From 0a0c5d9dc64f5a0326d06bd8ed5ad0ffb8e70b74 Mon Sep 17 00:00:00 2001
From: ljstella
Date: Wed, 25 Jun 2025 16:40:42 -0500
Subject: [PATCH 01/10] Starting default stanza
---
 contentctl/output/templates/savedsearches_detections.j2 | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/contentctl/output/templates/savedsearches_detections.j2 b/contentctl/output/templates/savedsearches_detections.j2
index d1ef66b9..d5f973c1 100644
--- a/contentctl/output/templates/savedsearches_detections.j2
+++ b/contentctl/output/templates/savedsearches_detections.j2
@@ -1,10 +1,13 @@
 ### {{app.label}} DETECTIONS ###
+[ default ]
+disabled = 1
+
 {% for detection in objects %}
 [{{ detection.get_conf_stanza_name(app) }}]
 action.escu = 0
 action.escu.enabled = 1
-description = {{ detection.status_aware_description | escapeNewlines() }}
+description = {{ detection.status_aware_description | escapeNewlines() }}
 action.escu.mappings = {{ detection.mappings | tojson }}
 action.escu.data_models = {{ detection.datamodel | tojson }}
 action.escu.eli5 = {{ detection.status_aware_description | escapeNewlines() }}
From f510a6b4d6fde485c508534e43cadc64228e55f9 Mon Sep 17 00:00:00 2001
From: ljstella
Date: Wed, 25 Jun 2025 16:51:23 -0500
Subject: [PATCH 02/10] Add search to default stanza
---
 contentctl/output/templates/savedsearches_detections.j2 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/contentctl/output/templates/savedsearches_detections.j2 b/contentctl/output/templates/savedsearches_detections.j2
index d5f973c1..f522ff7f 100644
--- a/contentctl/output/templates/savedsearches_detections.j2
+++ b/contentctl/output/templates/savedsearches_detections.j2
@@ -2,6 +2,7 @@
 [ default ]
 disabled = 1
+search = eval text = "This search was removed in a previous release, or is otherwise not present."
 {% for detection in objects %}
 [{{ detection.get_conf_stanza_name(app) }}]
From f0484c8e22e770c2432995925b32009eec3064e9 Mon Sep 17 00:00:00 2001
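Review bot: `disabled = 1` in the default stanza added by PATCH 01 is inherited by every stanza in the rendered savedsearches.conf that does not set `disabled` itself, so a detection emitted without that key would ship switched off with no error. The loop body continues past this hunk, so whether each generated stanza always writes its own `disabled` cannot be confirmed from here; that is worth asserting in the build's tests. A conf comment above the stanza would record the intent, for example `# Fallback for stanzas whose detection was removed; every generated stanza below must set disabled explicitly`.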
From: ljstella
Date: Tue, 1 Jul 2025 08:35:15 -0500
Subject: [PATCH 03/10] updated default search
---
 contentctl/output/templates/savedsearches_detections.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contentctl/output/templates/savedsearches_detections.j2 b/contentctl/output/templates/savedsearches_detections.j2
index f522ff7f..734190b5 100644
--- a/contentctl/output/templates/savedsearches_detections.j2
+++ b/contentctl/output/templates/savedsearches_detections.j2
@@ -2,7 +2,7 @@
 [ default ]
 disabled = 1
-search = eval text = "This search was removed in a previous release, or is otherwise not present."
+search = | makeresults | eval text = "This search was removed in a previous release, or is otherwise not present."
 {% for detection in objects %}
 [{{ detection.get_conf_stanza_name(app) }}]
From 52ffa50f84de1a91b81c83cad74e8ba164fe5c08 Mon Sep 17 00:00:00 2001
From: ljstella
Date: Wed, 16 Jul 2025 11:49:28 -0500
Subject: [PATCH 04/10] Add default stanza for macro
---
 contentctl/output/templates/macros.j2 | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/contentctl/output/templates/macros.j2 b/contentctl/output/templates/macros.j2
index f8136962..eab06bf0 100644
--- a/contentctl/output/templates/macros.j2
+++ b/contentctl/output/templates/macros.j2
@@ -1,4 +1,8 @@
+[defaullt]
+definition = search *
+description = Default Macro definition, if this is being used, a macro you relied on had its definition removed.
+
 {% for macro in objects %}
 [{{ macro.name }}{% if macro.arguments | length > 0 %}({{ macro.arguments|length }}){% endif %}]
 {% if macro.arguments | length > 0 %}
From 760b26f6b581fcdf12a54479eeacaacd10fc6b88 Mon Sep 17 00:00:00 2001
From: ljstella
Date: Wed, 16 Jul 2025 13:58:51 -0500
Subject: [PATCH 05/10] Update macro default
---
 contentctl/output/templates/macros.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
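Review bot: The placeholder `| makeresults | eval text = ...` introduced by PATCH 03 returns one row on every run, so a leftover local stanza that still carries `disabled = 0`, a schedule and alert actions would presumably trigger those actions each time and add noise to the alert queue. How local overrides combine with this default is not visible in the hunk, so the behaviour should be confirmed on a test instance. If firing is intended as a signal that the detection is gone, a comment such as `# Inherited by stanzas with no search of their own; returns one row by design` would make that explicit; if not, the default search should yield no rows when scheduled.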
diff --git a/contentctl/output/templates/macros.j2 b/contentctl/output/templates/macros.j2
index eab06bf0..3b8b7bf3 100644
--- a/contentctl/output/templates/macros.j2
+++ b/contentctl/output/templates/macros.j2
@@ -1,7 +1,7 @@
-[defaullt]
+[default]
 definition = search *
-description = Default Macro definition, if this is being used, a macro you relied on had its definition removed.
+description = Default Macro definition, if this is being used, a macro you relied on had its description removed.
 {% for macro in objects %}
 [{{ macro.name }}{% if macro.arguments | length > 0 %}({{ macro.arguments|length }}){% endif %}]
From 68d9b20a107589037209b6deb23b2bf0cda47132 Mon Sep 17 00:00:00 2001
From: ljstella
Date: Wed, 16 Jul 2025 15:00:12 -0500
Subject: [PATCH 06/10] revert default macro change
---
 contentctl/output/templates/macros.j2 | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/contentctl/output/templates/macros.j2 b/contentctl/output/templates/macros.j2
index 3b8b7bf3..f8136962 100644
--- a/contentctl/output/templates/macros.j2
+++ b/contentctl/output/templates/macros.j2
@@ -1,8 +1,4 @@
-[default]
-definition = search *
-description = Default Macro definition, if this is being used, a macro you relied on had its description removed.
-
 {% for macro in objects %}
 [{{ macro.name }}{% if macro.arguments | length > 0 %}({{ macro.arguments|length }}){% endif %}]
 {% if macro.arguments | length > 0 %}
From df936d129ec1023673428a61160cc7f7effb128b Mon Sep 17 00:00:00 2001
From: ljstella
Date: Mon, 6 Oct 2025 11:06:11 -0400
Subject: [PATCH 07/10] change stanza name
---
 contentctl/output/templates/savedsearches_detections.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contentctl/output/templates/savedsearches_detections.j2 b/contentctl/output/templates/savedsearches_detections.j2
index 734190b5..1099ac16 100644
--- a/contentctl/output/templates/savedsearches_detections.j2
+++ b/contentctl/output/templates/savedsearches_detections.j2
@@ -1,6 +1,6 @@
 ### {{app.label}} DETECTIONS ###
-[ default ]
+[default]
 disabled = 1
 search = | makeresults | eval text = "This search was removed in a previous release, or is otherwise not present."
From 0bbea43a0cbb997c5e07acb62da15c56d4e51db0 Mon Sep 17 00:00:00 2001
From: ljstella
Date: Mon, 6 Oct 2025 11:08:47 -0400
Subject: [PATCH 08/10] Add default description
---
 contentctl/output/templates/savedsearches_detections.j2 | 1 +
 1 file changed, 1 insertion(+)
diff --git a/contentctl/output/templates/savedsearches_detections.j2 b/contentctl/output/templates/savedsearches_detections.j2
index 1099ac16..8c800d72 100644
--- a/contentctl/output/templates/savedsearches_detections.j2
+++ b/contentctl/output/templates/savedsearches_detections.j2
@@ -2,6 +2,7 @@
 [default]
 disabled = 1
+description = "This search was removed in a previous release, or is otherwise not present."
 search = | makeresults | eval text = "This search was removed in a previous release, or is otherwise not present."
 {% for detection in objects %}
From 2b36ff12cbceb99069dddf2d7ad38e65f8146ede Mon Sep 17 00:00:00 2001
From: ljstella
Date: Thu, 4 Dec 2025 13:51:17 -0500
Subject: [PATCH 09/10] Update default app_template to include new default.meta export settings
---
 .../app_template/metadata/default.meta | 21 ++++++---------------
 1 file changed, 6 insertions(+), 15 deletions(-)
diff --git a/contentctl/templates/app_template/metadata/default.meta b/contentctl/templates/app_template/metadata/default.meta
index 7d137480..37803e14 100644
--- a/contentctl/templates/app_template/metadata/default.meta
+++ b/contentctl/templates/app_template/metadata/default.meta
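Review bot: The quotes around the `description` value added to `[default]` by PATCH 08 will most likely be stored as part of the value, since .conf values are not quote-delimited and the per-detection `description = {{ ... }}` lines in this template are written unquoted. Dropping them keeps the fallback consistent with the generated stanzas: `description = This search was removed in a previous release, or is otherwise not present.`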
@@ -6,18 +6,9 @@ export = system
 [savedsearches]
 owner = admin
-## Correlation Searches
-[correlationsearches]
-access = read : [ * ], write : [ * ]
-
-[governance]
-access = read : [ * ], write : [ * ]
-
-## Managed Configurations
-[managed_configurations]
-access = read : [ * ], write : [ * ]
-
-## Postprocess
-[postprocess]
-access = read : [ * ], write : [ * ]
-
+## DO NOT EXPORT THE [default] stanza, and the [default] stanza alone.
+## Because this comes later in the default.meta file, it overrides the
+## export = system for [] above.
+## We MAY want to consider change the access, like making this stanza read-only or similar
+[savedsearches/Default]
+export = none
From 0bae5ccb40afc0422560ad72824285d58dd93309 Mon Sep 17 00:00:00 2001
From: ljstella
Date: Mon, 15 Dec 2025 10:14:46 -0500
Subject: [PATCH 10/10] Casing
---
 contentctl/templates/app_template/metadata/default.meta | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contentctl/templates/app_template/metadata/default.meta b/contentctl/templates/app_template/metadata/default.meta
index 37803e14..51a8cf5c 100644
--- a/contentctl/templates/app_template/metadata/default.meta
+++ b/contentctl/templates/app_template/metadata/default.meta
@@ -10,5 +10,5 @@ owner = admin
 ## Because this comes later in the default.meta file, it overrides the
 ## export = system for [] above.
 ## We MAY want to consider change the access, like making this stanza read-only or similar
-[savedsearches/Default]
+[savedsearches/default]
 export = none
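Review bot: Deleting the `[correlationsearches]`, `[governance]`, `[managed_configurations]` and `[postprocess]` stanzas in PATCH 09 changes who can read and write those objects in every app built from this template, which the commit subject does not mention; they now fall back to the `[]` stanza, whose `access` line is outside this hunk. If dropping the `write : [ * ]` grants is intended, the description should say so. The new comment's claim that file position makes the override work should also be checked, since metadata precedence is, as far as I know, decided by how specific the stanza is rather than by order. The open question in the comment could be settled in the same change by adding `access = read : [ * ], write : [ admin ]` under the new stanza, and the effect of `export = none` is worth confirming from another app's context on a test instance.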