FYI, discovered that in 6.5.1 Splunk is now placing the burden of checking whether it is up to date on the client rather than the server. So, since most client machines have access to the internet, lots of interesting information gets passed back to Splunk.. including:
Any associated Splunk Answers user/cookie information
All Splunk role's on the server
GUID's of Splunk Licenses on the server
We are observing the request go to https://quickdraw.splunk.com, and we have 'updateCheckerBaseURL = 0' in web.conf. The request to quickdraw.splunk.com only occurs after a successful login.
If anyone knows how to turn off this behavior, it would be greatly appreciated.
The information that Splunk collects if you opt in to share performance data is documented in Share performance data in the Admin Manual. This topic also explains what data is not collected, which node in your deployment runs the searches to collect the data, and how to opt in or out.
As stated in my original post, this still occurs while both
are set to disabled.
Additionally, the page says nothing about the inclusion of reporting the names of configured roles to splunk.
Indeed. We are doing some research here to get the details.