We're trying to suppress the warnings for reports that use dbxlookup command to enrich data in the report. We have a pretty simple setup with one search head and indexer. We created a commands.conf file under the $SPLUNK_HOME/etc/system/local/ folder with the following contents. There are no commands.conf files anywhere else on the system except under the defaults folders. After restarting, nothing changed.
Thinking that perhaps this needed to be added under our app local folder, we moved the file there and restarted. Once done, we encountered Java and Python errors running any reports with dbxlookups.
What are we missing? Thanks!
Hi @BradOH
Please could you check the output of btool, does this list the is_risky=false?
$SPLUNK_HOME/bin/splunk cmd btool commands list --debug dbxlookup
As @PickleRick said, make sure not to modify the default/commands.conf in the app, as this could get overwritten, although I would have thought it would work if set in local/commands.conf. Do you have any specific errors you saw when you did this?
Hey, I never heard back from anyone since posting the output of btool. Any suggestions why this setting is not working as documented in the Splunk documentation?
One more thing I'd check would be to call btool with a user and app context. It seems a bit illogical to treat the command differently per this context, in addition to giving a user the capability to run such a command, but it's worth checking.
If it still shows that the setting should effectively be false, it might be worth creating a support case.
Maybe I'm a little dense, but I tried using the --app context and the report was blank, no results. For example I tried both, and the command returned no results:
splunk cmd btool commands list --debug dbxlookup --app=search
splunk cmd btool --app=dbconnect commands list --debug dbxlookup
What am I missing?
I'm not sure, but you might need to use the --user option as well. In my tests I don't see any output if I give --app but don't give --user.
Sorry it took me so long to follow-up, but that was the ticket. Specifying both the App and User contexts identified the source of the issue. It appears the "is_risky" setting is default "true" in the DB_Connect commands.conf. Adding the configuration locally under splunk_app_db_connect\local seems to have fixed it.
That said, I find it strange setting this globally under the system config didn't override this. Guess this is due to it being a default package setting.
Thanks!
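The behaviour reported above matches the two precedence orders Splunk documents. The following is an added example, not code from any poster or from Splunk: a simplified model of the global and app/user orders, assuming commands.conf is resolved in the app/user context, as the btool run with both --app and --user indicated. The user name, the `search` app and the dictionary layout are constructed for illustration; export (.meta) rules and ordering among other apps are not modelled.

```python
# Added example: simplified model of Splunk's documented config layering.
# Directory keys, user name and values are constructed sample data.
GLOBAL = "global"
APP_USER = "app/user"

def layer_order(context, app, user, all_apps):
    """Return config directories from highest to lowest precedence."""
    if context == GLOBAL:
        apps = sorted(all_apps)
        return (["system/local"]
                + [f"apps/{a}/local" for a in apps]
                + [f"apps/{a}/default" for a in apps]
                + ["system/default"])
    # App/user context: user and running-app directories come first,
    # then other apps, and the system directories are consulted last.
    order = [f"users/{user}/{app}/local",
             f"apps/{app}/local", f"apps/{app}/default"]
    for a in sorted(a for a in all_apps if a != app):
        order += [f"apps/{a}/local", f"apps/{a}/default"]
    return order + ["system/local", "system/default"]

def resolve(files, stanza, key, context, app, user):
    """Return (value, source_dir) for stanza/key, or (None, None)."""
    apps = {p.split("/")[1] for p in files if p.startswith("apps/")}
    for d in layer_order(context, app, user, apps):
        value = files.get(d, {}).get(stanza, {}).get(key)
        if value is not None:
            return value, d
    return None, None

# Constructed sample mirroring the thread: the DB Connect app ships
# is_risky = true and the admin sets false only in system/local.
BEFORE = {
    "apps/splunk_app_db_connect/default": {"dbxlookup": {"is_risky": "true"}},
    "system/local": {"dbxlookup": {"is_risky": "false"}},
}
# The fix from the thread: the same override in the app's local directory.
AFTER = dict(BEFORE)
AFTER["apps/splunk_app_db_connect/local"] = {"dbxlookup": {"is_risky": "false"}}

if __name__ == "__main__":
    for name, files in (("before", BEFORE), ("after", AFTER)):
        for ctx in (GLOBAL, APP_USER):
            print(name, ctx, resolve(files, "dbxlookup", "is_risky",
                                     ctx, "search", "admin"))
```

In this model, btool without --app and --user corresponds to the global order, which is why it reported the system/local value while searches still saw the app's default.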
That sounds strange. Settings from system/local are supposed to have the highest priority (except for peer-apps in the case of an indexer cluster).
btool check doesn't report any problems?
Hey, thanks for the suggestion, and based on the debug output, it appears Splunk is "seeing" the configuration (see below), why it's not changing anything is the issue.
C:\Program Files\Splunk\etc\system\local\commands.conf is_risky = false
For the moment, we added the following to web.conf to suppress the warnings, but it's not an optimal situation. We'd definitely prefer to flag individual commands based on our usage.
enable_risky_command_check = false
enable_risky_command_check_dashboard = false
Any thoughts why Splunk would be ignoring the configuration?
Can you place/append your commands.conf file in the app’s default directory, not local, and not in system/local?
Now restart and check if it's taking or not.
Regards,
Prewin
Don't touch app's default directory! It's not supposed to be edited and will get overwritten after next update.