How to disable realtime searches for the power use...

skoelpin · ‎10-03-2017

I'm wanting to disable real-time searches for the roles 'user' and power-user'. For the user role, I removed most of the capabilities including rtsearch. When I login as a local user account, I do not see the real-time search functionality available which I expect. When I do the same thing for the power-user role, the user still has the real-time functionality.

Here's the additional capabilities the power-user has that the regular user does not have

edit_sourcetypes
embed_report
list_settings
schedule_search
search_process_config_refresh

gjanders · ‎10-04-2017

Perhaps run:

splunk btool props list --debug

Confirm the rtsearch does not have the = enabled flag on it, if it does try adding this to the relevant section of your authorize.conf:

rtsearch =
schedule_rtsearch =

Also note that if you have used something like admin_all_objects = enabled this will override the above permissions and allow the scheduling of real time searches even if rtsearch = (blank).

Note that I have not written rtsearch = disabled as the authorize.conf documentation states:

<capability> = <enabled>
* A capability that is enabled for this role.
* You can list many of these.
* Note that 'enabled' is the only accepted value here, as capabilities are
  disabled by default.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

somesoni2 · ‎10-03-2017

Did you check via btool what are the effective capabilities for the power user role? Removing rtsearch should've been sufficient (https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Search/Restrictrealtimesearch#Disable_real-t...)

How to disable realtime searches for the power user role?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk