[BUG] Disabled searches due to default stanza

[n3w4z4]

If you have a Splunk Support contract, creating a support case for your issue may result in faster resolution.

Describe the bug

A couple days ago, you have merged a commit where you add a default stanza with disabled = 1.
splunk/contentctl#421

That causes that any other saved searches in the system without an explicit disabled setting gets deactivated too.

[default]
disabled = 1
description = "This search was removed in a previous release, or is otherwise not present."
search = | makeresults | eval text = "This search was removed in a previous release, or is otherwise not present."

I've temporarily fixed this with ansible but I'm sure this has affected every client that uses this framework.

Expected behavior

A clear and concise description of what you expected to happen.

Screenshots

If applicable, add screenshots to help explain your problem.

App Version:

• ESCU: [e.g. 3.51.0]
• Splunk Security Essentials: [e.g. 3.5.0]

Additional context

Add any other context about the problem here.

[ljstella]

Hi @n3w4z4 - not sure exactly how you're deploying content, given that you've opened this issue in splunk/security_content rather than in splunk/contentctl.

If you take a look at the other change made in that same PR, you'll see an adjustment to the app_template's metadata/default.meta file. You can also view this same change that we made to this repo (because app_template does not get automatically updated via contentctl) here: #3815

This change to metadata/default.meta specifically prevents the issue you've observed from occurring. Please ensure you make that change as well. I'd also recommend that you pin to a specific version of contentctl and review the changes between updates to avoid this in the future.