Removing the 'schedule_rtsearch' capability from the default user role


I have a custom authorize.conf that was intended to disable the schedule_rtsearch capability for all users:

schedule_rtsearch =

This config is generating these errors on the peers in the SH cluster:

07-29-2019 10:23:32.159 -0500 WARN AuthorizationManager - Capability 'schedule_rtsearch' had value '' - only 'enabled' is valid. Ignoring...

In the [role_] section of the the authorize.conf documentation for 7.1.7, it says all capabilities are disabled by default:

Note that 'enabled' is the only accepted value here, as capabilities are disabled by default.

But in the [default] stanza of the ~/etc/system/default/authorize.conf file, it's enabled:

splunk@server:[~]> splunk version;splunk btool authorize list default --debug | grep schedule_rtsearch
Splunk 7.1.7 (build 39ea4c097c30)
/opt/splunk/etc/system/default/authorize.conf schedule_rtsearch = enabled

I'm having some difficulty understanding the disconnect. How can I remove this capability from the default user role when authorize.conf does not accept a value other than "enabled"?

0 Karma

Splunk Employee
Splunk Employee

Hi scottprigge,

Did you try not setting the value at all, or removing the value from the $SPLUNK_HOME/etc/system/default/authorize.conf file?

Capabilities are disabled by default, so if you list it in authorize.conf, it expects for you to use enabled as the value. I think the disconnect is that you believe that you have to list the setting even if you want to disable it, that's not the case (since capabilities are disabled by default.)

Give it a try. I'll reply to your feedback email and we can continue the discussion there, or we can also do it here.

0 Karma


Hi scottprigge,

Please provide feedback on the docs page for authorize.conf, the docs team are awesome in checking such findings 😉
It might be just wrong in the docs, or you found a bug.

And yes, the default is in Splunk 7.1.4 as well enabled. But you should be able to disable it by actually using

schedule_rtsearch = disabled

instead of just an empty value for the option.

Hope this helps ...

cheers, MuS


Do not modify default folder instead use local 🙂

0 Karma
Get Updates on the Splunk Community!

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...