KB 145 (Splunk): Guide to resolve the “Potential Security Risk" popup in wizards

Category: Problem/Information/Recommendation

Priority: Critical/High/Normal

Platform: Splunk Cloud

Version: 1 from 25.02.2022

Description

In Splunk cloud environment, you may see the popup as below in the dashboard of the SAP PowerConnect for Splunk app. This is especially noticed while running:

  • Wizard for new SAP SIDs and instance discovery

  • Wizard for System Role


You may choose to click on “Run Query Anyway” button to accept the risk and continue.
In some cases when you choose multiple searches to run in parallel on a wizard, you may are not able to click on “Run Query Anyway” button.

Cause

This Issue arises because of the outputlookup command used in dashboard search queries to generate the required lookup for proper functioning of drop-downs in PowerConnect app.

Resolution

Users need to raise a ticket to the Splunk cloud Support Team to update/create the below-mentioned file.

  • Please open the web.conf file which is available at <Splunk Home>/etc/shcluster/apps/BNW-app-powerconnect/local and if this file is not available at that location please create a new file with the web.conf name

  • Add the below stanza in the web.conf file:
    [settings]
    enable_risky_command_check_dashboard = false

  • Restart Splunk Server.