Splunk Enterprise

The is_risky parameter not working as expected

BradOH
Explorer

We're trying to suppress the warnings for reports that use the dbxlookup command to enrich data in the report. We have a pretty simple setup with one search head and indexer. We created a commands.conf file under the $SPLUNK_HOME/etc/system/local/ folder with the following contents. There are no commands.conf files anywhere else on the system except under the default folders. After restarting, nothing changed.

# Disable dbxlookup security warnings in reports
[dbxlookup]
is_risky = false


Thinking that perhaps this needed to be added under our app's local folder, we moved the file there and restarted. Once done, we encountered Java and Python errors running any reports with dbxlookups.

What are we missing? Thanks!

0 Karma

livehybrid
Ultra Champion

Hi @BradOH 

Please could you check the output of btool; does it list is_risky=false?

$SPLUNK_HOME/bin/splunk cmd btool commands list --debug dbxlookup

As @PickleRick said, make sure not to modify the default/commands.conf in the app as this could get overwritten, although I would have thought it would work if set in local/commands.conf. Do you have any specific errors you saw when you did this?


BradOH
Explorer

Hey, I never heard back from anyone since posting the output of btool. Any suggestions why this setting is not working as documented in the Splunk documentation?

0 Karma

PickleRick
SplunkTrust

One more thing I'd check would be to call btool with a user and app context. It seems a bit illogical to treat the command differently per this context, in addition to giving a user the capability to run such a command, but it's worth checking.

If it still shows that the setting should effectively be false, it might be worth creating a support case.

0 Karma

BradOH
Explorer

Maybe I'm a little dense, but I tried using the --app context and the report was blank, no results. For example, I tried both of these, and the command returned no results:

splunk cmd btool commands list --debug dbxlookup --app=search

splunk cmd btool --app=dbconnect commands list --debug dbxlookup

What am I missing?

0 Karma

PickleRick
SplunkTrust

I'm not sure, but you might need to use the --user option as well. In my tests I don't see any output if I give --app but don't give --user.

0 Karma

BradOH
Explorer

Hey, thanks for the suggestion. Based on the debug output, it appears Splunk is "seeing" the configuration (see below); why it's not changing anything is the issue.

C:\Program Files\Splunk\etc\system\local\commands.conf is_risky = false

For the moment, we added the following to web.conf to suppress the warnings, but it's not an optimal situation. We'd definitely prefer to flag individual commands based on our usage.

enable_risky_command_check = false
enable_risky_command_check_dashboard = false

Any thoughts why Splunk would be ignoring the configuration?

0 Karma
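To reason about which commands.conf definition should win before opening a support case, here is an added example (not from this thread or from Splunk) that layers the files the way btool's global context does and also flags the web.conf workaround above, since turning the risky-command check off globally removes the warning for every command, not just dbxlookup. It assumes the documented global precedence (highest first: system/local, app/local, app/default, system/default) and builds a constructed sample tree; the app name "dbconnect" is the one used in the thread, not a real directory name.

```python
import configparser
import tempfile
from pathlib import Path

# Lowest to highest priority for the global (no --app/--user) context.
LAYERS = ["system/default", "apps/{app}/default", "apps/{app}/local", "system/local"]


def effective_setting(splunk_etc, app, stanza, key, conf="commands.conf"):
    """Return (value, source_path) for the winning definition, or (None, None)."""
    winner = (None, None)
    for layer in LAYERS:
        path = Path(splunk_etc) / layer.format(app=app) / conf
        if not path.is_file():
            continue
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
        cp.read(path)
        if cp.has_option(stanza, key):
            winner = (cp.get(stanza, key), str(path))  # later layer overrides earlier
    return winner


def global_risky_check_disabled(splunk_etc):
    """True if web.conf turns the risky-command check off for all commands (the blunt workaround)."""
    value, _ = effective_setting(splunk_etc, "search", "settings",
                                 "enable_risky_command_check", conf="web.conf")
    return value is not None and value.strip().lower() in ("false", "0")


def build_demo(root):
    """Constructed sample layout: the app's default marks the command risky,
    system/local tries to override it, and web.conf carries the global kill switch."""
    files = {
        "apps/dbconnect/default/commands.conf": "[dbxlookup]\nis_risky = true\n",
        "system/local/commands.conf": "# Disable dbxlookup warnings\n[dbxlookup]\nis_risky = false\n",
        "system/local/web.conf": "[settings]\nenable_risky_command_check = false\n",
    }
    for rel, body in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)


def demo():
    """Resolve is_risky for dbxlookup and report whether the global check is disabled."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        value, source = effective_setting(tmp, "dbconnect", "dbxlookup", "is_risky")
        return value, Path(source).parts[-3:], global_risky_check_disabled(tmp)
```

If this resolves to false from system/local, matching the btool --debug line above, the layering is not the problem and the behaviour is worth a support case.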

PrewinThomas
Builder

@BradOH 

Can you place/append your commands.conf file in the app's default directory, not local, and not in system/local?

Now restart and check if it's taking or not.


Regards,
Prewin

0 Karma

PickleRick
SplunkTrust

Don't touch the app's default directory! It's not supposed to be edited and will get overwritten after the next update.

0 Karma