Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Security
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Splunk User search limit
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spl_unker
Explorer
02-17-2020
03:47 AM
Is it possible to restrict some of the user/roles from running searches for all time ?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
02-17-2020
03:57 AM
Yes,
You can create a new role and configure this new role with a restriction.
From the authorize.conf docs:
srchTimeWin = <number>
* Maximum time span of a search, in seconds.
* This time window limit is applied backwards from the latest time
specified in a search.
* By default, searches are not limited to any specific time window.
* To override any search time windows from imported roles, set this to '0'
(infinite), as the 'admin' role does.
* -1 is a special value that implies no search window has been set for this role
* This is equivalent to not setting srchTimeWin at all, which means it
can be easily overridden by an imported role
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Rolesandcapabilities
If my comment helps, please give it a thumbs up!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
02-17-2020
03:57 AM
Yes,
You can create a new role and configure this new role with a restriction.
From the authorize.conf docs:
srchTimeWin = <number>
* Maximum time span of a search, in seconds.
* This time window limit is applied backwards from the latest time
specified in a search.
* By default, searches are not limited to any specific time window.
* To override any search time windows from imported roles, set this to '0'
(infinite), as the 'admin' role does.
* -1 is a special value that implies no search window has been set for this role
* This is equivalent to not setting srchTimeWin at all, which means it
can be easily overridden by an imported role
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Rolesandcapabilities
If my comment helps, please give it a thumbs up!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spl_unker
Explorer
02-17-2020
06:04 AM
Thank you @nickhillscpl it worked 🙂
Get Updates on the Splunk Community!
Data-Driven Success: Splunk & Financial Services
Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...
Video | Welcome Back to Smartness, Pedro
Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...
Detector Best Practices: Static Thresholds
Introduction
In observability monitoring, static thresholds are used to monitor fixed, known values within ...
