For anyone coming here years later: Real-Time Searches
The gist is this:
It is almost never ideal to allow every user to run real-time searches. There should be very specific use cases, e.g., following someone through a honeynet, looking at real-time high-risk activity, etc. At all other times, and ideally for all other users, RT search capability should be limited.
The link below shows how and what to do:
https://docs.splunk.com/Documentation/Splunk/7.2.6/Search/Restrictrealtimesearch
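One concrete way to apply the restriction the post describes, as an added example that is not part of the original post or of the linked Splunk documentation: a local authorize.conf that removes the rtsearch capability from the built-in user role and grants it back only to a narrowly scoped role. The role name rt_hunter, the file path in the comment, and the quota value are assumptions for illustration.

```ini
# Added example (not from the original post or Splunk's docs).
# Assumed location: $SPLUNK_HOME/etc/system/local/authorize.conf
# (local settings override the defaults shipped in etc/system/default).

# The built-in "user" role ships with rtsearch enabled. Disabling it here
# means ordinary users can no longer run real-time searches or choose a
# real-time window in the time picker.
[role_user]
rtsearch = disabled

# Hypothetical role for the narrow use cases named in the post (honeynet
# follow-along, live high-risk monitoring). It inherits everything else
# from "user" and re-enables real-time search with a small concurrency cap.
[role_rt_hunter]
importRoles = user
rtsearch = enabled
rtSrchJobsQuota = 2
```

Two checks worth making after a restart: capabilities are inherited from imported roles and cannot be revoked in the importing role, so a role that explicitly sets `rtsearch = enabled` (the built-in power and admin roles do) keeps it regardless of what user says; inspect the merged result with `splunk btool authorize list role_power --debug` and set `rtsearch = disabled` under `[role_power]` too if that is intended. Assign rt_hunter only to the handful of analysts who actually need it.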