Below is a link to the new SPL Safeguards feature that came out in 6.4. It is set up to warn users about dangerous commands to review before running.
I would like to know if this can be customized to other commands and/or also potentially be able to warn against bad search habits, like if someone uses index=* or does NOT include an index= in their search.
Any information would be useful.
This is untested, but reading the docs http://docs.splunk.com/Documentation/Splunk/6.4.3/Security/SPLsafeguards#Turn_off_the_warning_for_a_... one can disable the warning by adding this option
is_risky = false
to the command in commands.conf. So, I assume you can also set this option
is_risky = true
to enable the message.
Hope this helps ...
Thanks for your reference, MuS. I did read about the ability to disable it, but that is not what I am specifically looking for in this situation. I am more wondering if anyone has found a way to add different commands or scan the SPL syntax for certain common user entry issues that we find to be poor and that cause costly searching. Our environment takes close to 500K searches a day, so poor SPL syntax would just add to the load.
Splunk 6.5 (just released, btw) has some fancy SPL features, one of them (but not limited to) includes:
Real-Time SPL Optimisation: Automatically optimizes query performance. Automatically applies best-practice techniques to optimize execution speed of any query.
Maybe that's what you are after? But I'm not sure if it really will tell a user "you're about to do a crazy search..." or tries to do some SPL tuning in the background.
Also maybe have a look at this app https://splunkbase.splunk.com/app/2678/ from my fellow SplunkTrustee @masonmorales
Yes, that is definitely very interesting and I am looking forward to testing that out.
We have forced the requirement of using an index for all users, as the default search index is not going to return any results, but unfortunately it does not solve index=*, and I don't believe the SPL optimization will either.
My main concern continues further down the stack as well, wanting users to develop queries that use index=, sourcetype= and maybe even host= as well. I expect this is not likely something we will be able to do; we probably just need to improve our user base training, but with over 2K unique user logins each month it is a large task to train everyone.
Indeed it is! You can always submit enhancement requests like this on the support portal https://www.splunk.com/en_us/support-and-services.html
I'm pretty sure that something like this requirement could be solved by adding a little JS script in a custom dashboard/app and performing some basic SPL verification before the search is actually submitted - but I'm far from being a web dev guy and just writing down my thoughts 😉
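Sketching the pre-submit check the last reply describes, as an added example that is not part of the thread and not Splunk's own code: a small JavaScript linter that a custom dashboard could run over the search string before submitting it. It flags the two habits the question names (a missing index= and index=*), plus wildcard index names and a missing sourcetype=. The function names (baseSegment, fieldValues, lintSpl, shouldSubmit), the REQUIRED_FIELDS list, the warning texts and the sample searches are all assumptions made for this illustration; wiring it into a particular dashboard framework is left to the reader.

```javascript
// Added example, not code from the thread or from Splunk: a pre-submit SPL
// linter that a custom dashboard's JavaScript could run before handing the
// search string to Splunk. All names below are hypothetical.

// Fields a base search must constrain. The thread asks for index= first and
// sourcetype= / host= as further tightening; adjust the list to taste.
const REQUIRED_FIELDS = ['index', 'sourcetype'];

// Return the base search: the text before the first '|' that is not inside
// double quotes, with [subsearch] bodies removed. Subsearch contents are
// dropped because an index= inside one does not constrain the outer search.
function baseSegment(spl) {
  let out = '';
  let depth = 0;
  let inQuote = false;
  for (let i = 0; i < spl.length; i++) {
    const ch = spl[i];
    if (ch === '"' && spl[i - 1] !== '\\') {
      inQuote = !inQuote;
    } else if (!inQuote) {
      if (ch === '[') { depth++; continue; }
      if (ch === ']') { depth = Math.max(0, depth - 1); continue; }
      if (ch === '|' && depth === 0) break;
    }
    if (depth === 0) out += ch;
  }
  return out;
}

// Collect the values assigned to one field in a search segment. Accepts
// field=value, field="quoted value" and field = value; quotes are stripped.
// Field names are matched case-sensitively, as Splunk treats them.
function fieldValues(segment, field) {
  const re = new RegExp('\\b' + field + '\\s*=\\s*(?:"([^"]*)"|([^\\s)]+))', 'g');
  const values = [];
  let m;
  while ((m = re.exec(segment)) !== null) {
    values.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return values;
}

// Lint one search string and return a list of warnings (empty = clean).
function lintSpl(spl, requiredFields = REQUIRED_FIELDS) {
  const warnings = [];
  const trimmed = spl.trim();
  // A search that starts with a generating command (| inputlookup, | rest,
  // | metadata ...) does not scan an index, so these checks do not apply.
  if (trimmed.startsWith('|')) return warnings;
  const base = baseSegment(trimmed);
  for (const field of requiredFields) {
    const values = fieldValues(base, field);
    if (values.length === 0) {
      warnings.push(`No ${field}= in the base search`);
      continue;
    }
    if (field === 'index') {
      for (const v of values) {
        if (v === '*') {
          warnings.push('index=* searches every index; name the indexes you need');
        } else if (v.includes('*')) {
          warnings.push(`index=${v} is a wildcard; prefer an explicit index name`);
        }
      }
    }
  }
  return warnings;
}

// Gate a submission. confirmFn (window.confirm in a browser) lets the user
// override, mirroring the SPL safeguards prompt; returns true to proceed.
function shouldSubmit(spl, confirmFn) {
  const warnings = lintSpl(spl);
  if (warnings.length === 0) return true;
  const msg = 'This search may be expensive:\n- ' + warnings.join('\n- ') + '\nRun it anyway?';
  return Boolean(confirmFn(msg));
}

// Constructed sample searches for a stand-alone run.
const SAMPLES = [
  'index=* | stats count',
  'error | stats count',
  'index=web sourcetype=access_combined status=500 | stats count by uri',
  'sourcetype=x [search index=lookup_src | fields ip] | stats count',
  '| inputlookup users.csv',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', lintSpl(s));
}
```

The check is deliberately string-level: it only looks at the base search, ignores subsearch bodies and skips searches that start with a generating command. It will therefore miss an index constraint hidden inside a macro or supplied through a later command, and it cannot tell whether a named index is actually a cheap one; treat it as a nudge in the dashboard, not as access control, which still belongs in the role's allowed and default indexes.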