Hi, one option is to use authorize.conf with the following values:

srchTimeWin = <integer>
* Maximum time range, in seconds, of a search.
* The Splunk platform applies this search time range limit backwards from the
latest time specified for a search.
* If a user has multiple roles with distinct search time range limits, or has
roles that inherit from roles with distinct search time range limits,
the Splunk platform applies the least restrictive search time range limits to
the role.
* For example, if user X has role A (srchTimeWin = 30s), role B (srchTimeWin
= 60s), and role C (srchTimeWin = 3600s), user X gets a maximum search time
range of 1 hour.
* When set to '-1', the role does not have a search time range limit. This
value can be overridden by the maximum search time range value of an inherited
role.
* When set to '0' (infinite), the role does not have a search time range limit.
This value cannot be overridden by the maximum search time range value of an
inherited role.
* This setting does not apply to real-time searches.
* Default: -1
srchTimeEarliest = <integer>
* The earliest event time that can be searched, in seconds before the current
wall clock time.
* If a user is a member of a role with a 'srchTimeEarliest' limit, or a role
that inherits from other roles with 'srchTimeEarliest' limits, the Splunk
platform applies the least restrictive time limit from the roles to the user.
* For example, if a user is a member of role A (srchTimeEarliest = 86400),
and inherits role B (srchTimeEarliest = 3600) and role C
(srchTimeEarliest = -1 (default)), the user gets an effective earliest time
limit of 1 day (86400 seconds) ago.
* When set to '-1', the role does not have an earliest time limit. This
value can be overridden by the earliest time value of an inherited role.
* When set to '0' (infinite), the role does not have an earliest time limit.
This value cannot be overridden by the earliest time limit value of an
inherited role.
* This setting does not apply to real-time searches.
* Default: -1

With those you can define the earliest time and also the search span. Just create a separate role like your normal user and use it for those users to which you want to apply these restrictions.

r. Ismo
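Because the least restrictive value wins, a restricted role only takes effect if no other role the user holds or inherits carries a larger limit. The following audit sketch is an added example, not part of the original post or Splunk's own code: the role names and sample file are constructed, and the merge rule (0 wins, otherwise the largest positive value, otherwise -1, with directly assigned and imported roles treated alike) is an assumed reading of the setting descriptions quoted above.

```python
import configparser

# Constructed authorize.conf sample; all role names are hypothetical.
SAMPLE_CONF = """
[role_base_user]
srchTimeWin = 3600
[role_limited_search]
importRoles = base_user
srchTimeWin = 60
srchTimeEarliest = 86400
[role_strict]
srchTimeWin = 30
srchTimeEarliest = 3600
[role_unlimited]
srchTimeWin = 0
"""

def load_roles(text):
    """Parse [role_<name>] stanzas into {name: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def expand(roles, names):
    """Return the named roles plus everything reachable through importRoles."""
    seen, stack = set(), list(names)
    while stack:
        name = stack.pop()
        if name in seen or name not in roles:
            continue
        seen.add(name)
        imports = roles[name].get("importRoles", "").split(";")
        stack.extend(r.strip() for r in imports if r.strip())
    return seen

def effective_limit(roles, names, key):
    """Assumed merge: 0 wins, else the largest positive value, else -1."""
    values = [int(roles[r].get(key, -1)) for r in expand(roles, names)]
    if 0 in values:
        return 0
    positive = [v for v in values if v > 0]
    return max(positive) if positive else -1

if __name__ == "__main__":
    roles = load_roles(SAMPLE_CONF)
    for assigned in (["strict"], ["limited_search"], ["strict", "unlimited"]):
        print(assigned, {k: effective_limit(roles, assigned, k)
                         for k in ("srchTimeWin", "srchTimeEarliest")})
```

In the sample, `limited_search` sets a 60-second window but imports `base_user`, so its effective window is 3600 seconds; a role meant to restrict users should not import or be combined with a role that has a looser limit.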