Any ideas on how to disable outputcsv for users?


Users are using outputcsv, which generates the output on our filesystem, which they cannot access as non-admins. How can we prevent them from using it (other than stating that fact)?

It is dangerous since this output is generated in the same location as working files ($SPLUNK_HOME/var/run/...)


outputlookup is allowed so we cannot remove output_file capability.

0 Karma


@the_wolverine, you can restrict the users using roles and capabilities from Access controls. The one capability you can remove is "output_file": Lets the user create file outputs, including outputcsv (except for dispatch=t mode) and outputlookup.

Above is the definition from Splunk docs.

You can also control the user access from local.meta file. Remove write access to those users for a specific file.

Hope this helps.


0 Karma


Yes, however our users MUST be allowed to outputlookup. So cannot remove this capability.

0 Karma


Training seems to be your only solution, then.

How exactly do they keep doing "outputcsv"?

Hmm, though now that I've said that, I wonder if there might be a way to disable the command itself? Maybe look into a local commands.conf that ... I'm not sure, redirects "outputcsv" to a broken thing or something?

Interesting idea, let me know if that leads you anywhere or if that looks like it might work, but you end up with further questions.

0 Karma