Restrict User Search Period

IRHM73
Motivator

Hi, I wonder whether someone could help me please.

I know that I can restrict a user's 'search period' by changing the 'Restrict search time range' in the role settings, in my case 90 days.

But I just wonder whether someone may be able to confirm for me please whether the 90 days is 90 days prior to the date the search is performed, i.e. if the search was performed today it would be 90 days prior, which is 17 November 2015, or whether this restricts the user to extracting the data in 90-day chunks, e.g. 1 November 2015 to 1 February 2016.

Many thanks and kind regards

Chris

0 Karma
1 Solution

renjith_nair
Legend

Hello Chris,

As mentioned in DOC Restrict search time range: specify over how large of a window of time this role can search. It sets a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. So it depends on the recent time user mentions subtracted by 90 days. So it's basically making sure that user is not searching a large time range which might cause performance issues.

latest=now (Feb 15) - User will be able to search data till 17 Nov
latest=1st Feb - User will be able to search data till 02 Nov

Hope that clarifies

---
What goes around comes around. If it helps, hit it with Karma 🙂

0 Karma

IRHM73
Motivator

Hi @renjith.nair, thank you very much for coming back to me with this and forgive the dumb question, I blame it on an early start, so basically a user via a timepicker can select any date and always only be able to go back 90 days?

Many thanks and kind regards

Chris

0 Karma

renjith_nair
Legend

Hello Chris, the user can select any time range but the events will be picked only from -90th day for normal searches like index=*.

To validate this,

  • Create a role with this restriction
  • Create a user and assign to this role
  • Select time range to last 6 months
  • Run the search index=*|stats earliest(_time) as _time

You will be able to see the earliest time as 17 Nov (if you haven't mentioned latest time and it defaults to now).

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

IRHM73
Motivator

Hi, right ok, I understand now.

Many thanks for the confirmation.

Kind Regards

Chris

0 Karma