Deactivate SPL safeguards

You can deactivate SPL safeguards, if necessary, to prevent the "risky search" warning from appearing when you run searches that the Splunk Platform classifies as risky. When you deactivate SPL safeguards, the Splunk platform runs searches that contain risky commands and does not alert you to the fact that the commands in the search are risky. This can potentially cause problems with search performance. You can turn off the warning for a specific command, or for all of the risky commands.

Deactivate SPL safeguards on Splunk Cloud Platform

On Splunk Cloud Platform, if you want to deactivate SPL safeguards, use the Splunk Support portal to open a support case.

Deactivate SPL safeguards on Splunk Enterprise

On Splunk Enterprise only, you can turn off SPL safeguards by modifying configuration files. The web.conf and commands.conf configuration files control whether or not the safeguards are active. You can edit these files to turn off the risky SPL command warning dialog box. The configuration file that you use depends on the type of command for which you want to deactivate safeguards.

It is not possible to use Splunk Web to deactivate SPL safeguards.

See the following in the Splunk Enterprise Admin Manual:

Deactivate SPL safeguards on Splunk Enterprise for all commands

Use the following procedure when you want to turn off SPL safeguards entirely.

  1. Use a text editor to open the web.conf configuration file located in the $SPLUNK_HOME/etc/system/default directory.
  2. Find the command check settings within the web.conf configuration file and copy the setting stanza.
    1. For the Search page, find the enable_risky_command_check setting stanza.
    2. For dashboards, find the enable_risky_command_check_dashboard setting stanza.
  3. Locate and open the $SPLUNK_HOME/etc/system/local/web.conf configuration file. If this file does not exist, create it.
  4. If you had to create the configuration file in the previous step, add the [settings] stanza header as the first line of the file.
  5. Paste the copied setting stanza into the $SPLUNK_HOME/etc/system/local/web.conf file.
  6. Change the enable_risky_command_check or enable_risky_command_check_dashboard setting values from true to false:
    1. For the Search page, setting the value to false deactivates SPL safeguards for all searches in the deployment. If you've set the Search page to false, and dashboards remain true, SPL safeguards are still active on the dashboards but are not active on the Search page.
    2. For dashboards, setting the value to false turns off the warning for all dashboards in the deployment. If you've set dashboards to false, and the Search page remains true, SPL safeguards are still active on the Search page but are not active on the dashboards.
  7. Save the web.conf file and close it.
  8. Restart Splunk Enterprise.

Deactivate SPL safeguards on Splunk Enterprise for a specific built-in command

If you have to deactivate SPL safeguards, it is more secure to turn off the warnings for a subset of commands than it is for all commands.

Use this procedure when you want to turn off SPL safeguards for one or more specific built-in commands. For commands that Splunk has designated as risky, this is the only option to deactivate the built-in commands individually.

You can deactivate built-in commands either in the global context, or within the context of an app.

  1. Open the $SPLUNK_HOME/etc/system/local/commands.conf configuration file for editing. If this file does not exist, create it.
  2. Add a stanza for the command for which you want to deactivate SPL safeguards.
  3. On the next line beneath this stanza, add the line is_risky = false. For example, if you wanted to deactivate SPL safeguards for the outputlookup file, your entry looks like the following:
    CODE
    [outputlookup]
    is_risky = false
  4. Save the commands.conf configuration file and close it.
  5. Restart Splunk Enterprise.

Deactivate SPL safeguards on Splunk Enterprise for a custom command that uses Python

Some custom search commands use the Python language to complete their tasks, and usually exist within the context of an app. These custom commands use a slightly different process to deactivate SPL safeguards.

  1. Open the $SPLUNK_HOME/etc/apps/<app name>/local/commands.conf configuration file for editing. If this file does not exist, create it.
  2. Add a stanza for the command for which you want to deactivate SPL safeguards.
  3. On the next line beneath this stanza, add the line is_risky = false. For example, if you wanted to turn off SPL safeguards for the runshellscript file, your entry looks like the following:
    CODE
    [runshellscript]
    is_risky = false
  4. Save the commands.conf configuration file and close it.
  5. Restart Splunk Enterprise.