topic Re: Can I disable _internal indexes from Splunk Web? Getting error "cannot disable idx=_internal, is internal." in Monitoring Splunk

Can I disable _internal indexes from Splunk Web? Getting error "cannot disable idx=_internal, is internal."

Hemnaath — Fri, 08 Jul 2016 13:45:14 GMT

Currently _internal is enabled, but we wanted to disable this from Splunk Web? I tried to do so by getting into splunk -->settings -->Data -->Indexes --> _internal --> status --Disable. When I disabled it, it threw out the following error:

Error occurred attempting to disable _internal: **In handler 'indexes': cannot disable idx=_internal, is internal.

Kindly let us know how to disable this index from the search.

thanks in Advance.

Re: Can I disable _internal indexes from Splunk Web? Getting error "cannot disable idx=_internal, is internal."

gfreitas — Fri, 08 Jul 2016 13:54:24 GMT

I think you can't disable insternal indexes. You can prohibit someone from searching it with the user roles, just allow the user roles to access the non-internal indexes.

Re: Can I disable _internal indexes from Splunk Web? Getting error "cannot disable idx=_internal, is internal."

ddrillic — Fri, 08 Jul 2016 14:07:05 GMT

Similar question at unable to delete indexes

However, I don't see a solution in this thread.

One thing we did recently was to change the retention period of the _internal index, which doesn't answer your question ; -)

Another idea at Is it possible to disable the main index?

it's by woodcock who said -

Re: Can I disable _internal indexes from Splunk Web? Getting error "cannot disable idx=_internal, is internal."

Hemnaath — Fri, 08 Jul 2016 14:18:39 GMT

okay, initially _internal indexes was disabled, but I had enabled it to test the below SPL query and again when tried to disable the index it was throwing the error.

Query to find out indexer and forwarder communication using SSL or not

index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table hostname sourceIp fwdType version destPort ssl

so is there a way to disable the _internal indexes from this search portal? thanks in advance

Re: Can I disable _internal indexes from Splunk Web? Getting error "cannot disable idx=_internal, is internal."

Jeremiah — Fri, 08 Jul 2016 14:26:56 GMT

Yep. _internal contains all kinds of helpful troubleshooting data. I can't imagine why you would want too disable it. If its growing to large, limit the size or retention period. If you don't want some users to be able to search it, do as gfreitas says and remove their access. Its configured in the user's role.

http://docs.splunk.com/Documentation/Splunk/6.4.1/Security/SetupuserauthenticationwithSplunk

Re: Can I disable _internal indexes from Splunk Web? Getting error "cannot disable idx=_internal, is internal."

lycollicott — Fri, 08 Jul 2016 16:59:59 GMT

No, you cannot and should not disable _internal indexes. You need that information for troubleshooting and such things.

Best practice is to configure your search heads to forward to your indexers and the required internal events will all go to the indexers instead.....

Your etc\system\local\outputs.conf should look something like this....

[tcpout]
defaultGroup = default-autolb-group
indexAndForward = 0

[tcpout:default-autolb-group]
server = your_indexer:9997
useACK=true

[tcpout-server://your_indexer:9997]

Re: Can I disable _internal indexes from Splunk Web? Getting error "cannot disable idx=_internal, is internal."

Hemnaath — Mon, 11 Jul 2016 12:57:37 GMT

thanks Jeremiah, though its enabled but when I tried to execute the below query to find out indexer and forwarder communication using SSL or not it showing no result found.

index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table hostname sourceIp fwdType version destPort ssl

even tried to execute the index=_internal source=*metrics.log* it did not fetch any output. Time Frame set as last 7 days.

Do guide me if there is any other option to figure out whether the indexer and forwarders are using default root SSL certificate or not.
thanks in Advance