topic Re: The is_risky parameter not working as expected in Splunk Enterprise

The is_risky parameter not working as expected

BradOH — Thu, 10 Jul 2025 16:26:26 GMT

We're trying to suppress the warnings for reports that use dbxlookup command to enrich data in the report. We have a pretty simple setup with one search head and indexer. We created a commands.conf file under the $SPLUNK_HOME/etc/system/local/ folder with the following contents. There are no commands.conf files anywhere else on the system except under the defaults folders. After restarting, nothing changed.

# Disable dbxlookup security warnings in reports

[dbxlookup]

is_risky = false

Thinking that perhaps this needed to be added under our app local folder, we moved the file there and restarted. Once done, we encountered java and python errors running any reports with dbxlookups.

What are we missing? Thanks!

Re: The is_risky parameter not working as expected

PrewinThomas — Fri, 11 Jul 2025 06:45:07 GMT

@BradOH

Can you place/append your commands.conf file in the app’s default directory, not local, and not in system/local.

Now restart and check if it's taking or not.

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Re: The is_risky parameter not working as expected

PickleRick — Fri, 11 Jul 2025 07:04:01 GMT

Don't touch app's default directory! It's not supposed to be edited and will get overwritten after next update.

Re: The is_risky parameter not working as expected

livehybrid — Mon, 14 Jul 2025 09:07:57 GMT

Hi @BradOH

Please could you check the output of btool, does this list the is_risky=false?

$SPLUNK_HOME/bin/splunk cmd btool commands list --debug dbxlookup

As @PickleRick said - Make sure not to modify the default/commands.conf in the app as this could get overwritten, although would have thought it would work if set in local/commands.conf - Do you have any specific errors you saw when you did this?

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: The is_risky parameter not working as expected

BradOH — Tue, 15 Jul 2025 13:36:53 GMT

Hey, thanks for the suggestion, and based on the debug output, it appears Splunk is "seeing" the configuration (see below), why it's not changing anything is the issue.

C:\Program Files\Splunk\etc\system\local\commands.conf is_risky = false

For the moment, we added the following to web.conf to suppress the warnings, but it's not an optimal situation. We'd definitely prefer to flag individual commands based on our usage.

enable_risky_command_check = false
enable_risky_command_check_dashboard = false

Any thoughts why Splunk would be ignoring the configuration?

Re: The is_risky parameter not working as expected

BradOH — Thu, 24 Jul 2025 17:25:57 GMT

Hey, I never heard back from anyone since posting the output of btool. Any suggestions why this setting is not working as documented in the Splunk documentation?

Re: The is_risky parameter not working as expected

PickleRick — Thu, 24 Jul 2025 17:52:37 GMT

One more thing I'd check would be to call the btool with a user and app context. It seems a bit illogical to treat the command differently per this context additionally to giving a user capability to run such command but it's worth checking.

If it still shows that the setting should effectively be false, it might be worth creating a support case.

Re: The is_risky parameter not working as expected

BradOH — Wed, 30 Jul 2025 19:15:31 GMT

Maybe I'm a little dense, but I tried using the --app context and the report was blank, no results. For example I tried both, and the command returned no results:

splunk cmd btool commands list --debug dbxlookup --app=search

splunk cmd btool --app=dbconnect commands list --debug dbxlookup

What am I missing?

Re: The is_risky parameter not working as expected

PickleRick — Thu, 31 Jul 2025 13:41:42 GMT

I'm not sure but you might need to have to use the --user option as well. In my tests I don't see any output if I give --app but not give --user

Re: The is_risky parameter not working as expected

BradOH — Thu, 14 Aug 2025 20:35:31 GMT

Sorry it took me so long to follow-up, but that was the ticket. Specifying both the App and User contexts identified the source of the issue. It appears the "is_risky" setting is default "true" in the DB_Connect commands.conf. Adding the configuration locally under splunk_app_db_connect\local seems to have fixed it.

That said, I find it strange setting this globally under the system config didn't override this. Guess this is due to it being a default package setting.

Thanks!

Re: The is_risky parameter not working as expected

richgalloway — Thu, 14 Aug 2025 21:14:16 GMT

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

Re: The is_risky parameter not working as expected

PickleRick — Fri, 15 Aug 2025 06:02:00 GMT

That sounds strange. Settings from system/local are supposed to have the highest priority (except for peer-apps in case if an indexer cluster).

btool check doesn't report any problems?