Installation
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Configuration Change Audit- What is the experimental feature?

NDabhi21
Explorer
‎07-17-2022 05:39 AM

Hi Team, 

Can some one help me who already enabled below attribute ([config_change_audit] in Version 8.2.4 or 8.2.7 . below caution was mentioned in document.

* CAUTION: This setting is experimental and is related to a feature that is still under development. Using the setting might increase resource usage.

What is the Experimental feature ?

What will risk to the environment a part from resource usage?

And if its enabled in environment what will be resource utilizations ? 

================================================================================================================

[config_change_audit]
disabled = <boolean>
* Whether or not splunkd writes configuration changes to the 
  configuration change log at $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* If set to "false", configuration changes are captured in
  $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* If set to "true", configuration changes are not captured
  in $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* Default: true
mode = [auto|track-only]
* Set to "auto" or "track-only" to get log of .conf file changes
  under $SPLUNK_HOME/etc/system, $SPLUNK_HOME/etc/apps,
  $SPLUNK_HOME/etc/users, $SPLUNK_HOME/etc/slave-apps or changes to $SPLUNK_HOME/etc/instance.cfg.
* The values "auto" and "track-only" are identical in their effects. Set mode to "auto"
  to auto-enroll this deployment into all the latest features.
* CAUTION: This setting is experimental and is related to a feature that
  is still under development. Using the setting might increase resource usage.
* Default: auto
==========================================================================================================

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-17-2022 06:17 AM

I didn't voluntarily enable those options but as you see they are enabled by default and I do use a version recent enough to have it I suppose I can say I'm using it 😉

The disclaimer is pretty standard one - the feature is still in development state so it might change its behaviour in subsequent releases or even be removed completely. In this case, since the config changes happen only from time to time I wouldn't expect too much of a performance impact but if you want to be completely safe, just disable the functionality.

0 Karma
Reply

NDabhi21
Explorer
‎07-17-2022 06:25 AM

Hi @PickleRick .

Thanks for the quick reply.

Currently attribute in disable state but we would like to enable it, to track changes in environment .

Hence i would like to know impact/risk by enabling this.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...