Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk 10.2.x | RHEL 8 | SPL2 disable or exposure

NullZero
Communicator
‎03-13-2026 09:19 AM

IHAC that is eager to take advantage of the new Splunk Enterprise 10.2 release, they are currently on 10.0.3 and have already dealt with all the pain of the KVstore migrations 4.x > 7.x etc. Their underlying platform is RHEL 8 and I note the references that explain that SPL2 is not supported using RHEL 8.

The client rightly asks if SPL2 can be disabled OR if there is a stability exposure here should a user attempt to run SPL2. I note the guide that custom SPL2 can be managed and disabled etc but for default apps this is additional work.

Does anybody have experience or guidance in this use case please?

Labels (1)
Labels
0 Karma
Reply

NullZero
Communicator
‎03-25-2026 02:14 PM

Hi @livehybrid thanks for your reply and apologies if I was slow to acknowledge; I did implement this at the client but it still shows up in search and reporting, there has been no impact as when I simulate clicking on SPL2, it just waits a few seconds and then pops up with a failed to load module.

So, I can't quite accept as a solution but I recognise the helpfulness.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-13-2026 03:52 PM

Hi @NullZero 

You can set the following in web-features.conf - This disabled the SPL2 dropdown in search and the options in Dashboard Studio.

[feature:spl2]
enable_spl2 = false

[feature:dashboard_studio]
activate_spl2_datasources = false

There is also a limits.conf setting but I dont think its required if the above 2 settings are applied but you could add for belt and braces? This prevents SPL2 searches being run from any origin.

# limits.conf
[spl2]
origin = none

  However - these changes do not remove the 'Modules' link in the Settings dropdown however it does provide a message when the SPL2 modules page is loaded to state it has been disabled.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...