Removing the 'schedule_rtsearch' capability from the default user role


I have a custom authorize.conf that was intended to disable the schedule_rtsearch capability for all users:

schedule_rtsearch =

This config is generating these errors on the peers in the SH cluster:

07-29-2019 10:23:32.159 -0500 WARN AuthorizationManager - Capability 'schedule_rtsearch' had value '' - only 'enabled' is valid. Ignoring...

In the [role_] section of the the authorize.conf documentation for 7.1.7, it says all capabilities are disabled by default:

Note that 'enabled' is the only accepted value here, as capabilities are disabled by default.

But in the [default] stanza of the ~/etc/system/default/authorize.conf file, it's enabled:

splunk@server:[~]> splunk version;splunk btool authorize list default --debug | grep schedule_rtsearch
Splunk 7.1.7 (build 39ea4c097c30)
/opt/splunk/etc/system/default/authorize.conf schedule_rtsearch = enabled

I'm having some difficulty understanding the disconnect. How can I remove this capability from the default user role when authorize.conf does not accept a value other than "enabled"?

0 Karma

Splunk Employee
Splunk Employee

Hi scottprigge,

Did you try not setting the value at all, or removing the value from the $SPLUNK_HOME/etc/system/default/authorize.conf file?

Capabilities are disabled by default, so if you list it in authorize.conf, it expects for you to use enabled as the value. I think the disconnect is that you believe that you have to list the setting even if you want to disable it, that's not the case (since capabilities are disabled by default.)

Give it a try. I'll reply to your feedback email and we can continue the discussion there, or we can also do it here.

0 Karma


Hi scottprigge,

Please provide feedback on the docs page for authorize.conf, the docs team are awesome in checking such findings 😉
It might be just wrong in the docs, or you found a bug.

And yes, the default is in Splunk 7.1.4 as well enabled. But you should be able to disable it by actually using

schedule_rtsearch = disabled

instead of just an empty value for the option.

Hope this helps ...

cheers, MuS


Do not modify default folder instead use local 🙂

* If this helps, please upvote or accept solution if it solved *
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...