Deactivate SPL safeguards
You can deactivate SPL safeguards, if necessary, to prevent the "risky search" warning from appearing when you run searches that the Splunk Platform classifies as risky. When you deactivate SPL safeguards, the Splunk platform runs searches that contain risky commands and does not alert you to the fact that the commands in the search are risky. This can potentially cause problems with search performance. You can turn off the warning for a specific command, or for all of the risky commands.
Deactivate SPL safeguards on Splunk Cloud Platform
On Splunk Cloud Platform, if you want to deactivate SPL safeguards, use the Splunk Support portal to open a support case.
Deactivate SPL safeguards on Splunk Enterprise
On Splunk Enterprise only, you can turn off SPL safeguards by modifying configuration files. The web.conf and commands.conf configuration files control whether or not the safeguards are active. You can edit these files to turn off the risky SPL command warning dialog box. The configuration file that you use depends on the type of command for which you want to deactivate safeguards.
It is not possible to use Splunk Web to deactivate SPL safeguards.
See the following in the Splunk Enterprise Admin Manual:
Deactivate SPL safeguards on Splunk Enterprise for all commands
Use the following procedure when you want to turn off SPL safeguards entirely.
- Use a text editor to open the web.conf configuration file located in the
$SPLUNK_HOME/etc/system/defaultdirectory. - Find the command check settings within the web.conf configuration file and copy the setting stanza.
- For the Search page, find the
enable_risky_command_checksetting stanza. - For dashboards, find the
enable_risky_command_check_dashboardsetting stanza.
- For the Search page, find the
- Locate and open the
$SPLUNK_HOME/etc/system/local/web.confconfiguration file. If this file does not exist, create it. - If you had to create the configuration file in the previous step, add the
[settings]stanza header as the first line of the file. - Paste the copied setting stanza into the
$SPLUNK_HOME/etc/system/local/web.conffile. - Change the
enable_risky_command_checkorenable_risky_command_check_dashboardsetting values fromtruetofalse:- For the Search page, setting the value to
falsedeactivates SPL safeguards for all searches in the deployment. If you've set the Search page tofalse, and dashboards remaintrue, SPL safeguards are still active on the dashboards but are not active on the Search page. - For dashboards, setting the value to
falseturns off the warning for all dashboards in the deployment. If you've set dashboards tofalse, and the Search page remainstrue, SPL safeguards are still active on the Search page but are not active on the dashboards.
- For the Search page, setting the value to
- Save the
web.conffile and close it. - Restart Splunk Enterprise.
Deactivate SPL safeguards on Splunk Enterprise for a specific built-in command
If you have to deactivate SPL safeguards, it is more secure to turn off the warnings for a subset of commands than it is for all commands.
Use this procedure when you want to turn off SPL safeguards for one or more specific built-in commands. For commands that Splunk has designated as risky, this is the only option to deactivate the built-in commands individually.
You can deactivate built-in commands either in the global context, or within the context of an app.
- Open the $SPLUNK_HOME/etc/system/local/commands.conf configuration file for editing. If this file does not exist, create it.
- Add a stanza for the command for which you want to deactivate SPL safeguards.
- On the next line beneath this stanza, add the line
is_risky = false. For example, if you wanted to deactivate SPL safeguards for theoutputlookupfile, your entry looks like the following:CODE[outputlookup] is_risky = false - Save the commands.conf configuration file and close it.
- Restart Splunk Enterprise.
Deactivate SPL safeguards on Splunk Enterprise for a custom command that uses Python
Some custom search commands use the Python language to complete their tasks, and usually exist within the context of an app. These custom commands use a slightly different process to deactivate SPL safeguards.
- Open the $SPLUNK_HOME/etc/apps/<app name>/local/commands.conf configuration file for editing. If this file does not exist, create it.
- Add a stanza for the command for which you want to deactivate SPL safeguards.
- On the next line beneath this stanza, add the line
is_risky = false. For example, if you wanted to turn off SPL safeguards for therunshellscriptfile, your entry looks like the following:CODE[runshellscript] is_risky = false - Save the commands.conf configuration file and close it.
- Restart Splunk Enterprise.