All,
Below is a link to the new SPL Safeguards feature that came out in 6.4. It is set up to warn users about dangerous commands to review before running.
I would like to know if this can be customized to other commands and/or also potentially be able to warn against bad search habits, like if someone uses index=* or does NOT include an index= in their search.
http://docs.splunk.com/Documentation/Splunk/6.4.3/Security/SPLsafeguards
Any information would be useful.
Thanks
Rich
Hi rrowland,
This is un-tested, but reading the docs http://docs.splunk.com/Documentation/Splunk/6.4.3/Security/SPLsafeguards#Turn_off_the_warning_for_a_... one can disable the warning by adding this option
is_risky = false
to the command in commands.conf. So, I assume you can also set this option
is_risky = true
to enable the message.
Hope this helps ...
cheers, MuS
Thanks for your reference MuS, I did read about the ability to disable it, but that is not what I am specifically looking for in this situation. I am more wondering if anyone has found a way to add different commands or scan the SPL syntax for certain common user entry issues that we find to be poor and that cause costly searching. Our environment takes close to 500K searches a day, so poor SPL syntax would just add to the load.
Thanks
Rich
Splunk 6.5 (just released, btw) has some fancy SPL features; one of them (but not limited to) includes:
Real-Time SPL Optimisation
Automatically optimizes query performance
Automatically applies best practice techniques to optimize execution speed of any query
Maybe that's what you are after? But I'm not sure if it really will tell a user you're about to do a crazy search... or whether it just tries to do some SPL tuning in the background.
Also maybe have a look at this app https://splunkbase.splunk.com/app/2678/ from my fellow SplunkTrustee @masonmorales
cheers, MuS
MuS,
Yes, that is definitely very interesting and I am looking forward to testing that out.
We have forced the requirement of using an index for all users (by having the default search index not return any results), but unfortunately that does not solve index=*, and I don't believe the SPL optimization will either.
My main concern continues further down the stack as well: wanting users to develop queries that use index=, sourcetype= and maybe even host= as well. I expect this is not likely something we will be able to do; we probably just need to improve our user base training, but with over 2K unique user logins each month it is a large task to train everyone.
Thanks
Rich
Indeed it is! You can always submit enhancement requests like this on the support portal https://www.splunk.com/en_us/support-and-services.html
I'm pretty sure that something like this requirement could be solved by adding some little js script in a custom dashboard/app and performing some basic SPL verification before the search is actually submitted - but I'm far from being a web dev guy and just writing down my thoughts 😉
Cheers, MuS
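As an added example (not code from this thread, and not Splunk's own SPL Safeguards feature), here is a plain JavaScript check of the kind MuS suggests in the last reply, covering the two habits Rich asked about (index=* and a missing index=) plus a missing sourcetype=. The function names, warning codes and sample searches are constructed for this example; how it is hooked into a dashboard (for instance calling lintSpl() on a search string before the search is submitted) is an assumption and is not shown.

```javascript
// Added example, not from the original thread: a small client-side SPL
// linter that flags index=* and a missing index= (and sourcetype=) before
// a search is run. Plain JavaScript, no Splunk dependency; wiring it into
// a dashboard is assumed and not shown here.

// Return the base search: everything before the first unquoted pipe.
// Quotes are tracked so a "|" inside a quoted value is not treated as a
// command separator; a backslash escapes the next character.
function baseSearch(spl) {
  let inQuote = false;
  for (let i = 0; i < spl.length; i++) {
    const ch = spl[i];
    if (ch === '\\') { i++; continue; }
    if (ch === '"') inQuote = !inQuote;
    else if (ch === '|' && !inQuote) return spl.slice(0, i);
  }
  return spl;
}

// Collect the values assigned to a field in the base search, accepting
// index=foo, index = "foo", INDEX=* and (index=a OR index=b). Returns the
// values with surrounding quotes removed. "index IN (...)" is not handled.
function fieldValues(base, field) {
  const re = new RegExp(
    '(?:^|[\\s(])' + field + '\\s*=\\s*("(?:[^"\\\\]|\\\\.)*"|[^\\s)]+)',
    'gi'
  );
  const values = [];
  let m;
  while ((m = re.exec(base)) !== null) {
    let v = m[1];
    if (v.length >= 2 && v.startsWith('"') && v.endsWith('"')) v = v.slice(1, -1);
    values.push(v);
  }
  return values;
}

// Lint one SPL string. Returns warning codes (empty array = clean).
// Searches that start with a generating command (| tstats, | inputlookup)
// have no base search, so index/sourcetype checks do not apply to them.
function lintSpl(spl) {
  const base = baseSearch(spl).trim();
  if (base === '') return [];
  const warnings = [];
  const indexes = fieldValues(base, 'index');
  if (indexes.length === 0) {
    warnings.push('missing_index');
  } else if (indexes.some((v) => v === '*')) {
    warnings.push('wildcard_index');
  }
  if (fieldValues(base, 'sourcetype').length === 0) {
    warnings.push('missing_sourcetype');
  }
  return warnings;
}

// Policy a dashboard could apply: refuse the expensive cases outright and
// only nag about the rest. The thresholds here are an assumption.
function decide(warnings) {
  if (warnings.includes('missing_index') || warnings.includes('wildcard_index')) return 'block';
  if (warnings.length > 0) return 'warn';
  return 'submit';
}

// Constructed sample searches (not from the thread).
const samples = [
  'index=* error',
  'error | stats count by host',
  'index=web sourcetype=access_combined status=500 | stats count',
  'sourcetype=syslog "index=*|pipe in quotes" | head 5',
  '| tstats count where index=web by sourcetype',
];

for (const s of samples) {
  const w = lintSpl(s);
  console.log(decide(w).padEnd(6), JSON.stringify(w), '<-', s);
}
```

Two caveats a practitioner would want: a macro or saved search can carry the index= term, so the check will produce a false positive there unless macros are expanded first, and the regex does not understand the `index IN (...)` form. Both are reasons to treat this as a warning shown to the user rather than a hard control; the real enforcement still belongs in role-based index restrictions on the server side.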