Security

Splunk User search limit

Engager

Is it possible to restrict some of the user/roles from running searches for all time ?

0 Karma
1 Solution

Ultra Champion

Yes,

You can create a new role and configure this new role with a restriction.

From the authorize.conf docs:

srchTimeWin = <number>
* Maximum time span of a search, in seconds.
    * This time window limit is applied backwards from the latest time
      specified in a search.
* By default, searches are not limited to any specific time window.
* To override any search time windows from imported roles, set this to '0'
  (infinite), as the 'admin' role does.
* -1 is a special value that implies no search window has been set for this role
    * This is equivalent to not setting srchTimeWin at all, which means it
      can be easily overridden by an imported role

https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Rolesandcapabilities

View solution in original post

0 Karma

Ultra Champion

Yes,

You can create a new role and configure this new role with a restriction.

From the authorize.conf docs:

srchTimeWin = <number>
* Maximum time span of a search, in seconds.
    * This time window limit is applied backwards from the latest time
      specified in a search.
* By default, searches are not limited to any specific time window.
* To override any search time windows from imported roles, set this to '0'
  (infinite), as the 'admin' role does.
* -1 is a special value that implies no search window has been set for this role
    * This is equivalent to not setting srchTimeWin at all, which means it
      can be easily overridden by an imported role

https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Rolesandcapabilities

View solution in original post

0 Karma

Engager

Thank you @nickhillscpl it worked 🙂

0 Karma