Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

To restrict searching on indexed data till a predefined timestamp

sajeeshpn
New Member
‎12-03-2018 08:45 AM

Hi,

Is there any configuration option/method in Splunk where we can restrict the searching on the indexed data (all indexes) only till a predefined timestamp. So that all the searches (including dashboards/reports) should be applied only to the data indexed till that predefined time and not afterward.

Hope for an answer soon.

Thanks,
Sajeesh

Tags (1)
0 Karma
Reply

sloshburch
Ultra Champion
‎12-10-2018 06:33 AM

Tell us more about the reason? Why is the normal time constraints insufficient?

Meanwhile, these fields might be what you're looking for:

  • _indextime: Similar to _time but relative to when the event was indexed rather than when the event occurred
  • _index_earliest: Specify the earliest _indextime for the time range of your search.
  • _index_latest: Specify the latest _indextime for the time range of your search.

Learn more:

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎12-09-2018 08:58 AM

One solution might be to add a calculated field that contains the date that you want it searchable til. Then, in your role definition, create a search restriction, where the current time is less than or equal to that field.

alt text

Preview file
57 KB
0 Karma
Reply

sajeeshpn
New Member
‎12-06-2018 10:25 PM

Anybody knows an answer for this?

Thanks,
Sajeesh

0 Karma
Reply

whrg
Motivator
‎12-07-2018 12:10 AM

This is probably not the answer you were looking for, but you have the option to "Restrict search time range" on a per role basis:
"Set a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. You can also set this to '0' to explicitly make the window infinite, or '-1' to unset the window for this role (can be overridden by imported roles)."

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...