topic Re: Deactivate SPL safeguards on Splunk Enterprise in Splunk Enterprise

How to deactivate SPL safeguards on Splunk Enterprise?

jotne — Thu, 04 May 2023 13:41:42 GMT

I have upgraded my Splunk Enterprise to 9.0 and we now get warning like this:

Some visualizations have not loaded since we detected usage of risky commands in the query.

This is OK, and I now why and this dashboard is for admin use only. So I like to Deactivate the warning for this dashboard only. That way I will get warning if there are other dashboard with dangerous commands. But if I read the documentation, it seems that I can only disable all warning or warning for some commands. I would like to disable warning pr dashboard. Anyone has a workaround?

https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards?ref=hk

Re: Deactivate SPL safeguards on Splunk Enterprise

Azeemering — Mon, 27 Jun 2022 11:37:11 GMT

Hi,

I think it is possible to disable / enable these warning per app level.

So if you add a web.conf in your app
$Splunk_home\Splunk\etc\apps\yourapp\local\web.conf (where your admin dashboard resides)

with

enable_risky_command_check_dashboard=false

This should disbale the warning there.

Re: Deactivate SPL safeguards on Splunk Enterprise

jotne — Tue, 28 Jun 2022 06:13:22 GMT

It did not work.

When I did make a web.conf file like this in one app, it disabled the warning in all apps.

[settings] enable_risky_command_check_dashboard = false

Re: Deactivate SPL safeguards on Splunk Enterprise

seemanshu — Thu, 04 May 2023 07:03:54 GMT

Hi @jotne ,

The following setting in the web.conf will help in specifying the dashboard name,

[settings] enable_risky_command_check_dashboard = false splunk_dashboard_app_name = <string>

Here, splunk_dashboard_app_name will help in disabling the warning to the required app only.

Kindly upvote, if found helpful.