And you would need to make sure that the role could only use the dashboard(s) that you built. One way to do this is to also create an App and add the dashboard(s) to it. Then set the user role to start in that App - and set all the permissions for all the Apps so that the user can't access anything but the App you created.
I think the problem may be this (I am doing some guessing here):
You are monitoring a directory and have Splunk doing automatic sourcetyping - which is appropriate. I expect that nothing has overridden this setting. When Splunk can't figure out a sourcetype for an input because there is insufficient data, it defaults the sourcetype to "somename-too_small".
Your configuration specifies that all data of this sourcetype is to be ignored.
But there isn't really any data that has been assigned this sourcetype - it's an artifact of Splunk's parsing. I think it should work anyway, but it doesn't seem to. I don't think you will find any help with btool because of this.
BUT - I think there are better ways to solve this problem. Assigning data to the null queue is relatively inefficient and should be a last resort anyway. Here are some other ideas:
1 - If you don't want any data from this file, blacklist it in the inputs. Find the input that is collecting the directory where this file lives, and put in a blacklist entry for the name of the file. More info about blacklisting an input
2 - If you want the data, but just don't want it to show up as "somename-too_small", override the sourcetype name in props.conf More info on overriding the automatic sourcetype
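The two alternatives from the post above, sketched as configuration. This is an added example, not part of the original post; the directory `/var/log/myapp`, the file name `tiny.log` and the sourcetype name `myapp_log` are placeholders for your own values.

```ini
# ---- inputs.conf: option 1, do not collect the file at all ----
# blacklist is a regular expression matched against the full path of
# each file under the monitored directory; matching files are skipped,
# so nothing is read and nothing has to be discarded later.
[monitor:///var/log/myapp]
blacklist = tiny\.log$

# ---- props.conf: option 2, keep the data under a fixed sourcetype ----
# A source:: stanza names the sourcetype explicitly, so automatic
# sourcetyping never has to fall back to "<name>-too_small".
# Use this instead of option 1, not together with it: a blacklisted
# file produces no events to rename.
[source::/var/log/myapp/tiny.log]
sourcetype = myapp_log
```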