Splunk® Enterprise

Search Manual

Control access to the custom command and script

After you write the script and add it to commands.conf, you are good to go.

By default, all roles have read access to commands.conf, but only admins have write access. This means that all roles can run the commands listed in commands.conf, unless the access controls are explicitly changed for an individual command. If you want to restrict the usage of the command to certain roles or users, you must modify the access controls for the command.

Change custom command permissions

You can modify the access controls through the Settings menu, or by editing the default.meta.conf file.

Change permissions in Splunk Web

You can use the Settings menu to change the access controls for a command, by user role.

1. In Splunk Web, select Settings, Advanced search.

2. Click Search commands.

3. Under the Sharing column for the search command, click Permissions.
This opens the Permissions view for the selected search command. Use this page to specify:

  • If the command should appear in the current app or all apps.
  • Which roles have read and write access to the command.

4. Don't forget to save your changes!

Change permissions in the default.meta.conf file

You can change the access controls for a command using the default.meta.conf file, which is located in the $SPLUNK_HOME/etc/apps/<app_name>/metadata/ directory.

The following example shows the default access for the commands.conf and the access permissions for the input command, which you cannot run unless you are an admin.

[commands]
access = read : [ * ], write : [ admin ]
export = system

[commands/input]
access = read : [ admin ], write : [ admin ]
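
An added example, not part of the Splunk documentation: a short Python audit that parses a default.meta file and reports which custom commands every role can still run. The sample file contents and the command name mycommand are constructed, and the fallback from [commands/<name>] to [commands] models the default-versus-override behavior described above.

```python
import re

# Constructed sample of a metadata/default.meta file (not from a real app).
SAMPLE_META = """\
[commands]
access = read : [ * ], write : [ admin ]
export = system

[commands/input]
access = read : [ admin ], write : [ admin ]
"""

STANZA = re.compile(r"^\[([^\]]*)\]\s*$")
ACL = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")


def parse_meta(text):
    """Return {stanza: {key: value}} for a default.meta style file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA.match(line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def effective_access(stanzas, command):
    """Resolve read/write roles: [commands/<name>] wins, else [commands]."""
    for name in ("commands/" + command, "commands"):
        value = stanzas.get(name, {}).get("access")
        if value:
            return {perm: [r.strip() for r in roles.split(",") if r.strip()]
                    for perm, roles in ACL.findall(value)}
    return {}


def open_to_all_roles(stanzas, commands):
    """List the commands whose effective read ACL contains the wildcard role."""
    return [c for c in commands if "*" in effective_access(stanzas, c).get("read", [])]
```

Run open_to_all_roles(parse_meta(text), names) over each app's metadata file, with the command names taken from that app's commands.conf, to find commands that still inherit the all-roles default.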

Change access control to the command script files

You can change the access control restrictions on the command script files. These controls are defined in the [searchscripts] stanza in the $SPLUNK_HOME/etc/apps/<app_name>/metadata/default.meta file. By default, the files are visible to all roles and apps, but only users with the admin role can edit the files.

[searchscripts]
access = read : [ * ], write : [ admin ]
export = system

Use the export = system attribute to make files available to all apps in the system. In the examples above, access to commands.conf and [searchscripts] is global. If the global export under [searchscripts] is not present, the script configurations in the commands.conf file are visible in all apps, but the script files themselves are not.

Custom commands in apps that do not have a UI should be exported to the system, since there is no way to run the command in a local context.

Disable the custom command

You can use the Settings menu to disable a search command from running in an app.

1. In Splunk Web, select Settings, Advanced search.

2. Click Search commands.

The Search commands page displays a table which lists the commands, information about the owner and app associated with the command, and provides options to restrict permissions and disable the command.

Note: This table only lists the search commands that are written in Python.

3. Under the Status column for the search command, click Disable.

A message banner appears near the top of the window, confirming that the command was disabled in the app.

See Also

default.meta.conf file in the Admin manual

Add the custom command to your Splunk deployment
Custom search command example

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3
