Limit Users search

ramprakash
Explorer

Hi everyone. I want to put restrictions on users' searches, as presently users can search for as long as they like. This could result in users executing searches for many hours.

I tried to change this setting in the Roles area, but it is not working even after starting Splunk.

Restrict Search time range

Set a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. You can also set this to '0' to explicitly make the window infinite, or '-1' to unset the window for this role (can be overridden by imported roles).

I put 30, which means 30 sec, and it is not working. Users can search beyond 30 sec. Can someone help?

0 Karma
1 Solution

vishaltaneja070
Motivator

Hello @ramprakash

I have tried this setting and it is working perfectly. Are you inheriting any roles like user or power? These roles will override this setting, as mentioned above.

Create a role, add just the search capability and Restrict Search time range, and try.

0 Karma

woodcock
Esteemed Legend

Also be aware of an entirely new feature in Splunk v7.2 called Workload Management:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Workloads/Aboutworkloadmanagement

0 Karma

ramprakash
Explorer

Okay, my Splunk version is 6.6.1

0 Karma

ramprakash
Explorer

Yes, you are correct, I am inheriting roles.

Could you please advise if I use 1800 in this field for all the roles? I don't want any user to search beyond 30 min.

0 Karma

vishaltaneja070
Motivator

@ramprakash

Yes, you can. I have tried up to 600 and that was working well.

0 Karma

ramprakash
Explorer

@vishaltaneja07011993 I created a separate user to test the functionality, but it is not working.

The problem is, if I query for logs between 25 and 28 Jan, I am only getting results for 28 Jan with these settings. I don't know why this is not reflecting correctly.

0 Karma

vishaltaneja070
Motivator

@ramprakash

What is the value you have entered in Restrict Search time range?

0 Karma

ramprakash
Explorer

1800......

0 Karma
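
Added example (not part of the thread and not Splunk's own code): a small Python model of the two behaviours discussed above, how a role's search time window combines with imported roles and how the window trims a search's time range. Role names, values and the merge rule (least restrictive value wins, 0 is infinite, -1 defers to imported roles) are assumptions modelled on the help text quoted in the question; check them against the documentation for your Splunk version.

```python
from datetime import datetime, timedelta

UNSET, INFINITE = -1, 0  # the two special values named in the setting's help text

# Constructed role table (hypothetical names and values):
# role -> (search time window in seconds, imported roles)
ROLES = {
    "user": (UNSET, []),
    "wide_analyst": (86400, ["user"]),
    "restricted": (1800, []),  # standalone role, as the accepted answer suggests
    "restricted_inheriting": (1800, ["wide_analyst"]),
}

def windows_for(role, roles, seen=None):
    """Collect the window of a role and of every role it imports, transitively."""
    seen = set() if seen is None else seen
    if role in seen:  # guard against import cycles
        return []
    seen.add(role)
    window, imports = roles[role]
    found = [window]
    for parent in imports:
        found.extend(windows_for(parent, roles, seen))
    return found

def effective_window(role, roles):
    """Assumed merge rule: the least restrictive value wins.
    Returns the window in seconds, or None when no limit applies."""
    found = windows_for(role, roles)
    if INFINITE in found:
        return None
    limits = [w for w in found if w > 0]
    return max(limits) if limits else None

def clamp_earliest(earliest, latest, window):
    """Apply the window backwards from the latest time given in the search."""
    if window is None:
        return earliest
    return max(earliest, latest - timedelta(seconds=window))

if __name__ == "__main__":
    earliest, latest = datetime(2019, 1, 25), datetime(2019, 1, 29)  # constructed range
    for role in ROLES:
        win = effective_window(role, ROLES)
        print(role, win, clamp_earliest(earliest, latest, win))
```

In this model a 1800-second window trims a search over 25 to 28 Jan to the last 30 minutes of that range, and an imported role with a wider window replaces the 1800-second limit.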