I just installed Splunk 6.6.2 free.
Is there a way to modify free user capability, in my situation I would like disable delete capability.
At this moment, I create a new user and i'm able to delete events using CLI, with command:
index= somethingtodelete | delete
Thanks in advance.
Hi there, edit the capabilities of the role related to that user or check if role user ineherits can_delete capability from other role.
If you are using the free Enterprise trial, then check alemarzu's suggestion.
If you are using Splunk Free, then there is no user or role management (see About Splunk Free in the Admin Manual).
The fact that you could create a user account suggests that you are using the 60-day free Enterprise trial, which is what you get when you first download and install Splunk Enterprise.
I didn't create a user, as you said it is the user (no-user) of the Splunk-free version.
I modified the license from trial to free.
In he Admin Manual, about free version, there is not a description of the enabled capabilities.
I expected that even if there is not role management the events access/deletion could be managed.
Quoting from that topic: "All accesses are treated as equivalent to the admin user. There is only one role (admin), and it is not configurable. You cannot add more roles or create user accounts." The admin role has all the capabilities listed here, and you cannot configure or manage them under the free license.
@ChrisG that's not true. According the manual, Admin has not the deletebykeyword capability. In Splunk Free this capability is active.