Yes, I know, but say someone indeed does run the delete command on all data, it could still create a fair amount of downtime before the Splunk admins are able to figure out what's wrong and restore all the data. If somebody deletes data, say, before a weekend or a holiday, the downtime would be even greater. Also, I'm aware that normally the admin rights are needed to access the delete command, but in my Splunk environment the delete command is basically never needed, so it adds no benefit, but adds a risk. I'm guessing this is the case for a lot of other customers as well. Thus, removing the option completely from the search head would be the best and most secure solution.