Is there a way to pre-set the earliest event of a ...

DATEVeG · ‎01-20-2020

Hello Splunk Community,

in order to honour privacy policies we need to limit the searches of most users/roles of an index to events younger than seven days. In cases of an emergency we want to empower an user/role to search without restriction for the full retention period of the index.
Is there any way to implement this without indexing the data twice in seperate indexes?

Thanks in advance for your help!

Regards,
Jens Wunder

DATEVeG · ‎01-21-2020

Hi Giuseppe,
thanks for the quick reply!
The way I interpret the info about the search time window limit it seems to restrict the relative maximum time range a search can have but not how far a user can go into the past.
The suggested role restriction would affect searches in all indexes. I found a suggestion which kind of goes in the same direction (https://answers.splunk.com/answers/57684/limit-how-far-back-you-can-retrieve-data-regardless-of-time...), but that also comes with severe side effects.

Regards,
Jens

gcusello · ‎01-20-2020

Hi @DATEVeG,
I didn't configured a limit like this, but you should try in two ways:
[Settings -- Roles -- your_role -- Resources -- Role search time window limit] I don't know if it's a limit to the Time Windows ao to the time period to search.

Otherwise you could put a restriction to a role [Settings -- Roles -- your_role -- Resources -- Restrictions -- SPL Search filter] inserting a restriction like index=* earliest=-7d@d.

Ciao.
Giuseppe

Is there a way to pre-set the earliest event of a search for a user?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7