I'm trying to disable all queries from Splunk towards the internet. We have Splunk on Linux, on a closed network, and traffic towards the internet is only creating noise. I've already set updateCheckerBaseURL=0 in web.conf and remote_tab=false in app.conf, but still there seems to be some traffic from Splunk trying to reach the internet.
Are there any other settings I can disable, or is there any smart way to troubleshoot exactly what Splunk services are trying to reach the internet, why, and how to turn them off?
For us it was the telemetry reporting that tried to "get out".
Have you updated updateCheckerBaseURL=0 in local/app.conf for all the apps in etc/apps, or as a one-off in the etc/system/local/app.conf in your search head(s)? Sometimes we may have to do this in all apps, as any of them could try to reach the internet.
Have you tried something like Wireshark to look at the traffic, or run it through a proxy to see what is going on?
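A socket-level complement to the packet capture suggested above, as an added example that is not part of the original thread: it parses `ss -tanp` output and reports which Splunk-related processes have sockets to peers outside the internal ranges (on a closed network these typically sit in SYN-SENT). The internal ranges, the process-name prefixes and the embedded sample output are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: these ranges count as "inside" the closed network; adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')  # first entry of users:(("name",pid=N,...

# Constructed sample of `ss -tanp` output (documentation addresses, not real data).
SAMPLE_SS = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN   0      128    0.0.0.0:8089       0.0.0.0:*         users:(("splunkd",pid=1200,fd=4))
ESTAB    0      0      10.0.0.5:8089      10.0.0.7:40022    users:(("splunkd",pid=1200,fd=60))
SYN-SENT 0      1      10.0.0.5:51234     203.0.113.10:443  users:(("splunkd",pid=1200,fd=71))
SYN-SENT 0      1      10.0.0.5:51240     198.51.100.20:443 users:(("python3",pid=1388,fd=5))
ESTAB    0      0      10.0.0.5:22        10.0.0.9:50100    users:(("sshd",pid=900,fd=3))
"""

def split_endpoint(endpoint):
    """Split 'host:port', handling [IPv6]:port and %zone suffixes."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], port

def is_internal(host):
    addr = ipaddress.ip_address(host)
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # treat ::ffff:a.b.c.d as plain IPv4
    return any(addr.version == n.version and addr in n for n in INTERNAL_NETS)

def external_peers(ss_text, procs=("splunkd", "python")):
    """Count sockets of matching processes whose peer is not internal."""
    hits = Counter()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] in ("State", "LISTEN"):
            continue  # header, listeners, or sockets with no visible owner
        match = PROC_RE.search(fields[5])
        if not match or not match.group(1).startswith(procs):
            continue
        host, port = split_endpoint(fields[4])
        try:
            if is_internal(host):
                continue
        except ValueError:
            continue  # wildcard or unparsable peer
        hits[(match.group(1), int(match.group(2)), host, port, fields[0])] += 1
    return hits

if __name__ == "__main__":
    for key, count in external_peers(SAMPLE_SS).items():
        print(count, *key)
```

On a live host, feed it the output of `ss -tanp` run as root (so process names are visible) and sample repeatedly, since blocked connection attempts only show up while the socket is still retrying.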