Manage access to a custom search command

Manage access to a custom search command to control how and where users can run the command. You can manage access to a custom search command by app and by role.

Manage access by app

When you install a custom search command app, the command is, by default, only available in that app. Enable the search command in other apps for use across your Splunk instance.

You can enable the search command in other apps on the search commands management page.

  1. In Splunk Web, go to Settings > Advanced Search > Search Commands.
  2. In the search commands table, locate your custom search command.
  3. In the Sharing column for the search command, click Permissions.
  4. On the Permissions page, under Object should appear in, select All apps (system).
  5. Click Save.

Disable the search command in an app to restrict its usage.

  1. In Splunk Web, go to Settings > Advanced Search > Search Commands.
  2. From the App drop-down menu, select the app to disable the search command in.
  3. In the search commands table, locate your custom search command.
  4. In the Status column for the search command, click Disable.

Manage access by role

By default, all roles have read-access to commands.conf, but only admins have write-access. This means that all roles can run the commands listed in commands.conf, unless the access controls are explicitly changed for an individual command. You can limit a role's access to a custom search command in the configuration file or using Splunk Web.

Manage role access in the configuration file

You can manage access to a custom search command by role in the default.meta configuration file.

  1. In the $SPLUNK_HOME/etc/apps/<app_name>/metadata directory, locate the default.meta file and open it in a text editor.
  2. Add a stanza to specify read-access and write-access for your command.

    For example, the following stanza in default.meta indicates that only admin-level users can run the foo command.
    [commands/foo]
    access = read : [ admin ], write : [ admin ]
    
  3. Restart Splunk Enterprise.

Manage role access using Splunk Web

You can manage access to a custom search command by role on the search commands management page.

  1. In Splunk Web, go to Settings > Advanced Search > Search Commands.
  2. In the search commands table, locate your custom search command.
  3. In the Sharing column for the search command, click Permissions.
  4. On the Permissions page, under Permissions, select which roles have read-access and write-access to the command.
  5. Click Save.

Next Steps

See Custom search command examples.