Security

How to make a custom command shared between all Apps?

splunker1981
Path Finder

Hi fellow Splunkers,

I'm wondering is someone can tell me how to share a custom command stored within a custom App globally? We have a custom script that takes input, processes it and returns data. I've tried a few things in order to make the command shared globally since we need to run this command within various apps. I get the following error regardless of what we add to the commands or meta files: "Search Factory: Unknown search command scriptNameHere" (restarted the service after every change). The App permissions are set to global which I thought would make the command work within any other app, but that doesn't seem to be the case.

Here is what I tried adding to my default.meta. Within my commands.conf file I have 4 custom scripts, I'd like to either make them all global or define the specific command we need to work in all other apps.

[commands]
access = read : [ * ], write : [ admin ]
export = system

Any help would be greatly appreciated.

0 Karma

Maurice_Moss
Engager

This may be an answer 6 years later (almost to the date), but thought I'd post for future visitors. I was searching this today and found some info in Splunk dev docs:

Splunk Dev - Manage access to a custom search command in Splunk Cloud Platform or Splunk Enterprise 

Not sure if .meta allows all commands to be controlled via the stanza like in the original question, but each command can be added using the following:

[commands/command_name]
access = read : [ * ], write : [ admin ]
export = system

Seems like it requires a stanza per command and doesn't allow mass command sharing.  The comment from MuS seems to be the other option for mass sharing, but exports all objects in the app.

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi splunker1981,

If I create a custom command in a TA, I add this to the metadata/default.meta

[]
access = read : [ * ], write : [ admin ]
export = system

and it worked all the times so far.

Hope this helps ...

cheers, MuS

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...