Removing the 'schedule_rtsearch' capability from the default user role


I have a custom authorize.conf that was intended to disable the schedule_rtsearch capability for all users:

schedule_rtsearch =

This config is generating these errors on the peers in the SH cluster:

07-29-2019 10:23:32.159 -0500 WARN AuthorizationManager - Capability 'schedule_rtsearch' had value '' - only 'enabled' is valid. Ignoring...

In the [role_] section of the the authorize.conf documentation for 7.1.7, it says all capabilities are disabled by default:

Note that 'enabled' is the only accepted value here, as capabilities are disabled by default.

But in the [default] stanza of the ~/etc/system/default/authorize.conf file, it's enabled:

splunk@server:[~]> splunk version;splunk btool authorize list default --debug | grep schedule_rtsearch
Splunk 7.1.7 (build 39ea4c097c30)
/opt/splunk/etc/system/default/authorize.conf schedule_rtsearch = enabled

I'm having some difficulty understanding the disconnect. How can I remove this capability from the default user role when authorize.conf does not accept a value other than "enabled"?

0 Karma

Splunk Employee
Splunk Employee

Hi scottprigge,

Did you try not setting the value at all, or removing the value from the $SPLUNK_HOME/etc/system/default/authorize.conf file?

Capabilities are disabled by default, so if you list it in authorize.conf, it expects for you to use enabled as the value. I think the disconnect is that you believe that you have to list the setting even if you want to disable it, that's not the case (since capabilities are disabled by default.)

Give it a try. I'll reply to your feedback email and we can continue the discussion there, or we can also do it here.

0 Karma


Hi scottprigge,

Please provide feedback on the docs page for authorize.conf, the docs team are awesome in checking such findings 😉
It might be just wrong in the docs, or you found a bug.

And yes, the default is in Splunk 7.1.4 as well enabled. But you should be able to disable it by actually using

schedule_rtsearch = disabled

instead of just an empty value for the option.

Hope this helps ...

cheers, MuS


Do not modify default folder instead use local 🙂

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...