Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

New Splunk Assist Logging is Undocumented

TheWoodRanger
Explorer
‎06-23-2022 07:47 AM

After install of a new Enterprise 9.0 instance, there's a lot of new logging appearing in _internal.

Notably, this log line is being generated every 15 seconds and there's no clear indication in documentation how to disable it.

 

 

2022-06-23 09:25:05,957 INFO [assist::supervisor_modular_input.py] [context] [build_supervisor_secrets] [4932] Secret load failed, key=tenant_id, error=[HTTP 404] https://127.0.0.1:8090/servicesNS/nobody/splunk_assist/storage/passwords/tenant_id?output_mode=json

 

 

source = D:\Splunk\var\log\splunk\splunk_assist_supervisor_modular_input.log
sourcetype = splunk_assist_uiassets_modular_input.log*


This is a substantial increase in overall volume of logs with "error" in them, not to mention the rest of the logging related to these new "assist supervisor" processes. 
splunkd.log is flooded with messages from instance_id_modular_input.py executing.

 

The Splunk Assist documentation (https://docs.splunk.com/Documentation/Splunk/9.0.0/DMC/AssistIntro) has no information on how to adjust the log level or disable specific components.

This is on an instance *without* a Splunk Assist activation code installed, meaning this is generating at this volume out-of-box.

 

It's incredibly frustrating that searching this log file name "splunk_assist_uiassets_modular_input.log" returns 0 results in all of Splunk Docs.

How is this useful if there's no information on what to do with it, and why am I paying more for Cloud Compute to ingest all this additional volume without any instruction for how to configure it?

Any assistance in finding relevant documentation would be appreciated.

Edit: There's a new .conf file for this - assist.conf - that is completely undocumented. Nothing in the configuration file reference doc page.
https://docs.splunk.com/Documentation/Splunk/9.0.0/Admin/assistconf

The inputs generating all this extra logging are located in $SPLUNK_HOME/etc/apps/splunk_assist

Until more information becomes available, I've disabled them:

[supervisor_modular_input://default]
disabled = 1

[instance_id_modular_input://default]
disabled = 1

[uiassets_modular_input://default]
disabled = 1

[selfupdate_modular_input://default]
disabled = 1

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-23-2022 11:03 AM

Submit feedback on the docs page(s) where you think more information is needed.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...