Monitoring Splunk

Can I disable _internal indexes from Splunk Web? Getting error "cannot disable idx=_internal, is internal."

Motivator

Currently _internal is enabled, but we want to disable it from Splunk Web. I tried to do so by going to Splunk --> Settings --> Data --> Indexes --> _internal --> Status --> Disable. When I disabled it, it threw the following error:

Error occurred attempting to disable _internal: In handler 'indexes': cannot disable idx=_internal, is internal.

Kindly let us know how to disable this index from the search.

Thanks in advance.


Motivator

No, you cannot and should not disable _internal indexes. You need that information for troubleshooting and such things.

Best practice is to configure your search heads to forward to your indexers, and the required internal events will all go to the indexers instead.

Your etc\system\local\outputs.conf should look something like this:

[tcpout]
defaultGroup = default-autolb-group
indexAndForward = 0

[tcpout:default-autolb-group]
server = your_indexer:9997
useACK=true

[tcpout-server://your_indexer:9997]

Ultra Champion

Similar question at "unable to delete indexes".

However, I don't see a solution in this thread.

One thing we did recently was to change the retention period of the _internal index, which doesn't answer your question ;-)

Another idea at "Is it possible to disable the main index?"

It's by woodcock, who said:

[screenshot of woodcock's answer, not reproduced here]


Builder

I think you can't disable internal indexes. You can prohibit someone from searching it with the user roles: just allow the user roles to access the non-internal indexes.


Motivator

Yep. _internal contains all kinds of helpful troubleshooting data. I can't imagine why you would want to disable it. If it's growing too large, limit the size or retention period. If you don't want some users to be able to search it, do as gfreitas says and remove their access. It's configured in the user's role.

http://docs.splunk.com/Documentation/Splunk/6.4.1/Security/SetupuserauthenticationwithSplunk
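The role-based restriction that gfreitas and Jeremiah describe, written out as an added authorize.conf example (not config from the thread or from Splunk's own defaults). The role name and the two index names are constructed placeholders; the `srchIndexesAllowed` and `srchIndexesDefault` keys and the `*` / `_*` wildcard rules are standard Splunk settings.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf (added example, assumed layout)
#
# A search role that can see only non-internal indexes. Because the list of
# allowed indexes is the union of this stanza and every role it imports, do
# not import admin (whose allowed list is "*;_*"). The "*" wildcard matches
# only indexes that do not start with an underscore; "_*" is what would grant
# _internal, _audit and friends, so it is deliberately left out here.
[role_restricted_analyst]
# constructed placeholder index names; replace with the real ones
srchIndexesAllowed = main;app_logs
srchIndexesDefault = main
# no importRoles line on purpose: keep the allowed-index set explicit
```

Verify the effective settings after a restart with `splunk btool authorize list role_restricted_analyst --debug`, which prints the merged stanza and the file each key came from. _internal itself stays enabled and keeps collecting troubleshooting data; only the users assigned this role stop seeing it in search.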

Motivator

Thanks Jeremiah. Though it's enabled, when I tried to execute the query below to find out whether the indexer and forwarder communication uses SSL or not, it showed "no results found".

index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table hostname sourceIp fwdType version destPort ssl

I even tried to execute index=_internal source=*metrics.log* and it did not fetch any output. The time frame was set to last 7 days.

Do guide me if there is any other option to figure out whether the indexer and forwarders are using the default root SSL certificate or not.
Thanks in advance.


Motivator

Okay, initially the _internal index was disabled, but I had enabled it to test the SPL query below, and when I tried to disable the index again it threw the error.

Query to find out whether indexer and forwarder communication uses SSL or not:

index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table hostname sourceIp fwdType version destPort ssl

So is there a way to disable the _internal indexes from this search portal? Thanks in advance.
