I'm trying to create a workload management rule to prevent users from searching with "All Time".
After researching, it seems that best practice would be to not run "All Time" searches as they produce long run times and use more memory/cpu.
Are there any types of searches, users or otherwise exceptions that should be allowed to use "All Time"?
Preventing all time is a good idea because it effectively stops the time picker option from being used, so will stop less familiar users from making poor searches.
As 'All Time' sets earliest=0, if someone wants to do 'all time', it's still technically possible, as you can just search 'last 10 years' or something similar, e.g. earliest=10, which is almost all time, but not quite, so those who "know" can get around it.
Hi,
One option is to use authorize.conf with the following values:
srchTimeWin = <integer>
* Maximum time range, in seconds, of a search.
* The Splunk platform applies this search time range limit backwards from the
latest time specified for a search.
* If a user has multiple roles with distinct search time range limits, or has
roles that inherit from roles with distinct search time range limits,
the Splunk platform applies the least restrictive search time range limits to
the role.
* For example, if user X has role A (srchTimeWin = 30s), role B (srchTimeWin
= 60s), and role C (srchTimeWin = 3600s), user X gets a maximum search time
range of 1 hour.
* When set to '-1', the role does not have a search time range limit. This
value can be overridden by the maximum search time range value of an inherited
role.
* When set to '0' (infinite), the role does not have a search time range limit.
This value cannot be overridden by the maximum search time range value of an
inherited role.
* This setting does not apply to real-time searches.
* Default: -1
srchTimeEarliest = <integer>
* The earliest event time that can be searched, in seconds before the current
wall clock time.
* If a user is a member of a role with a 'srchTimeEarliest' limit, or a role
that inherits from other roles with 'srchTimeEarliest' limits, the Splunk
platform applies the least restrictive time limit from the roles to the user.
* For example, if a user is a member of role A (srchTimeEarliest = 86400),
and inherits role B (srchTimeEarliest = 3600) and role C
(srchTimeEarliest = -1 (default)), the user gets an effective earliest time
limit of 1 day (86400 seconds) ago.
* When set to '-1', the role does not have an earliest time limit. This
value can be overridden by the earliest time value of an inherited role.
* When set to '0' (infinite), the role does not have an earliest time limit.
This value cannot be overridden by the earliest time limit value of an
inherited role.
* This setting does not apply to real-time searches.
* Default: -1
With those you can define the earliest time and also the search span. Just create a separate role, like your normal user role, and assign it to the users to whom you want to apply these restrictions.
r. Ismo
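The answer above quotes the resolution rules from authorize.conf.spec (least restrictive limit across roles, -1 overridable by inherited roles, 0 not overridable) but does not show how they combine once a user holds several roles with importRoles chains. The following added example (written for this thread, not Splunk's own code) parses a constructed authorize.conf fragment and resolves the effective srchTimeEarliest/srchTimeWin a user ends up with, then checks whether an "All Time" search (earliest=0) or a "last 10 years" search fits inside that limit. The role names, the values and the sample conf are invented; the reading of the -1/0 rules is my interpretation of the spec text quoted above, and search_allowed() only illustrates the check conceptually (whether the platform rejects or clamps an out-of-range earliest is not stated on this page).

```python
"""Resolve the effective srchTimeEarliest / srchTimeWin for a Splunk user
holding several roles, following the rules quoted from authorize.conf.spec.
Example code for this thread; not part of Splunk."""
import configparser
from typing import Dict, List, Optional

# Constructed sample authorize.conf (hypothetical roles, not a real deployment).
# 'restricted' imports 'user' and caps searches at 90 days back / 30-day span.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchTimeEarliest = -1
srchTimeWin = -1

[role_power]
importRoles = user
srchTimeEarliest = 2592000
srchTimeWin = 604800

[role_restricted]
importRoles = user
srchTimeEarliest = 7776000
srchTimeWin = 2592000

[role_unlimited]
importRoles = restricted
srchTimeEarliest = 0
srchTimeWin = 0
"""


def load_roles(text: str) -> Dict[str, dict]:
    """Parse [role_<name>] stanzas into a dict keyed by role name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep camelCase keys such as srchTimeEarliest
    cp.read_string(text)
    roles: Dict[str, dict] = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        name = section[len("role_"):]
        raw_imports = cp.get(section, "importRoles", fallback="")
        roles[name] = {
            # importRoles is a semicolon-separated list in authorize.conf
            "importRoles": [r.strip() for r in raw_imports.split(";") if r.strip()],
            "srchTimeEarliest": cp.getint(section, "srchTimeEarliest", fallback=-1),
            "srchTimeWin": cp.getint(section, "srchTimeWin", fallback=-1),
        }
    return roles


def _closure(roles: Dict[str, dict], start: List[str]) -> List[str]:
    """All roles reachable from the user's roles via importRoles (cycle-safe)."""
    seen: List[str] = []
    stack = list(start)
    while stack:
        r = stack.pop()
        if r in seen or r not in roles:
            continue
        seen.append(r)
        stack.extend(roles[r]["importRoles"])
    return seen


def effective_limit(roles: Dict[str, dict], user_roles: List[str], setting: str) -> Optional[int]:
    """Effective limit in seconds, or None meaning 'no limit'.

    Interpretation of the spec text (assumption, see lead-in):
      -1 : the role sets no limit of its own; an inherited role's limit applies
       0 : infinite, and an inherited role's limit does not override it
      >0 : a limit; across all roles the least restrictive (largest) one wins
    """
    values = [roles[r][setting] for r in _closure(roles, user_roles)]
    if 0 in values:
        return None
    positives = [v for v in values if v > 0]
    return max(positives) if positives else None


def search_allowed(roles: Dict[str, dict], user_roles: List[str],
                   earliest_seconds_ago: Optional[int]) -> bool:
    """Conceptual check of a requested earliest against srchTimeEarliest.
    earliest_seconds_ago=None models the 'All Time' picker (earliest=0)."""
    limit = effective_limit(roles, user_roles, "srchTimeEarliest")
    if limit is None:
        return True
    if earliest_seconds_ago is None:
        return False
    return earliest_seconds_ago <= limit


if __name__ == "__main__":
    roles = load_roles(SAMPLE_AUTHORIZE_CONF)
    ten_years = 10 * 365 * 86400
    for user in (["user"], ["restricted"], ["power", "restricted"], ["unlimited"]):
        print(user, "earliest limit:", effective_limit(roles, user, "srchTimeEarliest"),
              "| All Time allowed:", search_allowed(roles, user, None),
              "| last 10y allowed:", search_allowed(roles, user, ten_years))
```

Note the practical consequence for the question: with a srchTimeEarliest of 90 days, both the "All Time" picker and the "earliest=-10y" workaround mentioned earlier fall outside the limit, whereas a user whose roles all leave the value at -1 is unrestricted, so the role that ordinary users actually get must set a positive value rather than relying on a parent role.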