Splunk Search

Is there a way to customize the SPL safeguards feature released in 6.4?

Explorer

All,

Below is a link to the new SPL Safeguards feature that came out it 6.4. It is set up to warn users about dangerous commands to review before running.

I would like to know if this can be customized to other commands and/or also potentially be able to warn against bad search habits like if someone who uses index=* or does NOT include an index= in their search.

http://docs.splunk.com/Documentation/Splunk/6.4.3/Security/SPLsafeguards

Any information would be useful.

Thanks
Rich

SplunkTrust
SplunkTrust

Hi rrowland,

This is un-tested, but reading the docs http://docs.splunk.com/Documentation/Splunk/6.4.3/Security/SPLsafeguards#Turn_off_the_warning_for_a_... one can disable the waring by adding this option

 is_risky = false

to the command in commands.conf. So, I assume you can also set this option is_risky = true to enable the message.

Hope this helps ...

cheers, MuS

Explorer

Thank for your reference MuS, I did read that ability to disable but that is not what I am specifically looking for in this situation. I am more wondering if anyone as found a way to add different commands or scan the SPL syntax for certain common user entry issues that we find to be poor and that cause costly searching. Our environments takes close to 500K searches a day so a poor SPL syntax would just add to the load.

Thanks
Rich

0 Karma

SplunkTrust
SplunkTrust

Splunk 6.5 (just released btw) has some fancy SPL features, one of them (but not limited too) includes:

Real-Time SPL Optimisation
Automatically optimizes query performance
Automatically applies best practice techniques to optimize execution speed of any query

Maybe that's what you are after? But I'm not sure if it really will tell a user you're about to do a crazy search... or tries to do some SPL tuning in the background.
Also maybe have a look at this app https://splunkbase.splunk.com/app/2678/ from my fellow SplunkTrustee @masonmorales

cheers, MuS

Explorer

MuS,

Yes, that is definitely very interesting and I am looking forward to testing that out.

We have forced the requirement of using an index for all users by default search index not going to return any results but unfortunately it does not solve index=*, as I don't believe the SPL optimization will either.

My main concern continues further down the stack as well, wanting users to develop queries that index=, sourcetype= and maybe even host= as well. I expect this is not likely something we will be able to do, probably just need to improve our user base training but with over 2K unique user logins each month it is a large task to train everyone.

Thanks
Rich

0 Karma

SplunkTrust
SplunkTrust

Indeed it is! You can always submit enhancement requests like this on the support portal https://www.splunk.com/en_us/support-and-services.html

I'm pretty sure that something like this requirement could be solved by adding some little js script in a custom dashboard/App and perform some basic SPL verification before the search is actually submitted - but, I'm far from being a web dev guy and just writing down my thoughts 😉

Cheers, MuS

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!