Security

Splunk User search limit

Engager

Is it possible to restrict some of the user/roles from running searches for all time ?

0 Karma
1 Solution

Ultra Champion

Yes,

You can create a new role and configure this new role with a restriction.

From the authorize.conf docs:

srchTimeWin = <number>
* Maximum time span of a search, in seconds.
    * This time window limit is applied backwards from the latest time
      specified in a search.
* By default, searches are not limited to any specific time window.
* To override any search time windows from imported roles, set this to '0'
  (infinite), as the 'admin' role does.
* -1 is a special value that implies no search window has been set for this role
    * This is equivalent to not setting srchTimeWin at all, which means it
      can be easily overridden by an imported role

https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Rolesandcapabilities

View solution in original post

0 Karma

Ultra Champion

Yes,

You can create a new role and configure this new role with a restriction.

From the authorize.conf docs:

srchTimeWin = <number>
* Maximum time span of a search, in seconds.
    * This time window limit is applied backwards from the latest time
      specified in a search.
* By default, searches are not limited to any specific time window.
* To override any search time windows from imported roles, set this to '0'
  (infinite), as the 'admin' role does.
* -1 is a special value that implies no search window has been set for this role
    * This is equivalent to not setting srchTimeWin at all, which means it
      can be easily overridden by an imported role

https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Rolesandcapabilities

View solution in original post

0 Karma

Engager

Thank you @nickhillscpl it worked 🙂

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!