracting the data in 90 days chunks e.g. 1 November 2015 to 1 February 2016.

Many thanks and kind regards

Chris

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎02-14-2016 11:38 PM

Hello Chris,

As mentioned in DOC Restrict search time range: specify over how large of a window of time this role can search. It sets a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. So it depends on the recent time user mentions subtracted by 90 days. So its basically making sure that user is not searching a large time range which might cause performance issues,

latest=now (Feb 15) - User will be able to search data till 17 Nov
latest=1st Feb - User will be able to search data till 02 Nov

Hope that clairifes

Happy Splunking!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎02-14-2016 11:38 PM

Hello Chris,

As mentioned in DOC Restrict search time range: specify over how large of a window of time this role can search. It sets a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. So it depends on the recent time user mentions subtracted by 90 days. So its basically making sure that user is not searching a large time range which might cause performance issues,

latest=now (Feb 15) - User will be able to search data till 17 Nov
latest=1st Feb - User will be able to search data till 02 Nov

Hope that clairifes

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎02-14-2016 11:48 PM

Hi @renjith.nair, thank you very much for coming back to me with this and forgive the dumb question, I blame it on an early start, so basically a user via a timepicker can select any date and always only be able to go back 90 days?

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎02-15-2016 12:25 AM

Hello Chris, the user can select any timerange but the events will be picked only from -90th day for normal searches like index=*.

To validate this,

  • Create a role with this restriction
  • Create a user and assign to this role
  • Select time range to last 6 months
  • Run the search index=*|stats earliest(_time) as _time

You will be able to see the earliest time as 17 Nov (if you haven't mentioned latest time and defaults to now)

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎02-15-2016 12:48 AM

Hi, right ok, I understand now.

Many thanks for the confirmation.

Kind Regards

Chris

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...