- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to control search duration of users
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to control search duration of users
Hello Splunkers,
I want to put restrictions on the seach time period , right now one user can search for as long as they like..Now i want retrictions on it, lets say 30 min...eg he can search for longer time periods say for 3 months data but his search time shouldn't exceed beyond 30 min.
Where should i make this change
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also be aware of an entirely new feature in Splunk v7.2 called Workload Management:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Workloads/Aboutworkloadmanagement
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
An hadoop-like approach...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would say that if users consistently have searches that run for over 30 minutes, you have other issues to address in the platform.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I sugest to use srchTimeWin parameter of authorize.conf which defines per role the maximum time span in seconds allowed for a search executed by a user in this role.
Source : https://docs.splunk.com/Documentation/Splunk/7.2.3/Security/Addandeditroleswithauthorizeconf
Christian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @cmahieu ..if my query discontinue after lets say 30 min then will i get latest or earliest events ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I would say to use srchTimeWin parameter of authorize.conf if your request is for Splunk Enterprise
See :https://docs.splunk.com/Documentation/Splunk/7.2.3/Security/Addandeditroleswithauthorizeconf
The answer of @pkarpushin seems to be for ITSI.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ramprakash ,
You should configure srchMaxTime param for the group your user belongs to.
Like:
[user_group]
srchMaxTime = 30m
This parameter is described in https://docs.splunk.com/Documentation/ITSI/4.1.1/Configure/authorize.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Should srchMaxTime work with data models and tstats? See my question at: https://answers.splunk.com/answers/738545/trying-to-limit-search-duration-with-srchtimewin-a.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks pkarpushin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ramprakash set the TTL values as per your needs: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#TTL
| makeresults | eval message= "Happy Splunking!!!"
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
