I have found that the capability 'edit_scripted' is required in order to use "runshellscript"
This apparently is undocumented.
What else can I do with "edit_scripted"???
perhaps some capabilities are super-sets of edit_scripted? ie: if you have capability "X" then you don't need "edit_scripted".
I really wish someone who has access to the splunk code would weigh in here!
According to the authorize.conf docs, edit_scripted
lets you edit scripted inputs.
runshellscript
as a search command is not supported: http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Runshellscript
I constructed a role with very few capabilities and could not use runshellscript nor have one of my alerts call a shell script. I added 'edit_scripted' to my pared down role and voila everything started working.
Therefore, I'm guessing that it is a needed capability.
I would love it if someone from Splunk could actually consult the code to answer this question.
Hi... I am not sure if this is true for all. I have been running scripts successfully on v6.2.4 with a generic role without "edit_scripted" capability.