Splunk Free has no authentication or access control. Even if you could disable it via a role permissions update, there's nothing stopping someone from just re-enabling it. All GUI users of Splunk Free have effective admin rights.
Thanks for confirming what I was finding. I knew there was no RBAC system, but was hoping I could simply remove that capability via a .conf file or something.
It seems like you should be able to stop Splunk, edit a conf file, and enable/disable the delete function, then restart Splunk. This would allow you to do occasional cleanup activities after some event mucks everything up. The way we use Splunk it would be crazy to pay for a license, but it seems you should have the ability to stop anyone from using delete. Of course they have every right to make their money, but $2k a year for something that sits collecting forensic data "in case" would be pretty hard to justify to the bean counters. So I agree with mrjester. I was hoping that as well. Maybe the better question here would be, how hard is it to reclaim what someone deleted?