From 0a0c5d9dc64f5a0326d06bd8ed5ad0ffb8e70b74 Mon Sep 17 00:00:00 2001
From: ljstella <lstella@splunk.com>
Date: Wed, 25 Jun 2025 16:40:42 -0500
Subject: [PATCH 1/6] Starting default stanza

---
 contentctl/output/templates/savedsearches_detections.j2 | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/contentctl/output/templates/savedsearches_detections.j2 b/contentctl/output/templates/savedsearches_detections.j2
index d1ef66b9..d5f973c1 100644
--- a/contentctl/output/templates/savedsearches_detections.j2
+++ b/contentctl/output/templates/savedsearches_detections.j2
@@ -1,10 +1,13 @@
 ### {{app.label}} DETECTIONS ###
 
+[ default ]
+disabled = 1
+
 {% for detection in objects %}
 [{{ detection.get_conf_stanza_name(app) }}]
 action.escu = 0
 action.escu.enabled = 1
-description = {{ detection.status_aware_description | escapeNewlines() }} 
+description = {{ detection.status_aware_description | escapeNewlines() }}
 action.escu.mappings = {{ detection.mappings | tojson }}
 action.escu.data_models = {{ detection.datamodel | tojson }}
 action.escu.eli5 = {{ detection.status_aware_description | escapeNewlines() }}

From f510a6b4d6fde485c508534e43cadc64228e55f9 Mon Sep 17 00:00:00 2001
From: ljstella <lstella@splunk.com>
Date: Wed, 25 Jun 2025 16:51:23 -0500
Subject: [PATCH 2/6] Add search to default stanza

---
 contentctl/output/templates/savedsearches_detections.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/contentctl/output/templates/savedsearches_detections.j2 b/contentctl/output/templates/savedsearches_detections.j2
index d5f973c1..f522ff7f 100644
--- a/contentctl/output/templates/savedsearches_detections.j2
+++ b/contentctl/output/templates/savedsearches_detections.j2
@@ -2,6 +2,7 @@
 
 [ default ]
 disabled = 1
+search = eval text = "This search was removed in a previous release, or is otherwise not present."
 
 {% for detection in objects %}
 [{{ detection.get_conf_stanza_name(app) }}]

From f0484c8e22e770c2432995925b32009eec3064e9 Mon Sep 17 00:00:00 2001
From: ljstella <lstella@splunk.com>
Date: Tue, 1 Jul 2025 08:35:15 -0500
Subject: [PATCH 3/6] updated default search

---
 contentctl/output/templates/savedsearches_detections.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contentctl/output/templates/savedsearches_detections.j2 b/contentctl/output/templates/savedsearches_detections.j2
index f522ff7f..734190b5 100644
--- a/contentctl/output/templates/savedsearches_detections.j2
+++ b/contentctl/output/templates/savedsearches_detections.j2
@@ -2,7 +2,7 @@
 
 [ default ]
 disabled = 1
-search = eval text = "This search was removed in a previous release, or is otherwise not present."
+search = | makeresults | eval text = "This search was removed in a previous release, or is otherwise not present."
 
 {% for detection in objects %}
 [{{ detection.get_conf_stanza_name(app) }}]

From 52ffa50f84de1a91b81c83cad74e8ba164fe5c08 Mon Sep 17 00:00:00 2001
From: ljstella <lstella@splunk.com>
Date: Wed, 16 Jul 2025 11:49:28 -0500
Subject: [PATCH 4/6] Add default stanza for macro

---
 contentctl/output/templates/macros.j2 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/contentctl/output/templates/macros.j2 b/contentctl/output/templates/macros.j2
index f8136962..eab06bf0 100644
--- a/contentctl/output/templates/macros.j2
+++ b/contentctl/output/templates/macros.j2
@@ -1,4 +1,8 @@
 
+[defaullt]
+definition = search *
+description = Default Macro definition, if this is being used, a macro you relied on had its definition removed.
+
 {% for macro in objects %}
 [{{ macro.name }}{% if macro.arguments | length > 0 %}({{ macro.arguments|length }}){% endif %}]
 {% if macro.arguments | length > 0 %}

From 760b26f6b581fcdf12a54479eeacaacd10fc6b88 Mon Sep 17 00:00:00 2001
From: ljstella <lstella@splunk.com>
Date: Wed, 16 Jul 2025 13:58:51 -0500
Subject: [PATCH 5/6] Update macro default

---
 contentctl/output/templates/macros.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/contentctl/output/templates/macros.j2 b/contentctl/output/templates/macros.j2
index eab06bf0..3b8b7bf3 100644
--- a/contentctl/output/templates/macros.j2
+++ b/contentctl/output/templates/macros.j2
@@ -1,7 +1,7 @@
 
-[defaullt]
+[default]
 definition = search *
-description = Default Macro definition, if this is being used, a macro you relied on had its definition removed.
+description = Default Macro definition, if this is being used, a macro you relied on had its description removed.
 
 {% for macro in objects %}
 [{{ macro.name }}{% if macro.arguments | length > 0 %}({{ macro.arguments|length }}){% endif %}]

From 68d9b20a107589037209b6deb23b2bf0cda47132 Mon Sep 17 00:00:00 2001
From: ljstella <lstella@splunk.com>
Date: Wed, 16 Jul 2025 15:00:12 -0500
Subject: [PATCH 6/6] revert default macro change

---
 contentctl/output/templates/macros.j2 | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/contentctl/output/templates/macros.j2 b/contentctl/output/templates/macros.j2
index 3b8b7bf3..f8136962 100644
--- a/contentctl/output/templates/macros.j2
+++ b/contentctl/output/templates/macros.j2
@@ -1,8 +1,4 @@
 
-[default]
-definition = search *
-description = Default Macro definition, if this is being used, a macro you relied on had its description removed.
-
 {% for macro in objects %}
 [{{ macro.name }}{% if macro.arguments | length > 0 %}({{ macro.arguments|length }}){% endif %}]
 {% if macro.arguments | length > 0 %}