We have different indexes with varied retention and volumes. We would like to be able to restrict some roles to search only some time range (like 6 hours for larger indexes and a few days for some other smaller indexes). We also would like to customize this by the role. Any thoughts / ideas?
Thanks,
Vidhya
At least on 6.4.2, "restricting search up to a time" and "restricting search to a few indexes" can be achieved by defining roles and then adding this role to any user. Try the below:
Settings > Access controls > Roles > Add new
On this "Add New" page go to the section "Search restrictions"; the second option, "Restrict search time range", is defined as:
Set a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. You can also set this to '0' to explicitly make the window infinite, or '-1' to unset the window for this role (can be overridden by imported roles).
Indexes
Restrict this role's searches to the specified index(es). Search results for this role will only show events from these indexes.
Once the role is defined, create a user and add this new role to the user. From here on the user will have access only to the indexes specified and will only be able to search in the time range specified on the role.
There is a good discussion about it at: Limit how far back you can retrieve data regardless of timerangepicker selection
I don't think something like this can be achieved in Splunk right now, at least not on a per-index basis. The best you can do is to update your roles to include a search filter ("Restrict search terms" in Settings -> Access controls -> Roles -> YourRoleHere, or the srchFilter attribute in authorize.conf) to restrict the time range by specifying the maximum time range that you want to allow, e.g. earliest=-6h. This will cause any search run by users with that role to have at most the time range specified in srchFilter. The problem with this approach is that users will only be able to change the time range (reduce it; they can never exceed the time range specified in srchFilter) by specifying the time range within the search. The time-range picker will not be honored. So, think about it.
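As an added example that is not part of either answer above, the following authorize.conf stanzas show how the two approaches discussed in this thread look when written as configuration rather than clicked through the Roles page: one role per index group carrying both an index restriction and a search time window (the first answer), and a role using a search filter with earliest=-6h (the second answer). The role names and index names (role_large_6h, role_small_3d, role_filter_6h, large_logs, small_logs) are made up for illustration; srchTimeWin, srchIndexesAllowed, srchIndexesDefault, srchFilter and importRoles are standard authorize.conf settings, and importing the built-in user role is an assumption about how the roles get their basic capabilities.

```ini
# Added example, not from the thread. Constructed role and index names.
# Put in $SPLUNK_HOME/etc/system/local/authorize.conf (or an app's local/
# directory), or create the same roles under Settings > Access controls > Roles.

# Role for the high-volume index: searches may reach back at most 6 hours.
# srchTimeWin is in seconds, so 6 * 3600 = 21600.
[role_large_6h]
importRoles = user
srchIndexesAllowed = large_logs
srchIndexesDefault = large_logs
srchTimeWin = 21600

# Role for the smaller index: searches may reach back at most 3 days.
# 3 * 86400 = 259200 seconds.
[role_small_3d]
importRoles = user
srchIndexesAllowed = small_logs
srchIndexesDefault = small_logs
srchTimeWin = 259200

# Search-filter variant from the second answer: the filter is appended to every
# search this role runs, so the window cannot be widened past the last 6 hours
# from the time-range picker (it can only be narrowed inside the search itself).
[role_filter_6h]
importRoles = user
srchIndexesAllowed = large_logs
srchIndexesDefault = large_logs
srchFilter = earliest=-6h
```

Assign users to role_large_6h or role_small_3d (rather than to one combined role) to get the per-index time limits the question asks for. After saving, open each role in Settings > Access controls > Roles and confirm the effective "Restrict search time range" value: the quoted help text notes that a window of -1 can be overridden by imported roles, so the window inherited from an imported role is worth checking rather than assuming.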