Splunk Search

Is there a way to pre-set the earliest event of a search for a user?

DATEVeG
Path Finder

Hello Splunk Community,

In order to honour privacy policies we need to limit the searches of most users/roles of an index to events younger than seven days. In cases of an emergency we want to empower a user/role to search without restriction for the full retention period of the index.
Is there any way to implement this without indexing the data twice in separate indexes?

Thanks in advance for your help!

Regards,
Jens Wunder


DATEVeG
Path Finder

Hi Giuseppe,
thanks for the quick reply!
The way I interpret the info about the search time window limit it seems to restrict the relative maximum time range a search can have but not how far a user can go into the past.
The suggested role restriction would affect searches in all indexes. I found a suggestion which kind of goes in the same direction (https://answers.splunk.com/answers/57684/limit-how-far-back-you-can-retrieve-data-regardless-of-time...), but that also comes with severe side effects.

Regards,
Jens


gcusello
SplunkTrust

Hi @DATEVeG,
I didn't configure a limit like this, but you should try two ways:
[Settings -- Roles -- your_role -- Resources -- Role search time window limit] I don't know if it's a limit to the Time Window or to the time period to search.

Otherwise you could put a restriction on a role [Settings -- Roles -- your_role -- Resources -- Restrictions -- SPL Search filter] by inserting a restriction like index=* earliest=-7d@d.

Ciao.
Giuseppe

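The two role settings discussed in this thread, written as an authorize.conf fragment. This is an added example, not configuration from the thread or from Splunk's own documentation; the index name privacy_idx and the role names are assumed, and the srchTimeEarliest setting is included on the assumption that your Splunk version supports it (check authorize.conf.spec before relying on it).

```ini
# authorize.conf (etc/system/local/ or an app's local/ directory)
# Added example; role and index names are assumed.

# Everyday role: may search the index, but only recent events.
[role_privacy_limited]
importRoles = user
srchIndexesAllowed = privacy_idx
srchIndexesDefault = privacy_idx

# Giuseppe's suggestion: the SPL search filter is ANDed onto every
# search the role runs. Caveat raised in the thread: it applies to
# every index this role can search, not only privacy_idx.
srchFilter = earliest=-7d@d

# srchTimeWin limits the SPAN of a search in seconds, not how far
# back it may start: 604800 still allows a 7-day window from years ago.
# Shown commented out because it does not solve the stated problem.
# srchTimeWin = 604800

# Assumption: newer Splunk versions provide srchTimeEarliest, which
# caps how far back (in seconds from now) the role may search and is
# the setting the original question actually asks for. -1 = no limit.
# Verify against your version's authorize.conf.spec.
srchTimeEarliest = 604800

# Emergency role: same index, full retention, no filter inherited.
[role_privacy_emergency]
importRoles = user
srchIndexesAllowed = privacy_idx
srchIndexesDefault = privacy_idx
# "*" overrides any search filter from imported roles (as the admin role does).
srchFilter = *
srchTimeEarliest = -1
```

After deploying, confirm the effective settings with "splunk btool authorize list role_privacy_limited --debug" and test with a search whose earliest time is older than seven days.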