Personally I prefer to outright disable the kvstore, at least until Splunk gets some sort of coherent setup for it. The way the whole thing is implemented still feels a bit like a cheap hack. In server.conf, you can set:
[kvstore] disabled = true
That said, it appears that mongod is executed explicitly from splunkd, so if you actually need it, then unless there's some kind of undocumented way to configure it, it's going to be difficult to fix directly.
It should be possible to work around with a shell script, but it would fall under the category of extremely unsupported.
If somebody wants to come along and downvote this as a bad idea, feel free, but please also provide a viable solution if you do. I'm sure I'm not the only one who'd like to see a clean fix.
#!/bin/sh # # Wrapper script for Splunk internal mongodb (aka kvstore) instance # # Disclaimer: This is an awful hack and EXTREMELY UNSUPPORTED. Don't come to me or to Splunk if it breaks everything. # # To use: # cd /opt/splunk/bin # mv -v mongod mongod.bin # ln -s mongod-wrapper.sh mongod # # Splunk will then execute the shell script instead of the default. # Splunk will also throw InstalledFilesHashChecker warnings in splunkd.log # This may also prevent Splunk's normal init scripts from shutting mongodb down correctly. # ADD_PARAMS="--sslCAFile /opt/splunk/etc/auth/rootCA.pem --bind_ip 127.0.0.1 --sslPEMKeyFile=/opt/splunk/etc/auth/splunk-mongodb.pem --sslMode requireSSL --sslAllowConnectionsWithoutCertificates" echo $0.bin $1 $2 $3 $4 $5 $6 $7 $8 $9 $ADD_PARAMS > /tmp/mongod.cmdline exec $0.bin $1 $2 $3 $4 $5 $6 $7 $8 $9 $ADD_PARAMS