Solved: how to disable "ALL time" for user role

AzmathShaik · ‎05-02-2017

hello

i have created a customized role simple_user and assigned users to. i also wanted to disable "all time" option from search bar for the user in simple_user role.

can any one help me how to configure it?

hhGA · ‎05-03-2017

Hi,

Not exactly what you're after but you can set the maximum time window for a search using srchTimeWin = <time_in_seconds> in authorize.conf.

For example, if you didn't want anyone with the simple_user role to be able to search a timeframe over a year then you would add the following:

[role_simple_user] srchTimeWin = 31536000

Note that the stanza title is in the format role_<role_name>.

Hope this helps.

View solution in original post

hhGA · ‎05-03-2017

Hi,

Not exactly what you're after but you can set the maximum time window for a search using srchTimeWin = <time_in_seconds> in authorize.conf.

For example, if you didn't want anyone with the simple_user role to be able to search a timeframe over a year then you would add the following:

[role_simple_user] srchTimeWin = 31536000

Note that the stanza title is in the format role_<role_name>.

Hope this helps.

AzmathShaik · ‎05-03-2017

Thanks your answer helped me.

but i don't want to show the option of All Time for users except ADMIN user. is it possible??

hhGA · ‎05-03-2017

You're welcome.

Unfortunately I am not aware of an configuration in Splunk that allows you to do that.

You can remove it from dashboards, but not from searches / reports.

how to disable "ALL time" for user role

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?