I'd like to push an app that overwrites which script sendemail uses. For instance I pushed:
filename = sendemail2.py
access = read : [ * ], write : [ admin, power ]
export = system
Running btool shows that the new config is pulled in, and I've restarted splunk for good measure, however the old sendemail script is still being used. Is it possible to do it this way? It works if I modify etc/apps/search/local/commands.conf, but I'd rather push an app to do it.
Why don't you just commentout the one which is available by default in the search app etc/apps/search/default/commands.conf? Since you're making your new sendemail as global, you don't need search apps provided sendemail command definitions anyways.
Might get overwritten on upgrade. Would be nice to maintain all custom configurations on deployment server in case servers have to be rebuilt.
The best way to override a global default Splunk setting is to place a "null" setting clone of it in the associated
local directory. So if you clone this out of
/opt/splunk/etc/apps/search/default/commands.conf and you add the last line:
[sendemail] filename = sendemail.py streaming = false run_in_preview = false passauth = true required_fields = changes_colorder = false supports_rawargs = true undo_scheduler_escaping = true disabled=true
disabled=true and putting this in
local instead of
default ) should nullify the original setting completely and then default to your app.
Tried that, but it seems it's honoring search/local/commands.conf's disabled=true over my app's disabled=false, even though:
splunk cmd btool commands list --debug
/opt/splunk/etc/apps/emailapp/local/commands.conf changescolorder = false
/opt/splunk/etc/apps/emailapp/local/commands.conf disabled = false
/opt/splunk/etc/apps/emailapp/local/commands.conf filename = sendemail2.py
/opt/splunk/etc/apps/emailapp/local/commands.conf passauth = true
/opt/splunk/etc/apps/emailapp/local/commands.conf requiredfields =
/opt/splunk/etc/apps/emailapp/local/commands.conf runinpreview = false
/opt/splunk/etc/apps/emailapp/local/commands.conf streaming = false
/opt/splunk/etc/apps/emailapp/local/commands.conf supportsrawargs = true
/opt/splunk/etc/apps/emailapp/local/commands.conf undoscheduler_escaping = true
I changed disable=true to false in search's local. Then also had one in my app with disabled=false. Seems to be working now.