Hi,
I sugest to use srchTimeWin parameter of authorize.conf which defines per role the maximum time span in seconds allowed for a search executed by a user in this role.
Source : https://docs.splunk.com/Documentation/Splunk/7.2.3/Security/Addandeditroleswithauthorizeconf
Christian
... View more
Hi,
I would say to use srchTimeWin parameter of authorize.conf if your request is for Splunk Enterprise
See :https://docs.splunk.com/Documentation/Splunk/7.2.3/Security/Addandeditroleswithauthorizeconf
The answer of @pkarpushin seems to be for ITSI.
... View more