Commands that trigger SPL safeguards

Here is the list of search commands in Splunk Enterprise that are classified as risky. Splunk considers these commands risky because, if used incorrectly, they can pose a security risk or you can potentially lose data by running the commands.

Note: The fit command is a custom machine learning (ML) SPL command that is included in the AI Toolkit. This command is classified as a risky command and triggers SPL safeguards when executed. For more information on using the fit command, see About the fit and apply commands.

New capabilities can limit access to some custom and potentially risky commands

In versions 8.2.2107 and higher of Splunk Cloud Platform and 9.0.0 and higher of Splunk Enterprise, new capabilities have been added that, in certain cases, you must grant explicitly to be able to run custom and potentially risky commands. The "user" and "power" roles receive the capabilities automatically, but if you are a user that does not hold one of these roles either directly or through a role inheritance, you must assign the capabilities to roles that the user does hold. The following table shows the new capabilities and the actions that they grant:

Capability What it lets you do
run_sendalert Lets users run the sendalert command
run_dump Lets users run the dump command
run_custom_command Lets users run any custom search command. For more information on custom commands, see Create custom search commands for apps in Splunk Cloud Platform or Splunk Enterprise on the Splunk Developer Portal.

For the full list of capabilities, see Define roles on the Splunk platform with capabilities.