Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Limit Users search

ramprakash
Explorer
‎02-07-2019 01:33 AM

Hi Everyone...I want to put restrictions on users search as presently users can search for as long as they like. This could result in users executing searches for many hours.

I tried to change this setting in Roles area but it is not working even after starting splunk.

Restrict Search time range

Set a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. You can also set this to '0' to explicitly make the window infinite, or '-1' to unset the window for this role (can be overridden by imported roles).

I put 30 that means 30 sec and it is not working. Users can search beyond 30 sec. Can someone help ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vishaltaneja070
Motivator
‎02-07-2019 02:50 AM

Hello @ramprakash

I have tried this setting and it working perfectly. are you inheriting any role like user, power as these role will override this setting as mentioned above.

create a role and just add search capability and Restrict Search time range and try.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-07-2019 07:52 AM

Also be aware of an entirely new feature in Splunk v7.2 called Workload Management:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Workloads/Aboutworkloadmanagement

0 Karma
Reply
Solved! Jump to solution

ramprakash
Explorer
‎02-07-2019 11:58 PM

Okay my splunk version is 6.6.1

0 Karma
Reply
Solved! Jump to solution
Solution

vishaltaneja070
Motivator
‎02-07-2019 02:50 AM

Hello @ramprakash

I have tried this setting and it working perfectly. are you inheriting any role like user, power as these role will override this setting as mentioned above.

create a role and just add search capability and Restrict Search time range and try.

0 Karma
Reply
Solved! Jump to solution

ramprakash
Explorer
‎02-08-2019 12:05 AM

Yes you are correct, i am inheriting roles.

Could you please suggest me if i use 1800 in this field for all the roles. I don`t want any user to search beyond 30 min.

0 Karma
Reply
Solved! Jump to solution

vishaltaneja070
Motivator
‎02-08-2019 12:13 AM

@ramprakash

yes you can I have tried till 600 that was working good.

0 Karma
Reply
Solved! Jump to solution

ramprakash
Explorer
‎02-08-2019 04:42 AM

@vishaltaneja07011993 ..I created separate user to test the functionality but it is not working.

Problem is if i query for logs between 25 and 28 Jan. I am only getting results of 28 Jan with these settings. I don`t know why this is not reflecting correctly.

0 Karma
Reply
Solved! Jump to solution

vishaltaneja070
Motivator
‎02-08-2019 05:44 AM

@ramprakash

What is the value you have mentioned in Restrict Search time range range?

0 Karma
Reply
Solved! Jump to solution

ramprakash
Explorer
‎02-09-2019 09:00 AM

1800......

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...