Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way to pre-set the earliest event of a search for a user?

DATEVeG
Path Finder
‎01-20-2020 06:08 AM

Hello Splunk Community,

in order to honour privacy policies we need to limit the searches of most users/roles of an index to events younger than seven days. In cases of an emergency we want to empower an user/role to search without restriction for the full retention period of the index.
Is there any way to implement this without indexing the data twice in seperate indexes?

Thanks in advance for your help!

Regards,
Jens Wunder

Tags (1)
0 Karma
Reply

DATEVeG
Path Finder
‎01-21-2020 12:29 AM

Hi Giuseppe,
thanks for the quick reply!
The way I interpret the info about the search time window limit it seems to restrict the relative maximum time range a search can have but not how far a user can go into the past.
The suggested role restriction would affect searches in all indexes. I found a suggestion which kind of goes in the same direction (https://answers.splunk.com/answers/57684/limit-how-far-back-you-can-retrieve-data-regardless-of-time...), but that also comes with severe side effects.

Regards,
Jens

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-20-2020 06:30 AM

Hi @DATEVeG,
I didn't configured a limit like this, but you should try in two ways:
[Settings -- Roles -- your_role -- Resources -- Role search time window limit] I don't know if it's a limit to the Time Windows ao to the time period to search.

Otherwise you could put a restriction to a role [Settings -- Roles -- your_role -- Resources -- Restrictions -- SPL Search filter] inserting a restriction like index=* earliest=-7d@d.

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...