I am looking for a way to limit user searches to only the most recent 30 days, specifically for SmartStore purposes.
For example, if you have smartStore, you want to restrict who can search old data. Otherwise, some run-away users could cause your indexers to dump recent data.
Configuring Roles / Resources / "Role search time window limit" does not do this because it designates a window rather than the most recent time. A user could still search "-30d to -60d", then "60d to -90d", etc, which results in dumping your recent data. Also, this method fails quietly (if a user searches 31 days, they have to click "jobs" to find out their search was limited - that's not good!).
Configuring Roles / Restrictions / Adding "earliest = -30d" does not do this because it overwrites the UI completely (i.e. users can no longer search just the last 60 minutes).
The closest I have come to controlling this is adding Roles / Restrictions "_index_earliest = -30d" but you can still trigger smartStore downloads.
I am asking this question believing there isn't currently an answer but I'd like to at least bring awareness.
authorize.conf in 8.2:
srchTimeEarliest = <integer>
* The earliest event time that can be searched, in seconds before the current wall clock time.
* If a user is a member of a role with a 'srchTimeEarliest' limit, or a role that inherits from other roles with 'srchTimeEarliest' limits, the Splunk platform applies the least restrictive time limit from the roles to the user.
* For example, if a user is a member of role A (srchTimeEarliest = 86400), and inherits role B (srchTimeEarliest = 3600) and role C (srchTimeEarliest = -1 (default)), the user gets an effective earliest time limit of 1 day (86400 seconds) ago.
* When set to '-1', the role does not have an earliest time limit. This
I believe this came with 8.2.x, I know it's not possible in 8.0.x for example
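As an added illustration (not code from the thread or from Splunk), a small Python model of how the inheritance rule in the quoted spec text resolves: it parses a constructed authorize.conf fragment (role names and values are made up) and returns the effective srchTimeEarliest for a role, treating -1 as "no limit set on this role" so that the spec's role A/B/C example yields 86400, and it reports whether a requested earliest time falls inside that limit.

```python
import configparser
from typing import Dict, List

# Constructed authorize.conf fragment mirroring the A/B/C example in the spec.
# These roles and values are made up for the demonstration.
AUTHORIZE_CONF = """
[role_a]
importRoles = role_b;role_c
srchTimeEarliest = 86400

[role_b]
srchTimeEarliest = 3600

[role_c]
srchTimeEarliest = -1
"""

THIRTY_DAYS = 30 * 86400  # 2592000 seconds, the limit the question asks for


def load_roles(conf_text: str) -> Dict[str, dict]:
    """Parse [role_*] stanzas into {name: {"imports": [...], "limit": int}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    roles: Dict[str, dict] = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue
        imports = parser.get(section, "importRoles", fallback="")
        roles[section[len("role_"):]] = {
            "imports": [r[len("role_"):] for r in imports.split(";") if r.strip()],
            "limit": parser.getint(section, "srchTimeEarliest", fallback=-1),
        }
    return roles


def effective_earliest(roles: Dict[str, dict], role: str) -> int:
    """Least restrictive limit across the role and everything it inherits.
    -1 on a role means 'no limit set', so it only wins if no role sets one."""
    seen, stack, limits = set(), [role], []  # type: set, List[str], List[int]
    while stack:
        name = stack.pop()
        if name in seen or name not in roles:
            continue
        seen.add(name)
        if roles[name]["limit"] >= 0:
            limits.append(roles[name]["limit"])
        stack.extend(roles[name]["imports"])
    return max(limits) if limits else -1


def search_allowed(roles: Dict[str, dict], role: str, earliest_secs_ago: int) -> bool:
    """True if a search reaching back earliest_secs_ago is within the role's limit."""
    limit = effective_earliest(roles, role)
    return limit == -1 or earliest_secs_ago <= limit
```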
I guess this is a good reason to upgrade to 8.2!
Perhaps the Workload Management admission rules can block queries from certain users that exceed 30 days.
I appreciate your statement and your time. This might be possible in the future with additional search_time_range values.
However, as I understand it, currently this isn't possible because the only filter value for search_time_range is alltime.
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2107/Admin/CreateWLMRules
search_time_range: An absolute time range during which the rule is valid. Currently supports the value alltime only.
Sorry about that. It's been a while since I used that feature. Consider suggesting a change at https://ideas.splunk.com