Hello Splunk Community,
In order to honour privacy policies we need to limit the searches of most users/roles on an index to events younger than seven days. In case of an emergency we want to empower a user/role to search without restriction for the full retention period of the index.
Is there any way to implement this without indexing the data twice in separate indexes?
Thanks in advance for your help!
Regards,
Jens Wunder
Hi Giuseppe,
thanks for the quick reply!
The way I interpret the info about the search time window limit it seems to restrict the relative maximum time range a search can have but not how far a user can go into the past.
The suggested role restriction would affect searches in all indexes. I found a suggestion which kind of goes in the same direction (https://answers.splunk.com/answers/57684/limit-how-far-back-you-can-retrieve-data-regardless-of-time...), but that also comes with severe side effects.
Regards,
Jens
Hi @DATEVeG,
I haven't configured a limit like this, but you should try two ways:
[Settings -- Roles -- your_role -- Resources -- Role search time window limit]. I don't know if it's a limit on the time window or on the time period to search.
Otherwise you could put a restriction on a role [Settings -- Roles -- your_role -- Resources -- Restrictions -- SPL Search filter], inserting a restriction like index=* earliest=-7d@d.
Ciao.
Giuseppe
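What Giuseppe's second suggestion looks like in authorize.conf, as an added example that is not part of any post in this thread: two roles for the same index, one with the search filter and one without. The role names and the index name pii are assumptions; srchFilter, srchIndexesAllowed, srchIndexesDefault and srchTimeWin are real authorize.conf settings. Whether Splunk honours a time modifier inside srchFilter, and the fact that a role's srchFilter is prepended to every search the role runs regardless of index, are exactly the open points Jens raises above, so treat the filter line as the thing to test, not as a confirmed solution.

```ini
# authorize.conf (added example; role and index names are assumptions)

# Restricted role: allowed to search the index "pii", with the search filter
# from Giuseppe's suggestion applied to every search this role runs.
# Note: srchFilter is role-wide, so it also applies to any other index the
# role can search; this is the side effect Jens points out.
[role_pii_restricted]
srchIndexesAllowed = pii
srchIndexesDefault = pii
srchFilter = earliest=-7d@d

# Emergency role: same index, no search filter, so the full retention
# period of the index is searchable. Assign this role only for the
# emergency case described in the question.
[role_pii_emergency]
srchIndexesAllowed = pii
srchIndexesDefault = pii

# For comparison, the first suggestion. srchTimeWin (seconds) caps the span
# of a single search; as Jens reads it, that limits how wide a search may be,
# not how far back its earliest time may go, so a 7-day window would still
# allow a search from 30 days ago to 23 days ago.
# [role_pii_restricted]
# srchTimeWin = 604800
```

After editing authorize.conf, reload the configuration (for example via the debug/refresh endpoint or a restart) and verify with a user in each role: the restricted user should get no events older than seven days from index=pii even with an explicit earliest=-30d in the search bar, while the emergency user should see the full retention period. If the restricted user still sees old events, the time modifier in srchFilter is not being applied and the answer to the original question is that this approach does not work as hoped.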