Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Configuration Change Audit- What is the experimental feature?

NDabhi21
Explorer
‎07-17-2022 05:39 AM

Hi Team, 

Can some one help me who already enabled below attribute ([config_change_audit] in Version 8.2.4 or 8.2.7 . below caution was mentioned in document.

* CAUTION: This setting is experimental and is related to a feature that is still under development. Using the setting might increase resource usage.

What is the Experimental feature ?

What will risk to the environment a part from resource usage?

And if its enabled in environment what will be resource utilizations ? 

================================================================================================================

[config_change_audit]
disabled = <boolean>
* Whether or not splunkd writes configuration changes to the 
  configuration change log at $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* If set to "false", configuration changes are captured in
  $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* If set to "true", configuration changes are not captured
  in $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* Default: true
mode = [auto|track-only]
* Set to "auto" or "track-only" to get log of .conf file changes
  under $SPLUNK_HOME/etc/system, $SPLUNK_HOME/etc/apps,
  $SPLUNK_HOME/etc/users, $SPLUNK_HOME/etc/slave-apps or changes to $SPLUNK_HOME/etc/instance.cfg.
* The values "auto" and "track-only" are identical in their effects. Set mode to "auto"
  to auto-enroll this deployment into all the latest features.
* CAUTION: This setting is experimental and is related to a feature that
  is still under development. Using the setting might increase resource usage.
* Default: auto
==========================================================================================================

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-17-2022 06:17 AM

I didn't voluntarily enable those options but as you see they are enabled by default and I do use a version recent enough to have it I suppose I can say I'm using it 😉

The disclaimer is pretty standard one - the feature is still in development state so it might change its behaviour in subsequent releases or even be removed completely. In this case, since the config changes happen only from time to time I wouldn't expect too much of a performance impact but if you want to be completely safe, just disable the functionality.

0 Karma
Reply

NDabhi21
Explorer
‎07-17-2022 06:25 AM

Hi @PickleRick .

Thanks for the quick reply.

Currently attribute in disable state but we would like to enable it, to track changes in environment .

Hence i would like to know impact/risk by enabling this.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...