Splunk Search

Limit users searches to a most recent time

_joe
Communicator

I am looking for a way to limit user searches to only the most recent 30 days, specifically for SmartStore purposes. 

For example, if you have smartStore, you want to restrict who can search old data. Otherwise, some run-away users could cause your indexers to dump recent data.

 

Configuring Roles / Resources / "Role search time window limit" does not do this because it designates a window rather than the the most recent time. A user could still search "-30d to -60d", then "60d to -90d", etc, which results in dumping your recent data. Also, this method fails quietly (if a user searches 31 days, they have to click "jobs" to find out their search was limited - that's not good!).

Configuring Roles / Restrictions / Adding "earliest = -30d" does not do this because it overwrites the UI completely (i.e. users can no longer search just the last 60 minutes). 

The closest I have come to controlling this is adding Roles / Restrictions  "_index_earliest = -30d" but you can still trigger smartStore downloads. 

I am asking this question believing there isn't currently an answer but I'd like to at least bring awareness. 

Labels (1)
0 Karma
1 Solution

gjanders
SplunkTrust
SplunkTrust

authorize.conf in 8.2:

srchTimeEarliest = <integer>
* The earliest event time that can be searched, in seconds before the current
  wall clock time.
* If a user is a member of a role with a 'srchTimeEarliest' limit, or a role 
  that inherits from other roles with 'srchTimeEarliest' limits, the Splunk 
  platform applies the least restrictive time limit from the roles to the user.
  * For example, if a user is a member of role A (srchTimeEarliest = 86400), 
    and inherits role B (srchTimeEarliest = 3600) and role C 
    (srchTimeEarliest = -1 (default)), the user gets an effective earliest time 
    limit of 1 day (86400 seconds) ago.
* When set to '-1', the role does not have a earliest time limit. This

I believe this came with 8.2.x, I know it's not possible in 8.0.x for example 

View solution in original post

gjanders
SplunkTrust
SplunkTrust

authorize.conf in 8.2:

srchTimeEarliest = <integer>
* The earliest event time that can be searched, in seconds before the current
  wall clock time.
* If a user is a member of a role with a 'srchTimeEarliest' limit, or a role 
  that inherits from other roles with 'srchTimeEarliest' limits, the Splunk 
  platform applies the least restrictive time limit from the roles to the user.
  * For example, if a user is a member of role A (srchTimeEarliest = 86400), 
    and inherits role B (srchTimeEarliest = 3600) and role C 
    (srchTimeEarliest = -1 (default)), the user gets an effective earliest time 
    limit of 1 day (86400 seconds) ago.
* When set to '-1', the role does not have a earliest time limit. This

I believe this came with 8.2.x, I know it's not possible in 8.0.x for example 

_joe
Communicator

I guess this is a good reason to upgrade to 8.2!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Perhaps the Workload Management admission rules can block queries from certain users that exceed 30 days.

---
If this reply helps you, Karma would be appreciated.
0 Karma

_joe
Communicator

I appreciate your statement and your time. This might be possible in the future with additional search_time_range values.

However, as I understand it, currently this isn't possible because the only filter value for search_time_range  is alltime. 

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2107/Admin/CreateWLMRules

 

search_time_rangeAn absolute time range during which the rule is valid. Currently supports the value alltime only.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Sorry about that.  It's been a while since I used that feature.  Consider suggesting a change at https://ideas.splunk.com

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...