- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Limit Users search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Everyone...I want to put restrictions on users search as presently users can search for as long as they like. This could result in users executing searches for many hours.
I tried to change this setting in Roles area but it is not working even after starting splunk.
Restrict Search time range
Set a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. You can also set this to '0' to explicitly make the window infinite, or '-1' to unset the window for this role (can be overridden by imported roles).
I put 30 that means 30 sec and it is not working. Users can search beyond 30 sec. Can someone help ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @ramprakash
I have tried this setting and it working perfectly. are you inheriting any role like user, power as these role will override this setting as mentioned above.
create a role and just add search capability and Restrict Search time range and try.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also be aware of an entirely new feature in Splunk v7.2 called Workload Management:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Workloads/Aboutworkloadmanagement
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay my splunk version is 6.6.1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @ramprakash
I have tried this setting and it working perfectly. are you inheriting any role like user, power as these role will override this setting as mentioned above.
create a role and just add search capability and Restrict Search time range and try.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you are correct, i am inheriting roles.
Could you please suggest me if i use 1800 in this field for all the roles. I don`t want any user to search beyond 30 min.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ramprakash
yes you can I have tried till 600 that was working good.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vishaltaneja07011993 ..I created separate user to test the functionality but it is not working.
Problem is if i query for logs between 25 and 28 Jan. I am only getting results of 28 Jan with these settings. I don`t know why this is not reflecting correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ramprakash
What is the value you have mentioned in Restrict Search time range range?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1800......
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
