Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

To restrict searching on indexed data till a predefined timestamp

sajeeshpn
New Member
‎12-03-2018 08:45 AM

Hi,

Is there any configuration option/method in Splunk where we can restrict the searching on the indexed data (all indexes) only till a predefined timestamp. So that all the searches (including dashboards/reports) should be applied only to the data indexed till that predefined time and not afterward.

Hope for an answer soon.

Thanks,
Sajeesh

Tags (1)
0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎12-10-2018 06:33 AM

Tell us more about the reason? Why is the normal time constraints insufficient?

Meanwhile, these fields might be what you're looking for:

  • _indextime: Similar to _time but relative to when the event was indexed rather than when the event occurred
  • _index_earliest: Specify the earliest _indextime for the time range of your search.
  • _index_latest: Specify the latest _indextime for the time range of your search.

Learn more:

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎12-09-2018 08:58 AM

One solution might be to add a calculated field that contains the date that you want it searchable til. Then, in your role definition, create a search restriction, where the current time is less than or equal to that field.

alt text

Preview file
1 KB
0 Karma
Reply

sajeeshpn
New Member
‎12-06-2018 10:25 PM

Anybody knows an answer for this?

Thanks,
Sajeesh

0 Karma
Reply

whrg
Motivator
‎12-07-2018 12:10 AM

This is probably not the answer you were looking for, but you have the option to "Restrict search time range" on a per role basis:
"Set a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. You can also set this to '0' to explicitly make the window infinite, or '-1' to unset the window for this role (can be overridden by imported roles)."

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...