Merge pull request #421 from splunk/default_search_stanza

Default Stanza to prevent issues post-search-removal

Author: pyth0n1c

contentctl/output/templates/savedsearches_detections.j2

@@ -1,10 +1,15 @@
 ### {{app.label}} DETECTIONS ###
 
+[default]
+disabled = 1
+description = "This search was removed in a previous release, or is otherwise not present."
+search = | makeresults | eval text = "This search was removed in a previous release, or is otherwise not present."
+
 {% for detection in objects %}
 [{{ detection.get_conf_stanza_name(app) }}]
 action.escu = 0
 action.escu.enabled = 1
-description = {{ detection.status_aware_description | escapeNewlines() }} 
+description = {{ detection.status_aware_description | escapeNewlines() }}
 action.escu.mappings = {{ detection.mappings | tojson }}
 action.escu.data_models = {{ detection.datamodel | tojson }}
 action.escu.eli5 = {{ detection.status_aware_description | escapeNewlines() }}

contentctl/templates/app_template/metadata/default.meta

@@ -6,18 +6,9 @@ export = system
 [savedsearches]
 owner = admin
 
-## Correlation Searches
-[correlationsearches]
-access = read : [ * ], write : [ * ]
-
-[governance]
-access = read : [ * ], write : [ * ]
-
-## Managed Configurations
-[managed_configurations]
-access = read : [ * ], write : [ * ]
-
-## Postprocess
-[postprocess]
-access = read : [ * ], write : [ * ]
-
+## DO NOT EXPORT THE [default] stanza, and the [default] stanza alone.
+## Because this comes later in the default.meta file, it overrides the
+## export = system for [] above.
+## We MAY want to consider change the access, like making this stanza read-only or similar
+[savedsearches/default]
+export = none

pyproject.toml

@@ -1,7 +1,7 @@
 [tool.poetry]
 name = "contentctl"
 
-version = "5.5.10"
+version = "5.5.11"
 
 description = "Splunk Content Control Tool"
 authors = ["STRT <research@splunk.com>"]