Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk User search limit

spl_unker
Explorer
‎02-17-2020 03:47 AM

Is it possible to restrict some of the user/roles from running searches for all time ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-17-2020 03:57 AM

Yes,

You can create a new role and configure this new role with a restriction.

From the authorize.conf docs:

srchTimeWin = <number>
* Maximum time span of a search, in seconds.
    * This time window limit is applied backwards from the latest time
      specified in a search.
* By default, searches are not limited to any specific time window.
* To override any search time windows from imported roles, set this to '0'
  (infinite), as the 'admin' role does.
* -1 is a special value that implies no search window has been set for this role
    * This is equivalent to not setting srchTimeWin at all, which means it
      can be easily overridden by an imported role

https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Rolesandcapabilities

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-17-2020 03:57 AM

Yes,

You can create a new role and configure this new role with a restriction.

From the authorize.conf docs:

srchTimeWin = <number>
* Maximum time span of a search, in seconds.
    * This time window limit is applied backwards from the latest time
      specified in a search.
* By default, searches are not limited to any specific time window.
* To override any search time windows from imported roles, set this to '0'
  (infinite), as the 'admin' role does.
* -1 is a special value that implies no search window has been set for this role
    * This is equivalent to not setting srchTimeWin at all, which means it
      can be easily overridden by an imported role

https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Rolesandcapabilities

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

spl_unker
Explorer
‎02-17-2020 06:04 AM

Thank you @nickhillscpl it worked 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...