Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Security
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Re: Splunk User search limit
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spl_unker
Explorer
02-17-2020
03:47 AM
Is it possible to restrict some of the user/roles from running searches for all time ?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
02-17-2020
03:57 AM
Yes,
You can create a new role and configure this new role with a restriction.
From the authorize.conf docs:
srchTimeWin = <number>
* Maximum time span of a search, in seconds.
* This time window limit is applied backwards from the latest time
specified in a search.
* By default, searches are not limited to any specific time window.
* To override any search time windows from imported roles, set this to '0'
(infinite), as the 'admin' role does.
* -1 is a special value that implies no search window has been set for this role
* This is equivalent to not setting srchTimeWin at all, which means it
can be easily overridden by an imported role
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Rolesandcapabilities
If my comment helps, please give it a thumbs up!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
02-17-2020
03:57 AM
Yes,
You can create a new role and configure this new role with a restriction.
From the authorize.conf docs:
srchTimeWin = <number>
* Maximum time span of a search, in seconds.
* This time window limit is applied backwards from the latest time
specified in a search.
* By default, searches are not limited to any specific time window.
* To override any search time windows from imported roles, set this to '0'
(infinite), as the 'admin' role does.
* -1 is a special value that implies no search window has been set for this role
* This is equivalent to not setting srchTimeWin at all, which means it
can be easily overridden by an imported role
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Rolesandcapabilities
If my comment helps, please give it a thumbs up!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spl_unker
Explorer
02-17-2020
06:04 AM
Thank you @nickhillscpl it worked 🙂
Get Updates on the Splunk Community!
Splunk MCP & Agentic AI: Machine Data Without Limits
Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...
Finding Based Detections General Availability
Overview
We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...
Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience
Hands-On Learning and Technical Seminars
Sometimes, you just need to see the code. For those looking for a ...
