Solved: Custom search commands and authorize.conf in 4.1?

Lowell · ‎05-28-2010

When setting up a custom search command, is it still necessary to setup authorize.conf entries like this in Splunk 4.1?

[capability::run_script_dothething]

[role_Admin] 
run_script_dothething = enabled

Or has it been replaced in favor of metadata entries? Like so:

[commands/dothething]
access = read : [ admin ], write : [ admin ]
owner = nobody
export = system

Are these equivalent?

gkanapathy · ‎05-29-2010

The settings in authorize.conf for controlling access to search commands have been replaced by the settings in the .meta files as of 4.0. The run_script_* settings no longer do anything. (Also note that settings for role_Admin should be role_admin as of 4.0, as the name of the role changes from Admin to admin then.)

View solution in original post

gkanapathy · ‎05-29-2010

The settings in authorize.conf for controlling access to search commands have been replaced by the settings in the .meta files as of 4.0. The run_script_* settings no longer do anything. (Also note that settings for role_Admin should be role_admin as of 4.0, as the name of the role changes from Admin to admin then.)

Custom search commands and authorize.conf in 4.1?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...