Deployment Architecture

How to overwrite a default entry in commands.conf from another app

hortonew
Builder

I'd like to push an app that overwrites which script sendemail uses. For instance I pushed:

email_app

bin/sendemail2.py

local/commands.conf
filename = sendemail2.py

metadata/default.meta
[]
access = read : [ * ], write : [ admin, power ]
export = system

Running btool shows that the new config is pulled in, and I've restarted splunk for good measure, however the old sendemail script is still being used. Is it possible to do it this way? It works if I modify etc/apps/search/local/commands.conf, but I'd rather push an app to do it.

0 Karma
1 Solution

woodcock
Esteemed Legend

The best way to override a global default Splunk setting is to place a "null" setting clone of it in the associated local directory. So if you clone this out of /opt/splunk/etc/apps/search/default/commands.conf and you add the last line:

[sendemail]
filename = sendemail.py
streaming = false
run_in_preview = false
passauth = true
required_fields =
changes_colorder = false
supports_rawargs = true
undo_scheduler_escaping = true
disabled=true

The disabled=true and putting this in /opt/splunk/etc/apps/search/local/commands.conf ( local instead of default ) should nullify the original setting completely and then default to your app.

View solution in original post

0 Karma

woodcock
Esteemed Legend

The best way to override a global default Splunk setting is to place a "null" setting clone of it in the associated local directory. So if you clone this out of /opt/splunk/etc/apps/search/default/commands.conf and you add the last line:

[sendemail]
filename = sendemail.py
streaming = false
run_in_preview = false
passauth = true
required_fields =
changes_colorder = false
supports_rawargs = true
undo_scheduler_escaping = true
disabled=true

The disabled=true and putting this in /opt/splunk/etc/apps/search/local/commands.conf ( local instead of default ) should nullify the original setting completely and then default to your app.

0 Karma

hortonew
Builder

Tried that, but it seems it's honoring search/local/commands.conf's disabled=true over my app's disabled=false, even though:

splunk cmd btool commands list --debug
/opt/splunk/etc/apps/email_app/local/commands.conf [sendemail]
/opt/splunk/etc/apps/email_app/local/commands.conf changes_colorder = false
/opt/splunk/etc/apps/email_app/local/commands.conf disabled = false
/opt/splunk/etc/apps/email_app/local/commands.conf filename = sendemail2.py
/opt/splunk/etc/apps/email_app/local/commands.conf passauth = true
/opt/splunk/etc/apps/email_app/local/commands.conf required_fields =
/opt/splunk/etc/apps/email_app/local/commands.conf run_in_preview = false
/opt/splunk/etc/apps/email_app/local/commands.conf streaming = false
/opt/splunk/etc/apps/email_app/local/commands.conf supports_rawargs = true
/opt/splunk/etc/apps/email_app/local/commands.conf undo_scheduler_escaping = true

0 Karma

hortonew
Builder

I changed disable=true to false in search's local. Then also had one in my app with disabled=false. Seems to be working now.

somesoni2
Revered Legend

Why don't you just commentout the one which is available by default in the search app etc/apps/search/default/commands.conf? Since you're making your new sendemail as global, you don't need search apps provided sendemail command definitions anyways.

0 Karma

hortonew
Builder

Might get overwritten on upgrade. Would be nice to maintain all custom configurations on deployment server in case servers have to be rebuilt.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...