Hello, I want to limit the access for some external users to all eventtypes.
There are 3 system-default-eventtypes remaining: "internal_search_terms", "splunkd-access", "splunkd-log".
The privileges of these 3 seem to be not changeable.
What is the purpose of these?
And how could I block them for specific users?
Seems that those are eventtypes that only apply to Splunk's internal events. So if the users you want to restrict don't have access to the internal indexes (and they probably shouldn't), they won't be able to use the eventtypes, even though they can see the definitions.
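One way to verify the condition the answer relies on, as an added example that is not part of the original thread and not Splunk's own code: it reads `authorize.conf` text, follows `importRoles` inheritance, and reports which roles can search an internal index. The role names and the sample configuration are constructed; it assumes the text passed in is the full, merged role configuration.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf; every role name here is hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
[role_external_viewer]
importRoles = user
srchIndexesAllowed = web_public
[role_external_support]
importRoles = user
srchIndexesAllowed = main;_*
[role_ops]
importRoles = external_support
"""

def _items(conf, section, key):
    # Both settings used here are semicolon-delimited lists.
    return [v.strip() for v in conf.get(section, key, fallback="").split(";") if v.strip()]

def allowed_patterns(conf, role, seen=None):
    """Collect srchIndexesAllowed for a role, including the roles it imports."""
    seen = set() if seen is None else seen
    section = f"role_{role}"
    if role in seen or not conf.has_section(section):
        return set()
    seen.add(role)  # guards against import cycles
    patterns = set(_items(conf, section, "srchIndexesAllowed"))
    for parent in _items(conf, section, "importRoles"):
        patterns |= allowed_patterns(conf, parent, seen)
    return patterns

def matches_internal(pattern, index="_internal"):
    # A bare "*" does not cover indexes whose names start with "_";
    # only a pattern that itself starts with "_" can match one.
    return pattern.startswith("_") and fnmatchcase(index, pattern)

def roles_with_internal_access(conf_text, index="_internal"):
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.optionxform = str  # keep the camelCase setting names as written
    conf.read_string(conf_text)
    result = {}
    for section in conf.sections():
        if section.startswith("role_"):
            role = section[len("role_"):]
            hits = sorted(p for p in allowed_patterns(conf, role) if matches_internal(p, index))
            if hits:
                result[role] = hits
    return result

print(roles_with_internal_access(SAMPLE_AUTHORIZE_CONF))
```

Any role assigned to the external users that shows up in the result can search the internal index, either directly or through a role it imports.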