Splunk Search

How to control search duration of users

ramprakash
Explorer

Hello Splunkers,

I want to put restrictions on the seach time period , right now one user can search for as long as they like..Now i want retrictions on it, lets say 30 min...eg he can search for longer time periods say for 3 months data but his search time shouldn't exceed beyond 30 min.

Where should i make this change

Tags (3)
0 Karma

woodcock
Esteemed Legend

Also be aware of an entirely new feature in Splunk v7.2 called Workload Management:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Workloads/Aboutworkloadmanagement

0 Karma

ddrillic
Ultra Champion

An hadoop-like approach...

0 Karma

ddrillic
Ultra Champion

I would say that if users consistently have searches that run for over 30 minutes, you have other issues to address in the platform.

0 Karma

cmahieu
New Member

Hi,

I sugest to use srchTimeWin parameter of authorize.conf which defines per role the maximum time span in seconds allowed for a search executed by a user in this role.

Source : https://docs.splunk.com/Documentation/Splunk/7.2.3/Security/Addandeditroleswithauthorizeconf

Christian

0 Karma

ramprakash
Explorer

Thanks @cmahieu ..if my query discontinue after lets say 30 min then will i get latest or earliest events ?

0 Karma

cmahieu
New Member

Hi,

I would say to use srchTimeWin parameter of authorize.conf if your request is for Splunk Enterprise

See :https://docs.splunk.com/Documentation/Splunk/7.2.3/Security/Addandeditroleswithauthorizeconf

The answer of @pkarpushin seems to be for ITSI.

0 Karma

pkarpushin
Path Finder

Hi @ramprakash ,
You should configure srchMaxTime param for the group your user belongs to.
Like:

[user_group]
srchMaxTime = 30m

This parameter is described in https://docs.splunk.com/Documentation/ITSI/4.1.1/Configure/authorize.conf

0 Karma

simpkins1958
Contributor

Should srchMaxTime work with data models and tstats? See my question at: https://answers.splunk.com/answers/738545/trying-to-limit-search-duration-with-srchtimewin-a.html

0 Karma

ramprakash
Explorer

Thanks pkarpushin

0 Karma

niketn
Legend

@ramprakash set the TTL values as per your needs: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#TTL

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...