Re: Deactivate SPL safeguards on Splunk Enterprise

jotne · ‎06-27-2022

I have upgraded my Splunk Enterprise to 9.0 and we now get warning like this:

Some visualizations have not loaded since we detected usage of risky commands in the query.

This is OK, and I now why and this dashboard is for admin use only. So I like to Deactivate the warning for this dashboard only. That way I will get warning if there are other dashboard with dangerous commands. But if I read the documentation, it seems that I can only disable all warning or warning for some commands. I would like to disable warning pr dashboard. Anyone has a workaround?

https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/SPLsafeguards?ref=hk

Azeemering · ‎06-27-2022

Hi,

I think it is possible to disable / enable these warning per app level.

So if you add a web.conf in your app
$Splunk_home\Splunk\etc\apps\yourapp\local\web.conf (where your admin dashboard resides)

with

enable_risky_command_check_dashboard=false

This should disbale the warning there.

jotne · ‎06-27-2022

It did not work.

When I did make a web.conf file like this in one app, it disabled the warning in all apps.

[settings]
enable_risky_command_check_dashboard = false

seemanshu · ‎05-04-2023

Hi @jotne ,

The following setting in the web.conf will help in specifying the dashboard name,

[settings]
enable_risky_command_check_dashboard = false
splunk_dashboard_app_name = <string>

Here, splunk_dashboard_app_name will help in disabling the warning to the required app only.

Kindly upvote, if found helpful.

How to deactivate SPL safeguards on Splunk Enterprise?

using Splunk Enterprise

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?