Splunk Search

Limit users searches to a most recent time

_joe
Communicator

I am looking for a way to limit user searches to only the most recent 30 days, specifically for SmartStore purposes. 

For example, if you have smartStore, you want to restrict who can search old data. Otherwise, some run-away users could cause your indexers to dump recent data.

 

Configuring Roles / Resources / "Role search time window limit" does not do this because it designates a window rather than the the most recent time. A user could still search "-30d to -60d", then "60d to -90d", etc, which results in dumping your recent data. Also, this method fails quietly (if a user searches 31 days, they have to click "jobs" to find out their search was limited - that's not good!).

Configuring Roles / Restrictions / Adding "earliest = -30d" does not do this because it overwrites the UI completely (i.e. users can no longer search just the last 60 minutes). 

The closest I have come to controlling this is adding Roles / Restrictions  "_index_earliest = -30d" but you can still trigger smartStore downloads. 

I am asking this question believing there isn't currently an answer but I'd like to at least bring awareness. 

Labels (1)
0 Karma
1 Solution

gjanders
SplunkTrust
SplunkTrust

authorize.conf in 8.2:

srchTimeEarliest = <integer>
* The earliest event time that can be searched, in seconds before the current
  wall clock time.
* If a user is a member of a role with a 'srchTimeEarliest' limit, or a role 
  that inherits from other roles with 'srchTimeEarliest' limits, the Splunk 
  platform applies the least restrictive time limit from the roles to the user.
  * For example, if a user is a member of role A (srchTimeEarliest = 86400), 
    and inherits role B (srchTimeEarliest = 3600) and role C 
    (srchTimeEarliest = -1 (default)), the user gets an effective earliest time 
    limit of 1 day (86400 seconds) ago.
* When set to '-1', the role does not have a earliest time limit. This

I believe this came with 8.2.x, I know it's not possible in 8.0.x for example 

View solution in original post

gjanders
SplunkTrust
SplunkTrust

authorize.conf in 8.2:

srchTimeEarliest = <integer>
* The earliest event time that can be searched, in seconds before the current
  wall clock time.
* If a user is a member of a role with a 'srchTimeEarliest' limit, or a role 
  that inherits from other roles with 'srchTimeEarliest' limits, the Splunk 
  platform applies the least restrictive time limit from the roles to the user.
  * For example, if a user is a member of role A (srchTimeEarliest = 86400), 
    and inherits role B (srchTimeEarliest = 3600) and role C 
    (srchTimeEarliest = -1 (default)), the user gets an effective earliest time 
    limit of 1 day (86400 seconds) ago.
* When set to '-1', the role does not have a earliest time limit. This

I believe this came with 8.2.x, I know it's not possible in 8.0.x for example 

_joe
Communicator

I guess this is a good reason to upgrade to 8.2!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Perhaps the Workload Management admission rules can block queries from certain users that exceed 30 days.

---
If this reply helps you, Karma would be appreciated.
0 Karma

_joe
Communicator

I appreciate your statement and your time. This might be possible in the future with additional search_time_range values.

However, as I understand it, currently this isn't possible because the only filter value for search_time_range  is alltime. 

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2107/Admin/CreateWLMRules

 

search_time_rangeAn absolute time range during which the rule is valid. Currently supports the value alltime only.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Sorry about that.  It's been a while since I used that feature.  Consider suggesting a change at https://ideas.splunk.com

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...