Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

To restrict searching on indexed data till a predefined timestamp

sajeeshpn
New Member
‎12-03-2018 08:45 AM

Hi,

Is there any configuration option/method in Splunk where we can restrict the searching on the indexed data (all indexes) only till a predefined timestamp. So that all the searches (including dashboards/reports) should be applied only to the data indexed till that predefined time and not afterward.

Hope for an answer soon.

Thanks,
Sajeesh

Tags (1)
0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎12-10-2018 06:33 AM

Tell us more about the reason? Why is the normal time constraints insufficient?

Meanwhile, these fields might be what you're looking for:

  • _indextime: Similar to _time but relative to when the event was indexed rather than when the event occurred
  • _index_earliest: Specify the earliest _indextime for the time range of your search.
  • _index_latest: Specify the latest _indextime for the time range of your search.

Learn more:

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎12-09-2018 08:58 AM

One solution might be to add a calculated field that contains the date that you want it searchable til. Then, in your role definition, create a search restriction, where the current time is less than or equal to that field.

alt text

Preview file
57 KB
0 Karma
Reply

sajeeshpn
New Member
‎12-06-2018 10:25 PM

Anybody knows an answer for this?

Thanks,
Sajeesh

0 Karma
Reply

whrg
Motivator
‎12-07-2018 12:10 AM

This is probably not the answer you were looking for, but you have the option to "Restrict search time range" on a per role basis:
"Set a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. You can also set this to '0' to explicitly make the window infinite, or '-1' to unset the window for this role (can be overridden by imported roles)."

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...