i have created a customized role simple_user and assigned users to. i also wanted to disable "all time" option from search bar for the user in simple_user role.
can any one help me how to configure it?
Not exactly what you're after but you can set the maximum time window for a search using srchTimeWin = <time_in_seconds> in authorize.conf.
srchTimeWin = <time_in_seconds>
For example, if you didn't want anyone with the simple_user role to be able to search a timeframe over a year then you would add the following:
srchTimeWin = 31536000
Note that the stanza title is in the format role_<role_name>.
Hope this helps.
View solution in original post
Thanks your answer helped me.
but i don't want to show the option of All Time for users except ADMIN user. is it possible??
Unfortunately I am not aware of an configuration in Splunk that allows you to do that.
You can remove it from dashboards, but not from searches / reports.