Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

To restrict searching on indexed data till a predefined timestamp

sajeeshpn
New Member
‎12-03-2018 08:45 AM

Hi,

Is there any configuration option/method in Splunk where we can restrict the searching on the indexed data (all indexes) only till a predefined timestamp. So that all the searches (including dashboards/reports) should be applied only to the data indexed till that predefined time and not afterward.

Hope for an answer soon.

Thanks,
Sajeesh

Tags (1)
0 Karma
Reply

sloshburch
Ultra Champion
‎12-10-2018 06:33 AM

Tell us more about the reason? Why is the normal time constraints insufficient?

Meanwhile, these fields might be what you're looking for:

  • _indextime: Similar to _time but relative to when the event was indexed rather than when the event occurred
  • _index_earliest: Specify the earliest _indextime for the time range of your search.
  • _index_latest: Specify the latest _indextime for the time range of your search.

Learn more:

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎12-09-2018 08:58 AM

One solution might be to add a calculated field that contains the date that you want it searchable til. Then, in your role definition, create a search restriction, where the current time is less than or equal to that field.

alt text

Preview file
57 KB
0 Karma
Reply

sajeeshpn
New Member
‎12-06-2018 10:25 PM

Anybody knows an answer for this?

Thanks,
Sajeesh

0 Karma
Reply

whrg
Motivator
‎12-07-2018 12:10 AM

This is probably not the answer you were looking for, but you have the option to "Restrict search time range" on a per role basis:
"Set a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. You can also set this to '0' to explicitly make the window infinite, or '-1' to unset the window for this role (can be overridden by imported roles)."

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...