Splunk Enterprise

How to turn off all Splunk queries towards the internet?

hettervi
Builder

I'm trying to disable all queries from Splunk towards the internet. We have Splunk on Linux, on a closed network, and traffic towards the internet is only creating noise. I've already set updateCheckerBaseURL=0 in web.conf and remote_tab=false in app.conf, but there still seems to be some traffic from Splunk trying to reach the internet.

Are there any other settings I can disable, or is there a smart way to troubleshoot exactly which Splunk services are trying to reach the internet, why, and how to turn them off?


fuebel
Explorer

lakshman239
SplunkTrust

Have you updated updateCheckerBaseURL=0 in local/app.conf for all the apps in etc/apps, or as a one-off in the etc/system/local/app.conf on your search head(s)? Sometimes we may have to do this in all apps, as any one of them could try to reach the internet.

ITWhisperer
SplunkTrust

Have you tried something like Wireshark to look at the traffic, or run it through a proxy to see what is going on?
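
A lighter-weight complement to a packet capture, as an added example (not part of the original thread and not Splunk tooling): a Python script that reads `ss -Htanp` output on the Splunk host and lists TCP connections, including blocked `SYN-SENT` attempts, owned by Splunk processes whose peer is outside the ranges treated as internal. `INTERNAL_NETS`, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
import sys

# Assumption: ranges that count as "inside" the closed network; adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
# Matches each ("name",pid=N entry in the ss process column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

# Constructed sample in `ss -tanp` layout (documentation addresses, fake PIDs).
SAMPLE = '''\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN   0 128 0.0.0.0:8089   0.0.0.0:*         users:(("splunkd",pid=1234,fd=4))
ESTAB    0 0   10.0.0.5:8089  10.0.0.9:51234    users:(("splunkd",pid=1234,fd=45))
SYN-SENT 0 1   10.0.0.5:40022 203.0.113.10:443  users:(("splunkd",pid=1234,fd=88))
SYN-SENT 0 1   10.0.0.5:40030 198.51.100.7:443  users:(("python3.7",pid=2210,fd=5))
ESTAB    0 0   10.0.0.5:22    10.0.0.20:50111   users:(("sshd",pid=900,fd=3))
'''

def external_splunk_connections(ss_output, name_filter="splunk"):
    """Return (state, process, pid, peer_ip, peer_port) for non-internal peers.

    name_filter is a substring of the process name; pass "" to see every
    process, since helpers launched by Splunk may run under other names.
    """
    findings = []
    for line in ss_output.splitlines():
        fields = line.split(None, 5)
        # Skip the header, listeners, and rows without process info (non-root).
        if len(fields) < 6 or fields[0] in ("State", "LISTEN"):
            continue
        owners = [(n, int(p)) for n, p in PROC_RE.findall(fields[5])
                  if name_filter in n]
        host, _, port = fields[4].rpartition(":")
        try:
            addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
            port = int(port)
        except ValueError:
            continue  # wildcard peer such as "*" or "0.0.0.0:*"
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped  # dual-stack sockets show ::ffff:a.b.c.d
        if owners and not any(addr in net for net in INTERNAL_NETS):
            findings += [(fields[0], n, pid, str(addr), port) for n, pid in owners]
    return findings

if __name__ == "__main__":  # usage: ss -Htanp | python3 this_script.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for finding in external_splunk_connections(text):
        print(*finding)
```

Run it as root so that `ss` can attribute sockets to processes. Repeating it over time shows which destinations and ports recur, which can then be matched against the settings discussed above.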
