Yes, srchMaxTime in authorize.conf for the role you want to limit to.
srchMaxTime =
* Maximum amount of time that searches of users from this role will be
allowed to run.
* Once the search has been ran for this amount of time it will be auto
finalized, If the role
Yes, srchMaxTime in authorize.conf for the role you want to limit to.
srchMaxTime =
* Maximum amount of time that searches of users from this role will be
allowed to run.
* Once the search has been ran for this amount of time it will be auto
finalized, If the role
This answer is correct but do keep in mind that it's subtle when a scheduled search is auto-finalized (time limited), the GUI (at least in Splunk 7.0.x) doesn't make it super-obvious that a search has been auto-finalized.
You can see it via the gap in the timeline and also if you check the inspect job button or the info messages...in a scheduled search it is hidden within files in the dispatch directory so it's even less obvious that the auto-finalization occurred.
Bingo. So you very much introduce a situation where a user may think the search is complete and draw conclusions from the result but in reality the data set is incomplete. This is esp hard if on a dashboard.
