Splunk Search

Restrict Time Range by User Role and index / SourceType

VidhyaR
New Member

We have different indexes with varied retention and volumes. We would like to be able to restrict some roles to searching only a limited time range (for example, 6 hours for larger indexes and a few days for some other, smaller indexes). We would also like to customize this by role. Any thoughts / ideas?

thanks
Vidhya


gokadroid
Motivator

At least on 6.4.2, "restricting search up to a time" and "restricting search to a few indexes" can be achieved by defining a role and then adding this role to any user. Try the steps below:

Settings » Access controls » Roles » Add new

On this "Add New" page go to the section "Search restrictions", second option: "Restrict search time range", which is described as:

Set a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. You can also set this to '0' to explicitly make the window infinite, or '-1' to unset the window for this role (can be overridden by imported roles).

On the same "Add new role" page, go right to the bottom to find the "Indexes" section, which restricts a role to viewing only a few indexes:

Indexes
Restrict this role's searches to the specified index(es). Search results for this role will only show events from these indexes.

Once the role is defined, create a user and add this new role to the user. From here on, the user will have access only to the indexes specified and will only be able to search in the time range specified on the role.

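The same two restrictions expressed as authorize.conf stanzas, as an added example that is not part of the answer above or of any Splunk documentation. The "Restrict search time range" and "Indexes" fields on the Roles page write the srchTimeWin and srchIndexesAllowed / srchIndexesDefault attributes of a [role_<name>] stanza; the role names, index names and the 6-hour / 3-day windows below are constructed to match the question, and the importRoles = user line assumes the built-in user role is the intended base.

```ini
# Added example (not from the thread). Place in
# $SPLUNK_HOME/etc/system/local/authorize.conf or an app's local/ directory,
# then restart splunkd. Role and index names are made up.

# Large, high-volume indexes: window of 6 hours = 21600 seconds.
[role_large_index_search]
importRoles = user
srchIndexesAllowed = firewall;proxy
srchIndexesDefault = firewall
srchTimeWin = 21600

# Smaller indexes: window of 3 days = 259200 seconds.
[role_small_index_search]
importRoles = user
srchIndexesAllowed = hr_audit;change_mgmt
srchIndexesDefault = hr_audit
srchTimeWin = 259200
```

The window is a property of the role, not of the index, which is why the two groups of indexes sit in separate roles. A user who holds both roles gets both index sets, and the help text quoted above says a window of -1 can be overridden by imported roles, so after assigning roles to a test user, run a search against a large index with an earliest time older than 6 hours and confirm that the results are actually truncated rather than assuming the stricter window wins. The restrictions of the imported user role (its own srchTimeWin and index list) also apply to anyone holding these roles.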



somesoni2
SplunkTrust

I don't think something like this can be achieved in Splunk right now, at least not on a per-index basis. The best you can do is to update your roles to include a search filter ("Restrict search terms" in Settings -> Access controls -> Roles -> YourRoleHere, or the srchFilter attribute in authorize.conf) to restrict the time range by specifying the maximum time range that you want to allow, e.g. earliest=-6h. This will cause any search run by users with that role to have at most the time range specified in srchFilter. The problem with this approach is that users will only be able to change the time range (reduce it; they can never exceed the time range specified in srchFilter) by specifying the time range within the search. The time-range picker will not be honored. So, think about it.

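Both answers end up editing role stanzas in authorize.conf, and the first answer's help text notes that a window of -1 can be overridden by imported roles, so the effective limit of a role is not always the number written in its own stanza. The following Python audit, an added example that is not from either answer or from Splunk, parses the [role_...] stanzas of an authorize.conf, resolves each role's window and index list through importRoles, and flags roles that can search the "large" indexes with more than the 6-hour window the question asks for, or that have no window at all. The sample configuration, role names and index names are constructed; the inheritance rules in effective_window and effective_indexes (-1 or absent means inherit, the most permissive imported window wins, allowed indexes accumulate) are assumptions to verify against your version's authorize.conf.spec, not documented behaviour.

```python
import configparser

# Constructed sample authorize.conf, not taken from the thread: role and index
# names are made up. Windows are in seconds (21600 = 6h, 259200 = 3d).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchTimeWin = 0

[role_big_index_6h]
importRoles = user
srchIndexesAllowed = firewall;proxy
srchTimeWin = 21600

[role_small_index_3d]
importRoles = user
srchIndexesAllowed = hr_audit;change_mgmt
srchTimeWin = 259200

[role_proxy_1d]
srchIndexesAllowed = proxy
srchTimeWin = 86400

[role_analyst_inherit]
importRoles = user
srchIndexesAllowed = firewall;hr_audit
srchTimeWin = -1

[role_reporting]
srchIndexesAllowed = change_mgmt
"""

# Policy taken from the question: the large indexes get at most 6 hours.
LARGE_INDEXES = {"firewall", "proxy"}
LARGE_INDEX_MAX_SECONDS = 6 * 3600


def parse_roles(conf_text):
    """Return {role_name: {attribute: value}} for every [role_<name>] stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep attribute names case-sensitive, as Splunk does
    parser.read_string(conf_text)
    return {s[len("role_"):]: dict(parser[s])
            for s in parser.sections() if s.startswith("role_")}


def _imports(roles, role):
    """Names listed in importRoles (semicolon-separated), without the role_ prefix."""
    return [r.strip() for r in roles[role].get("importRoles", "").split(";") if r.strip()]


def effective_window(roles, role, seen=frozenset()):
    """Resolve srchTimeWin for a role by following importRoles.

    ASSUMPTION (the thread only says -1 "can be overridden by imported roles"):
    -1 or a missing value means "inherit", and when several imported roles set
    a window the most permissive one wins (0 = infinite beats any finite value).
    Returns None when nothing in the chain sets a window.
    """
    if role in seen or role not in roles:
        return None
    own = int(roles[role].get("srchTimeWin", "-1"))
    if own != -1:
        return own
    inherited = [effective_window(roles, r, seen | {role}) for r in _imports(roles, role)]
    inherited = [w for w in inherited if w is not None]
    if not inherited:
        return None
    return 0 if 0 in inherited else max(inherited)


def effective_indexes(roles, role, seen=frozenset()):
    """Union of srchIndexesAllowed over the role and everything it imports.
    ASSUMPTION: index access accumulates through importRoles."""
    if role in seen or role not in roles:
        return set()
    own = {i.strip() for i in roles[role].get("srchIndexesAllowed", "").split(";") if i.strip()}
    for r in _imports(roles, role):
        own |= effective_indexes(roles, r, seen | {role})
    return own


def audit(conf_text):
    """Return [(role, finding)] for roles that break the 6h-on-large-indexes
    policy or that have no time window at all. A wildcard entry ('*') is
    treated as covering every index, including the large ones."""
    roles = parse_roles(conf_text)
    findings = []
    for role in sorted(roles):
        window = effective_window(roles, role)
        indexes = effective_indexes(roles, role)
        large = set(LARGE_INDEXES) if "*" in indexes else indexes & LARGE_INDEXES
        if window is None:
            findings.append((role, "no srchTimeWin anywhere in its import chain"))
        elif window == 0 and large:
            findings.append((role, "infinite window on large index(es) %s" % sorted(large)))
        elif window > LARGE_INDEX_MAX_SECONDS and large:
            findings.append((role, "window %ds exceeds %ds on %s"
                             % (window, LARGE_INDEX_MAX_SECONDS, sorted(large))))
    return findings


if __name__ == "__main__":
    for role, finding in audit(SAMPLE_AUTHORIZE_CONF):
        print("%-20s %s" % (role, finding))
```

Run against a real file by passing open("authorize.conf").read() to audit(); on the sample it reports analyst_inherit (inherits the infinite window of user while being allowed into firewall), proxy_1d (one day on a large index) and reporting (no window at all), and stays silent on the two roles that match the question's design.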