I want to be able to prevent some users from using the collect command. How do I do that? Is there a capability that controls whether or not a user has permission to run collect?
This is not currently possible. See: http://answers.splunk.com/answers/128764/restrict-a-users-ability-to-write-to-indexes.html
OK, this is an old topic, and it seems that at that time, in 2015, this feature was not there.
Now, authorize.conf gives a way to grant/remove the collect command for a user:
[capability::run_collect]
* Lets a user run the collect command.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf
(At the time of this writing, the current Splunk version is 7.1.2.)
Verified that the collect command is connected to the authorize.conf permission [capability::indexes_edit]