- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- disable sinkhole
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a default inputs.conf configuration in splunk server as below.
[batch:///source=/opt/splunk/var/spool/splunk/]
move_policy = sinkhole
Can I disable it will it have any adverse affect to my splunk server. The thing is there are some sample logs coming into this directory and we are unable find the script or the guy who is doing it.
Also can I put disable=true in this stanza will it work or should I comment the entire thing.
Regards,
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the solution at last. These events were generated by an app by splunk SA-Eventgen. We were using PCI compliance app and while installation it seems this app was configured by default. After disabling the app these sample logs disappeared.
I found the solution in the Splunk security app FAQs.
http://docs.splunk.com/Documentation/ES/2.4/User/FAQ#How_do_I_manually_enable_eventgen.3F
But the same is not included in PCI compliance app documentation. Hope splunk sees this and update the PCI compliance app documentation.
Regards,
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the solution at last. These events were generated by an app by splunk SA-Eventgen. We were using PCI compliance app and while installation it seems this app was configured by default. After disabling the app these sample logs disappeared.
I found the solution in the Splunk security app FAQs.
http://docs.splunk.com/Documentation/ES/2.4/User/FAQ#How_do_I_manually_enable_eventgen.3F
But the same is not included in PCI compliance app documentation. Hope splunk sees this and update the PCI compliance app documentation.
Regards,
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think that you should disable the input. I believe that it's used by Splunk itself for some operations.
Setting move_policy to something other than sinkhole is not supported, according to the docs on inputs.conf;
http://docs.splunk.com/Documentation/Splunk/5.0.3/admin/Inputsconf
If you know the name of the file that gets created, you could probably look through /opt/splunk/ to see if you can find a script or saved summary search that creates such files.
Or in some app:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Eventgenconf
Or scheduled from an external script;
http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/MonitorfilesanddirectoriesusingtheCLI#Example...
Maybe it can also come from an external machine through a REST api call. That is just my guessing. Then there could perhaps be something to be found in the splunk web service log in the _internal index.
Hope this helps a little bit,
K
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
