Splunk® Enterprise

Search Reference


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Control access to your custom command

Once you have written the script and added it to commands.conf, you're good to go.

By default, all roles have read-access to commands.conf, but only admins have write-access. This means that all roles can run the commands listed in commands.conf, unless the access controls are explicitly changed for an individual command. If you want to restrict the usage of the command to certain roles or users, modify its access controls in Manager or edit default.meta.conf.

What you can edit in Splunk Web

You can use Splunk Manager to disable a search command that you don't want to run in an app:

1. Navigate to Manager >> Advanced search >> Search commands.

This brings you to the table of search commands, which includes the following information: the command's name, the filename of the script that defines the command, the owner of the script, the app it belongs to, its sharing restrictions, and whether or not it is enabled.

Note: This table only lists the search commands that were written in Python.

2. Under the Status column for the search command, click Disable.

Splunk will display a message banner saying that the command was disabled in the app.

You can also use this Manager page to change the role's access controls for a command:

1. Under the Sharing column for the search command, click Permissions.

This opens the Permissions view for the search command. Use this page to specify:

  • If this command should appear in the current app or all apps.
  • Which roles have read and write access to this command.

2. Don't forget to save your changes!

What you can edit in conf files

You can also change the access controls for a command using the $SPLUNK_HOME/etc/apps/<app_name>/metadata/default.meta file. For more information, see the default.meta.conf reference in the Admin manual.

The following example shows the default access for commands.conf and the input command, which you cannot run unless you are an admin.

[commands]
access = read : [ * ], write : [ admin ]
export = system

[commands/input]
access = read : [ admin ], write : [ admin ]

There is also an access control restriction on the search script files themselves. These controls are defined in the [searchscripts] stanza. By default, the files are visible to all roles and apps, but only admins can edit them:

[searchscripts]
access = read : [ * ], write : [ admin ]
export = system

The export = system line in the [commands] stanza indicates that commands.conf is available to all apps (global), and likewise for [searchscripts]. If the global export under [searchscripts] was not present, the script configurations (commands.conf) would be visible in all apps, but the script files themselves would not be.
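To review which commands an app leaves runnable by every role, the access lines in a default.meta file can be parsed and resolved per command. The following is an added example, not code from Splunk or from this manual: it works on a constructed sample in which `mycommand`, `unlisted` and the `analyst` role are hypothetical. It assumes a `[commands/<name>]` stanza overrides the `[commands]` default, as the text above describes.

```python
import re
# Constructed sample; "mycommand" and the "analyst" role are hypothetical.
SAMPLE_META = """\
[commands]
access = read : [ * ], write : [ admin ]
export = system

[commands/input]
access = read : [ admin ], write : [ admin ]

[commands/mycommand]
access = read : [ analyst, admin ], write : [ admin ]

[searchscripts]
access = read : [ * ], write : [ admin ]
export = system
"""

ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")

def parse_meta(text):
    """Return {stanza: {"read": [...], "write": [...], other keys: str}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "access":
                for perm, roles in ACCESS_RE.findall(value):
                    current[perm] = [r.strip() for r in roles.split(",") if r.strip()]
            else:
                current[key] = value
    return stanzas

def effective_access(stanzas, command):
    """A per-command stanza overrides the [commands] default."""
    merged = dict(stanzas.get("commands", {}))
    merged.update(stanzas.get("commands/" + command, {}))
    return merged

def open_commands(stanzas, commands):
    """Commands whose effective read access includes every role (*)."""
    return [c for c in commands if "*" in effective_access(stanzas, c).get("read", [])]

print(open_commands(parse_meta(SAMPLE_META), ["input", "mycommand", "unlisted"]))
```

A command with no stanza of its own, such as `unlisted` here, is reported because it inherits the `read : [ * ]` default from `[commands]`.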


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7
