Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

To restrict searching on indexed data till a predefined timestamp

sajeeshpn
New Member
‎12-03-2018 08:45 AM

Hi,

Is there any configuration option/method in Splunk where we can restrict the searching on the indexed data (all indexes) only till a predefined timestamp. So that all the searches (including dashboards/reports) should be applied only to the data indexed till that predefined time and not afterward.

Hope for an answer soon.

Thanks,
Sajeesh

Tags (1)
0 Karma
Reply

sloshburch
Ultra Champion
‎12-10-2018 06:33 AM

Tell us more about the reason? Why is the normal time constraints insufficient?

Meanwhile, these fields might be what you're looking for:

  • _indextime: Similar to _time but relative to when the event was indexed rather than when the event occurred
  • _index_earliest: Specify the earliest _indextime for the time range of your search.
  • _index_latest: Specify the latest _indextime for the time range of your search.

Learn more:

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎12-09-2018 08:58 AM

One solution might be to add a calculated field that contains the date that you want it searchable til. Then, in your role definition, create a search restriction, where the current time is less than or equal to that field.

alt text

Preview file
57 KB
0 Karma
Reply

sajeeshpn
New Member
‎12-06-2018 10:25 PM

Anybody knows an answer for this?

Thanks,
Sajeesh

0 Karma
Reply

whrg
Motivator
‎12-07-2018 12:10 AM

This is probably not the answer you were looking for, but you have the option to "Restrict search time range" on a per role basis:
"Set a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. You can also set this to '0' to explicitly make the window infinite, or '-1' to unset the window for this role (can be overridden by imported roles)."

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...