You can also limit how far back a role can search within authorize.conf (srchTimeWin). We currently do this with an app on the deployer and then push to the SHC members.

Example: authorize.conf

[role_<role_name>]
importRoles = user
srchDiskQuota = 100
srchIndexesAllowed = main
srchIndexesDefault = main
srchMaxTime = 1800
srchTimeWin = 10368000

srchTimeWin description:

srchTimeWin = <integer>
* Maximum time range, in seconds, of a search.
* The Splunk software applies this search time range limit backwards from the
latest time specified for a search.
* If a user has multiple roles with distinct search time range limits, or has
roles that inherit from roles with distinct search time range limits, the
Splunk software applies the least restrictive search time range limits to
* For example, if user X has role A (srchTimeWin = 30s), role B (srchTimeWin
= 60s), and role C (srchTimeWin = 3600s), user X gets a maximum search time
range of 1 hour.
* When set to '-1', the role does not have a search time range limit. This
value can be overridden by the maximum search time range value of an inherited
* When set to '0' (infinite), the role does not have a search time range limit.
This value cannot be overridden by the maximum search time range value of an
* This setting does not apply to real-time searches.
* Default: -1

Reference: https://docs.splunk.com/Documentation/Splunk/latest/Admin/authorizeconf
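Because the least restrictive limit wins, a tight srchTimeWin on one role does nothing for a user who also holds (or inherits) a role with a wider window or with 0. The following audit helper is an added example, not part of the original post or of Splunk's own code; it follows the description quoted above, and the role names, sample stanzas and the treatment of -1 as "no limit unless some other role sets one" are assumptions.

```python
import configparser

# Constructed sample authorize.conf content; role names and values are illustrative.
SAMPLE_CONF = """
[role_user]
srchTimeWin = -1

[role_analyst_90d]
importRoles = user
srchTimeWin = 10368000

[role_analyst_1h]
importRoles = user
srchTimeWin = 3600

[role_legacy_unlimited]
srchTimeWin = 0
"""

def load_roles(text):
    """Return {role: (srchTimeWin, [imported roles])} from authorize.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the camelCase setting names as written
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            sec = cp[section]
            imports = [r.strip() for r in sec.get("importRoles", "").split(";") if r.strip()]
            roles[section[len("role_"):]] = (int(sec.get("srchTimeWin", "-1")), imports)
    return roles

def role_closure(roles, names):
    """All roles a user effectively holds: assigned roles plus everything imported."""
    seen, stack = set(), list(names)
    while stack:
        name = stack.pop()
        if name in roles and name not in seen:
            seen.add(name)
            stack.extend(roles[name][1])
    return seen

def effective_srch_time_win(roles, user_roles):
    """Least restrictive window: 0 (infinite) beats everything, else the largest limit."""
    values = [roles[r][0] for r in role_closure(roles, user_roles)]
    if 0 in values:
        return 0  # infinite and cannot be overridden
    limits = [v for v in values if v > 0]
    # Assumption: -1 only means "no limit" when no held or inherited role sets one.
    return max(limits) if limits else -1
```

Running it over each user's role list flags accounts whose effective window is 0, -1 or larger than intended, even though one of their roles looks restricted.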