Splunk Enterprise

Warning User when try to execute outoutlook up command from front end to avoid deleteing accidental records from kvstore

vksplunk1
Explorer

Hi  -  Is there a way to Warning the user when try to execute outoutlook up command from front end to avoid deleting accidental records from kvstore.

 

Thank you

Labels (1)
0 Karma

livehybrid
SplunkTrust
SplunkTrust

Hi @vksplunk1 

Outputlookup is already categorised as a risky command in terms of protection against SPL in links clicked, or in dashboard ("In the Search app, the warning dialog box appears when you click a link or type a URL that loads a search which contains risky commands. In dashboards, the warning dialog box appears automatically unless an input or visualization contains a search with a risky command") however it is not currently possible to display the alert if a user just types it out themselves into the search bar.
Check out https://docs.splunk.com/Documentation/Splunk/9.4.0/Security/SPLsafeguards for more information about this.

 

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

0 Karma
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...