Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Restricting users from search

pradeepkumarg
Influencer
‎08-19-2013 06:06 AM

We have a situation where we need to restrict users to be able to search during a specific period of time. Removing search=enabled for a particular role in authorize.conf is not working. Is there a way we can achieve this for a role?

0 Karma
Reply

ayme
Splunk Employee
Splunk Employee
‎12-05-2014 10:55 AM

Associated with the User Role, you could add a "Restrict search terms" filter.

If for a very specific period in time you could add, for example:

(_time>1417805142.703 AND _time<1417805242.703)

Or if you want to prevent people searching data between 18h00 and 19h00 you could add the filter:

date_hour!=18
0 Karma
Reply

somesoni2
Revered Legend
‎12-05-2014 09:43 AM

You want user to able to log in but not able to perform search on specific period like 6:00 PM to 6:00 AM?

0 Karma
Reply

pradeepkumarg
Influencer
‎01-22-2015 09:36 AM

@somesoni2 Right but the timings are not fixed, it's when we know that there is going to be a users storm logging in and issuing searches to solve a very high severity issue happening in the organization, it's at that point of time we want to restrict searching only for a critical team/role to save Splunk system resources from taking a toss..

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎08-20-2013 10:56 AM

I don't believe there is a way to restrict user search access based on time. You could certainly remove the indexes that are searchable from a role to avoid users searching on specific/all data during a specific period. That would require a restart of Splunk of course.

Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...