Users are using outputcsv, which generates the output on our filesystem, which they cannot access as non-admins. How can we prevent them from using it (other than stating that fact)?
It is dangerous since this output is generated in the same location as working files ($SPLUNK_HOME/var/run/...).
outputlookup is allowed, so we cannot remove the output_file capability.
@thewolverine, you can restrict users using roles and capabilities from Access controls. The one capability you can remove is "outputfile": "Lets the user create file outputs, including outputcsv (except for dispatch=t mode) and outputlookup."
Above is the definition from the Splunk docs.
You can also control user access from the local.meta file. Remove write access to a specific file for those users.
Hope this helps.
Training seems to be your only solution, then.
How exactly do they keep doing "outputcsv"?
Hmm, though now that I've said that, I wonder if there might be a way to disable the command itself? Maybe look into a local commands.conf that ... I'm not sure, redirects "outputcsv" to a broken thing or something?
Interesting idea; let me know if that leads you anywhere, or if it looks like it might work but you end up with further questions.
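To answer the "how exactly do they keep doing outputcsv?" question above with data rather than guesswork, the following search over Splunk's own `_audit` index lists which users run outputcsv and what file names they write. This is an added example, not from the thread; it assumes the searching role can read `_audit` (admins can by default) and that the captured field is the literal `search` string of each job.

```spl
index=_audit action=search info=granted search="*outputcsv*"
    NOT search="*outputlookup*"
    /* pull the file argument following the outputcsv command; field name csv_target is our own */
| rex field=search "outputcsv\s+(?<csv_target>[^\s|]+)"
| stats count AS runs, latest(_time) AS last_seen, values(csv_target) AS files BY user
| convert ctime(last_seen)
| sort - runs
```

Pairing the `user` column with role membership tells you whether the capability removal mentioned above would actually affect the people doing this, and the `files` column shows what is accumulating under $SPLUNK_HOME/var/run.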