Restrict User Search Period

IRHM73
Motivator

Hi, I wonder whether someone could help me please.

I know that I can restrict a user's 'search period' by changing the 'Restrict search time range' in the role settings, in my case 90 days.

But I just wonder whether someone may be able to confirm for me please whether the 90 days is 90 days prior to the date the search is performed, i.e. if the search was performed today it would be 90 days prior, which is 17 November 2015, or whether this restricts the user to extracting the data in 90-day chunks, e.g. 1 November 2015 to 1 February 2016.

Many thanks and kind regards

Chris

renjith_nair
Legend

Hello Chris,

As mentioned in the docs, Restrict search time range: specify over how large of a window of time this role can search. It sets a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. So it depends on the recent time the user mentions, minus 90 days. So it's basically making sure that the user is not searching a large time range which might cause performance issues.

latest=now (Feb 15) - User will be able to search data till 17 Nov
latest=1st Feb - User will be able to search data till 02 Nov

Hope that clarifies.

---
What goes around comes around. If it helps, hit it with Karma 🙂

IRHM73
Motivator

Hi @renjith.nair, thank you very much for coming back to me with this, and forgive the dumb question, I blame it on an early start. So basically, a user via a time picker can select any date and always only be able to go back 90 days?

Many thanks and kind regards

Chris

renjith_nair
Legend

Hello Chris, the user can select any time range, but the events will be picked only from the -90th day for normal searches like index=*.

To validate this:

  • Create a role with this restriction
  • Create a user and assign to this role
  • Select time range to last 6 months
  • Run the search index=* | stats earliest(_time) as _time

You will be able to see the earliest time as 17 Nov (if you haven't mentioned a latest time and it defaults to now).

IRHM73
Motivator

Hi, right ok, I understand now.

Many thanks for the confirmation.

Kind Regards

Chris
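
The behaviour confirmed in this thread, modelled as an added example (not code from the original posts and not Splunk's implementation): the role's window is measured back from the search's latest time, so it caps how wide one search can be. The function names and the six-month sample range are assumptions made for illustration; 15 Feb 2016 is the "now" used in the thread.

```python
from datetime import datetime, timedelta, timezone

# 90 days expressed in seconds, the unit the role setting uses (per the thread).
SRCH_WINDOW_SECONDS = 90 * 24 * 60 * 60  # 7,776,000


def effective_range(earliest, latest, window_seconds=SRCH_WINDOW_SECONDS):
    """Model of the clamp: earliest is raised to (latest - window) when the
    requested range is wider than the role allows; latest is left untouched."""
    if window_seconds <= 0:
        raise ValueError("window_seconds must be positive")
    if earliest > latest:
        raise ValueError("earliest must not be after latest")
    floor = latest - timedelta(seconds=window_seconds)
    return max(earliest, floor), latest


def searches_needed(oldest, newest, window_seconds=SRCH_WINDOW_SECONDS):
    """Back-to-back ranges, each within the window, that span oldest..newest.
    Shows that the setting bounds the width of one search, not the age of
    the events a role can reach by choosing an earlier latest time."""
    ranges = []
    latest = newest
    while latest > oldest:
        earliest, _ = effective_range(oldest, latest, window_seconds)
        ranges.append((earliest, latest))
        latest = earliest  # next search ends where this one began
    return ranges


if __name__ == "__main__":
    utc = timezone.utc
    now = datetime(2016, 2, 15, tzinfo=utc)             # date used in the thread
    six_months_ago = datetime(2015, 8, 15, tzinfo=utc)  # constructed sample

    # "Last 6 months" with latest=now is cut down to the last 90 days.
    lo, hi = effective_range(six_months_ago, now)
    print("single search:", lo.date(), "->", hi.date())

    # The same six months is still reachable as several narrower searches.
    for lo, hi in searches_needed(six_months_ago, now):
        print("chunk:", lo.date(), "->", hi.date())
```

Treat the setting as a guard on search cost, as the answer describes, not as a limit on which historical events the role can read.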
