Yea those are often harmless, depending on some very tweaky specifics in the XML, but whey they attack they are SUPER EVIL. There's actually a param I added to the SideviewUtils module called checkAutoRunAttributes . It's not something you want to use, but if you ever edit the SideviewUtils.conf file in etc/apps/sideview_utils/appserver/modules/SideviewUtils, set that to True and restart splunkWeb, in every view that has the problem, all users will get a big alert about it. My thinking was that concerned admins could turn it on, make a pass through all their views then turn it off.
... View more