Hi Everyone... I want to put restrictions on user searches, as presently users can search for as long as they like. This could result in users executing searches for many hours.
I tried to change this setting in the Roles area but it is not working even after starting Splunk.
Restrict Search time range
Set a maximum time window (in seconds) for searches for this role. For example, set this to '60' to restrict this role's searches to 1 minute before the most recent time specified in the search. You can also set this to '0' to explicitly make the window infinite, or '-1' to unset the window for this role (can be overridden by imported roles).
I put 30, which means 30 sec, and it is not working. Users can search beyond 30 sec. Can someone help?
Hello @ramprakash
I have tried this setting and it is working perfectly. Are you inheriting any role like user or power? These roles will override this setting, as mentioned above.
Create a role, add just the search capability and Restrict Search time range, and try.
Also be aware of an entirely new feature in Splunk v7.2 called Workload Management: https://docs.splunk.com/Documentation/Splunk/7.2.3/Workloads/Aboutworkloadmanagement
Okay, my Splunk version is 6.6.1.
Yes, you are correct, I am inheriting roles.
Could you please suggest whether I can use 1800 in this field for all the roles? I don't want any user to search beyond 30 min.
@ramprakash
Yes, you can. I have tried up to 600, and that was working well.
@vishaltaneja07011993 .. I created a separate user to test the functionality but it is not working.
The problem is that if I query for logs between 25 and 28 Jan, I am only getting results for 28 Jan with these settings. I don't know why this is not reflecting correctly.
@ramprakash
What is the value you have mentioned in Restrict Search time range?
1800......