Splunk Search

Limitation to search query?

rakesh_498115
Motivator

Hi,

I have written a search query and saved it as a saved search. Now, can I restrict this saved search to be executed only once per day? That is, when I click on the saved search, it should run and fetch the desired results for me only once per day, so that if I try to execute the same saved search again, it should throw an error saying "Search Operation not allowed" or something like this.

Is this possible in Splunk? Or is there any idea of this sort applicable to Splunk? If so, can you please provide me a solution?

Thanks.

1 Solution

lguinn2
Legend

You can schedule a search to run once a day. You can set permissions on the search so that only a limited set of people have access to it (even read access will allow a person to run the search).

You can also find the search in savedsearches.conf and add this to the stanza:

is_visible = false

Now the search will not show up in any menu, even for roles that have read permission. However, the search will still be visible in the Manager -> Searches and Reports for those that have read permissions.

AFAIK, this is the best that you can do to prevent the search from being run. There is no setting that prevents the search from being run more than once a day.
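
Added example, not part of lguinn2's post: the three measures described in the answer (a once-a-day schedule, restricted read permission, and `is_visible = false`) written out as configuration. The stanza name, search string, schedule time, app path placeholder and the `report_admins` role are assumptions made for illustration.

```ini
# Added example; stanza name, search string, schedule time and role name are assumptions.

# $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf
[Daily Error Summary]
search = index=main log_level=ERROR | stats count by host
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
# Let the scheduler run the search once a day, at 06:00
enableSched = 1
cron_schedule = 0 6 * * *
# Hide the search from menus; it is still listed under
# Manager -> Searches and Reports for roles with read permission
is_visible = false

# $SPLUNK_HOME/etc/apps/<app>/metadata/local.meta
# Read access is enough to run the search, so keep the read list short
[savedsearches/Daily%20Error%20Summary]
access = read : [ report_admins ], write : [ admin ]
export = none
```

As the answer notes, none of these settings stops a role with read access from running the search again by hand; they only narrow who can reach it.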

rakesh_498115
Motivator

Thanks for the info. :)
