Deployment Architecture

How to overwrite a default entry in commands.conf from another app

hortonew
Builder

I'd like to push an app that overwrites which script sendemail uses. For instance I pushed:

email_app

bin/sendemail2.py

local/commands.conf
filename = sendemail2.py

metadata/default.meta
[]
access = read : [ * ], write : [ admin, power ]
export = system

Running btool shows that the new config is pulled in, and I've restarted splunk for good measure, however the old sendemail script is still being used. Is it possible to do it this way? It works if I modify etc/apps/search/local/commands.conf, but I'd rather push an app to do it.

0 Karma
1 Solution

woodcock
Esteemed Legend

The best way to override a global default Splunk setting is to place a "null" setting clone of it in the associated local directory. So if you clone this out of /opt/splunk/etc/apps/search/default/commands.conf and you add the last line:

[sendemail]
filename = sendemail.py
streaming = false
run_in_preview = false
passauth = true
required_fields =
changes_colorder = false
supports_rawargs = true
undo_scheduler_escaping = true
disabled=true

The disabled=true and putting this in /opt/splunk/etc/apps/search/local/commands.conf ( local instead of default ) should nullify the original setting completely and then default to your app.

View solution in original post

0 Karma

woodcock
Esteemed Legend

The best way to override a global default Splunk setting is to place a "null" setting clone of it in the associated local directory. So if you clone this out of /opt/splunk/etc/apps/search/default/commands.conf and you add the last line:

[sendemail]
filename = sendemail.py
streaming = false
run_in_preview = false
passauth = true
required_fields =
changes_colorder = false
supports_rawargs = true
undo_scheduler_escaping = true
disabled=true

The disabled=true and putting this in /opt/splunk/etc/apps/search/local/commands.conf ( local instead of default ) should nullify the original setting completely and then default to your app.

0 Karma

hortonew
Builder

Tried that, but it seems it's honoring search/local/commands.conf's disabled=true over my app's disabled=false, even though:

splunk cmd btool commands list --debug
/opt/splunk/etc/apps/email_app/local/commands.conf [sendemail]
/opt/splunk/etc/apps/email_app/local/commands.conf changes_colorder = false
/opt/splunk/etc/apps/email_app/local/commands.conf disabled = false
/opt/splunk/etc/apps/email_app/local/commands.conf filename = sendemail2.py
/opt/splunk/etc/apps/email_app/local/commands.conf passauth = true
/opt/splunk/etc/apps/email_app/local/commands.conf required_fields =
/opt/splunk/etc/apps/email_app/local/commands.conf run_in_preview = false
/opt/splunk/etc/apps/email_app/local/commands.conf streaming = false
/opt/splunk/etc/apps/email_app/local/commands.conf supports_rawargs = true
/opt/splunk/etc/apps/email_app/local/commands.conf undo_scheduler_escaping = true

0 Karma

hortonew
Builder

I changed disable=true to false in search's local. Then also had one in my app with disabled=false. Seems to be working now.

somesoni2
Revered Legend

Why don't you just commentout the one which is available by default in the search app etc/apps/search/default/commands.conf? Since you're making your new sendemail as global, you don't need search apps provided sendemail command definitions anyways.

0 Karma

hortonew
Builder

Might get overwritten on upgrade. Would be nice to maintain all custom configurations on deployment server in case servers have to be rebuilt.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...