Hi Experts,
I created an app for monitoring purposes; in this app I am showing stats and features of different applications.
For search purposes I also added "search" to the navigation menu.
For that app I created different users to watch and monitor. But in the search menu the users have options to save the search as an Alert and forward the events to the mailbox using Send Mail in the alert.
How do I restrict users from creating new Alerts? What is the right way to create roles and capabilities with different functionality?
Thanks
schedule_search is the capability which enables the user to save search as alert.
schedule_search: Lets the user schedule saved searches, create and update alerts, and review triggered alert information.
So if you do not want to give schedule_search permissions, create a separate role, add only the required permissions and assign the role to the user.
Refer to the Table of Splunk platform capabilities for more details about Splunk roles & capabilities.
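One way to verify the role described in the answer above, as an added example that is not part of the original post: it resolves a role's effective capabilities from authorize.conf text, including those pulled in through importRoles, and reports whether schedule_search is among them. The role names and the sample configuration are constructed; the code assumes the authorize.conf layout of `[role_<name>]` stanzas, `<capability> = enabled` lines, and a semicolon-separated `importRoles` list.

```python
import configparser

# Constructed sample authorize.conf content; all role names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_base_searcher]
search = enabled
schedule_search = enabled

[role_monitor_viewer]
search = enabled
srchIndexesAllowed = main

[role_monitor_inherits]
importRoles = base_searcher
search = enabled
"""

def load_roles(text):
    """Return {role: (own_capabilities, imported_roles)} from authorize.conf text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case so importRoles is matched exactly
    parser.read_string(text)
    roles = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue
        opts = dict(parser[section])
        imports = [r.strip() for r in opts.pop("importRoles", "").split(";") if r.strip()]
        # Only "<name> = enabled" lines are capabilities; other settings are skipped.
        caps = {k for k, v in opts.items() if v.strip().lower() == "enabled"}
        roles[section[len("role_"):]] = (caps, imports)
    return roles

def effective_capabilities(roles, name, seen=None):
    """Own capabilities plus everything inherited through importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # guard against cycles and unknown roles
        return set()
    seen.add(name)
    caps, imports = roles[name]
    result = set(caps)
    for parent in imports:
        result |= effective_capabilities(roles, parent, seen)
    return result

def can_create_alerts(roles, name):
    return "schedule_search" in effective_capabilities(roles, name)

if __name__ == "__main__":
    parsed = load_roles(SAMPLE_AUTHORIZE_CONF)
    for role in sorted(parsed):
        print(role, "schedule_search:", can_create_alerts(parsed, role))
```

In the sample, the role that imports another role still ends up with schedule_search, so a restricted role should be checked for inherited capabilities as well as its own.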