Splunk Data Fabric Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to check if DFS is enabled in Splunk Enterprise in regards to Log4J (CVE-2021-44228)

Rafiuddin
Engager
‎12-13-2021 05:59 PM

Hi Guys,
I am quite new to splunk. I was looking around to see any splunk documents pertaining to Data Fabric Search (DFS) as there is an impact since it leverages Log4j. However, I can't seem to find how to check if my Splunk Enterprise is using it.

Is there a setting that I can check from SearchHead, Indexer, etc if DFS is enabled? 

Also, does it mean if I did not install DFS Manager App, I am not using the DFS functionality?

Thank you,
Rafiuddin

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎12-13-2021 09:37 PM

hi @Rafiuddin,

1. You can check disabled=false in server.conf.

 

[dfs]

disabled = <boolean>
* When set to 'false' for the [dfs] stanza, this setting enables data fabric
  search functionality for this instance.
* A 'false' setting causes the Splunk software to start the DFSMaster Java
  process in a separate process. This process is central to Data Fabric Search
  funtionality.
* Default: true

 

2. To check if DFS is in use you can run the below query. If it returns results then DFS is enabled.

 

| history 
| search search=*dfsjob* 
|  rex field=search "(?P<dfs_cmd>\|\s*dfsjob)" 
| search dfs_cmd=* and search!=*eval* 
| where len(dfs_cmd) > 0

 

View solution in original post

Reply
Solved! Jump to solution

Yemi_Splunk
Engager
‎12-20-2021 09:26 AM

You can also use this:

https://<myonpremsplunkurl.com:8089/services/server/info

You will be prompted to login from the browser. Login. If DFS is enabled, it will dfs_enable 1, if not enabled, it will show dfs_enabled 0.

dfs_enabled0
eai:acl
app 
can_list1
can_write1
modifiable0



Cheers

Reply
Solved! Jump to solution

sybilla
Engager
‎12-16-2021 03:15 AM

Please use:

| rest /services/configs/conf-server/dfs | table title,disabled

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎12-13-2021 09:37 PM

hi @Rafiuddin,

1. You can check disabled=false in server.conf.

 

[dfs]

disabled = <boolean>
* When set to 'false' for the [dfs] stanza, this setting enables data fabric
  search functionality for this instance.
* A 'false' setting causes the Splunk software to start the DFSMaster Java
  process in a separate process. This process is central to Data Fabric Search
  funtionality.
* Default: true

 

2. To check if DFS is in use you can run the below query. If it returns results then DFS is enabled.

 

| history 
| search search=*dfsjob* 
|  rex field=search "(?P<dfs_cmd>\|\s*dfsjob)" 
| search dfs_cmd=* and search!=*eval* 
| where len(dfs_cmd) > 0

 

Reply
Solved! Jump to solution

Rafiuddin
Engager
‎12-14-2021 09:05 PM

Thank you @manjunathmeti !

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...