Hi,
Is there any configuration option/method in Splunk where we can restrict searching on the indexed data (all indexes) only till a predefined timestamp? So that all the searches (including dashboards/reports) are applied only to the data indexed till that predefined time and not afterward.
Hope for an answer soon.
Thanks,
Sajeesh
Tell us more about the reason. Why are the normal time constraints insufficient?
Meanwhile, these fields might be what you're looking for:
_indextime: Similar to _time, but relative to when the event was indexed rather than when the event occurred.
_index_earliest: Specify the earliest _indextime for the time range of your search.
_index_latest: Specify the latest _indextime for the time range of your search.
Learn more:
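A worked search using the fields named in the reply above, added here as an example and not taken from the original post. The index name, cutoff timestamp and the regular earliest/latest values are placeholders; Splunk's absolute time format is %m/%d/%Y:%H:%M:%S.

```spl
index=* _index_latest="01/31/2024:00:00:00"
| eval indexed_at=strftime(_indextime, "%Y-%m-%d %H:%M:%S")
| table _time indexed_at source sourcetype
| sort - indexed_at
```

The search keeps only events whose _indextime is at or before the cutoff, regardless of their _time, so an event with an old timestamp that arrived after the cutoff is excluded, and an event indexed before the cutoff is kept even if its _time looks later. Compare that with `index=* latest="01/31/2024:00:00:00"`, which filters on _time alone. Both _index_earliest and _index_latest also accept relative modifiers such as `-1d@d`, and they can be combined with earliest/latest in the same search. Note that these are search-time modifiers: they constrain whichever searches, dashboards or reports include them, but nothing stops a user from leaving them out.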
Does anybody know an answer for this?
Thanks,
Sajeesh
This is probably not the answer you were looking for, but you have the option to "Restrict search time range" on a per-role basis:
"Set a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. You can also set this to '0' to explicitly make the window infinite, or '-1' to unset the window for this role (can be overridden by imported roles)."
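The same setting expressed in authorize.conf, added here as an example and not part of the reply above. The role name and window length are placeholders; the value is the `srchTimeWin` attribute behind the "Restrict search time range" field in Settings > Roles.

```ini
# authorize.conf (constructed example; role name and value are placeholders)
[role_limited_analyst]
# Maximum search window in seconds, measured backwards from the latest
# time given in the search. 86400 = 1 day; 0 = infinite; -1 = unset.
srchTimeWin = 86400
```

Keep in mind that this window is relative to the latest time of each search, not an absolute cutoff: it limits how far back a role can search, and a user can still run a search whose latest time is "now". It therefore does not by itself give the fixed "indexed up to this timestamp" boundary asked for above.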