We have a situation where we need to restrict users to be able to search during a specific period of time. Removing search=enabled for a particular role in authorize.conf is not working. Is there a way we can achieve this for a role?
Associated with the User Role, you could add a "Restrict search terms" filter.
If for a very specific period in time you could add, for example:
(_time>1417805142.703 AND _time<1417805242.703)
Or if you want to prevent people searching data between 18h00 and 19h00 you could add the filter:
date_hour!=18
You want user to able to log in but not able to perform search on specific period like 6:00 PM to 6:00 AM?
@somesoni2 Right but the timings are not fixed, it's when we know that there is going to be a users storm logging in and issuing searches to solve a very high severity issue happening in the organization, it's at that point of time we want to restrict searching only for a critical team/role to save Splunk system resources from taking a toss..
I don't believe there is a way to restrict user search access based on time. You could certainly remove the indexes that are searchable from a role to avoid users searching on specific/all data during a specific period. That would require a restart of Splunk of course.