You can also limit how far back a role can search within authorize.conf (srchTimeWin). We currently do this with an app on the deployer and then push to the SHC members.

Example: authorize.conf

    [role_<role_name>]
    importRoles = user
    srchDiskQuota = 100
    srchFilter =
    srchIndexesAllowed = main
    srchIndexesDefault = main
    srchMaxTime = 1800
    srchTimeWin = 10368000

srchTimeWin description:

srchTimeWin = <integer>
* Maximum time range, in seconds, of a search.
* The Splunk software applies this search time range limit backwards from the
latest time specified for a search.
* If a user has multiple roles with distinct search time range limits, or has
roles that inherit from roles with distinct search time range limits, the
Splunk software applies the least restrictive search time range limits to
the role.
* For example, if user X has role A (srchTimeWin = 30s), role B (srchTimeWin
= 60s), and role C (srchTimeWin = 3600s), user X gets a maximum search time
range of 1 hour.
* When set to '-1', the role does not have a search time range limit. This
value can be overridden by the maximum search time range value of an inherited
role.
* When set to '0' (infinite), the role does not have a search time range limit.
This value cannot be overridden by the maximum search time range value of an
inherited role.
* This setting does not apply to real-time searches.
* Default: -1

Reference: https://docs.splunk.com/Documentation/Splunk/latest/Admin/authorizeconf
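As an added example (not part of the answer above, and not a Splunk tool), the following script computes the search time window a user actually ends up with when the resolution rules quoted from the spec are applied: the least restrictive limit wins across held and inherited roles, -1 is "unset" and can be overridden by an inherited limit, and 0 is an explicit infinite window that nothing can narrow. The sample authorize.conf text and role names (user, analyst, contractor, auditor, tier1) are constructed for this example; the reading of -1 as "unset, so it never widens an inherited limit" is an assumption drawn from the spec wording, not something Splunk documents in those words. Running it over the authorize.conf you push from the deployer is a quick way to audit whether an innocuous-looking importRoles line silently lifts a retention restriction.

```python
import configparser
import math

# Constructed sample authorize.conf for this example (not the original post's deployer app).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchTimeWin = 7776000

[role_analyst]
importRoles = user
srchTimeWin = 10368000

[role_contractor]
importRoles = user
srchTimeWin = -1

[role_auditor]
importRoles = analyst
srchTimeWin = 0

[role_tier1]
importRoles = contractor;analyst
srchTimeWin = 2592000
"""


def parse_roles(text):
    """Return {role_name: (imported_roles, srchTimeWin)} from authorize.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep camelCase keys such as importRoles as written
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        sec = cp[section]
        imports = [r.strip() for r in sec.get("importRoles", "").split(";") if r.strip()]
        roles[section[len("role_"):]] = (imports, int(sec.get("srchTimeWin", "-1")))
    return roles


def _least_restrictive(windows):
    """Combine limits: None = unset (-1), math.inf = explicit infinite (0), int = seconds.

    Any explicit infinite wins outright; otherwise the largest finite window wins.
    """
    known = [w for w in windows if w is not None]
    if not known:
        return None
    return math.inf if any(w == math.inf for w in known) else max(known)


def _resolve(roles, name, trail):
    """Effective window for one role, following importRoles recursively."""
    if name in trail:
        raise ValueError("importRoles cycle: " + " -> ".join(trail + [name]))
    if name not in roles:
        return None  # unknown role contributes nothing
    imports, own = roles[name]
    if own == 0:
        return math.inf  # infinite, cannot be overridden by inherited roles
    inherited = [_resolve(roles, r, trail + [name]) for r in imports]
    own_window = own if own > 0 else None  # -1 is unset and may be overridden
    return _least_restrictive([own_window] + inherited)


def effective_window(roles, role_names):
    """Effective srchTimeWin in seconds for a user holding role_names; math.inf = no limit."""
    combined = _least_restrictive([_resolve(roles, r, []) for r in role_names])
    return math.inf if combined is None else combined


if __name__ == "__main__":
    roles = parse_roles(SAMPLE_AUTHORIZE_CONF)
    for held in (["user"], ["contractor"], ["tier1"], ["tier1", "auditor"]):
        win = effective_window(roles, held)
        shown = "no limit" if win == math.inf else f"{win} s ({win / 86400:g} days)"
        print(f"{'+'.join(held):16s} -> {shown}")
```

Note that a role whose own srchTimeWin is -1 and whose imported roles carry no limit resolves to "no limit", which matches the spec's default; the audit is most useful for roles that import several others, where the largest inherited window, not the role's own value, is what the user gets.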