Control access to your custom command
Once you have written the script and and added it to
commands.conf, you're good to go.
By default, all roles have read-access to
commands.conf, but only admins have write-access. This means that all roles can run the commands listed in
commands.conf, unless the access controls are explicitly changed for an individual command. If you want to restrict the usage of the command to certain roles or users, modify its access controls in Manager or edit
What you can edit in Splunk Web
You can use Splunk Manager to disable a search command that you don't want to run in an app:
1. Navigate to Manager >> Advanced search >> Search commands.
This brings you to the table of search commands, which includes the following information: the command's name, the filename of the script that defines the command, the owner of the script, the app it belongs to, its sharing restrictions, and whether or not it is enabled.
Note: This table only lists the search commands that were written in Python.
2. Under the Status column for the search command, click Disable.
Splunk will display a message banner saying that the command was disabled in the app.
You can also use this Manager page to change the role's access controls for a command:
1. Under the Sharing column for the search command, click Permissions.
This opens the Permissions view for the search command. Use this page to specify:
- If this command should appear in the current app or all apps.
- Which roles are have read and write access to this command.
2. Don't forget to save your changes!
What you can edit in conf files
You can also change the access controls for a command using the
$SPLUNK_HOME/etc/apps/<app_name>/metadata/default.meta file. For more information, see the default.meta.conf reference in the Admin manual.
The following example shows the default access for commands.conf and the input command, which you cannot run unless you are an admin.
[commands] access = read : [ * ], write : [ admin ] export = system [commands/input] access = read : [ admin ], write : [ admin ]
There is also an access control restriction on the search script files themselves. These controles are defined in the
[searchscripts] stanza. By default, the files are visible to all roles and apps, but only admins can edit them:
[searchscripts] access = read : [ * ], write : [ admin ] export = system
export = system line in the
[commands] stanza indicates that
commands.conf is available to all apps (global), and likewise for
[searchscripts]. If the global export under
[searchscripts] was not present, the script configurations (
commands.conf) would be visible in all apps, but the script files themselves would not be.
Add your custom command to Splunk
Example 1: shape
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7