I want to be able to prevent some users from using the collect command. How to do that? Is there a capability that controls whether or not a user has permission to run collect?
This is not currently possible. See: http://answers.splunk.com/answers/128764/restrict-a-users-ability-to-write-to-indexes.html
View solution in original post
ok, this is an old topic and it seems at that time of 2015 this feature was not there..
and now, authorize.conf gives a way to grant/remove this collect command from a user...
* Lets a user run the collect command.
(at this time of this writing the current splunk version is 7.1.2)
Verified that the collect command is connected to the authorize.conf permission [capability::indexes_edit]