Splunk Enterprise

Seeking Splunk best practices for boolean values

optsplunk
Engager

Just scanning the $SPLUNK_HOME/etc/system/default/*.conf files for boolean values show a huge disparity.  "0" and "1" exceed "true/false" or "True/False" in commonality.  If linted against the .spec files, most of these would fail.  Is there person that needs to see this to get it changed and self-consistent on the default values?  The vendor defaults should be the gold standard to measure against.  Any and all comments and how I might pursue resolution are welcome. 

Labels (3)
0 Karma

ohbuckeyeio
Communicator

I just stumbled upon this post while looking for something semi-unrelated.

FWIW: There are some instances where it must be set to "true" in the .conf files. I had an issue back in Feb where queries were not displaying length of execution in Splunk 9.0.8.  Found a KB article in Splunk support that suggested it might be caused by a setting** in limits.conf that was set to "1" instead of "true".

We changed it to "true" and that fixed it. We did a little digging with the rest API and found that it would return 1/0 for the configs, but when looking at the .confs, they were written as true/false.

**I won't reference the setting so as to not upset the Splunk Gods who may hold support contracts sacred.

0 Karma

optsplunk
Engager

Thank you for the idea... 
Idea created: EID-I-2244

meetmshah
Builder

Perfect, I believe it would be a fair step to do this to avoid confusion for multiple stanzas / parameters. I have voted the idea 🙂

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Splunk treats "true", "True", "TRUE", and "1" as equivalent to a Boolean True value so all of what you see in the docs is correct.  But the point is well made.  We, however, can do nothing about it.  As @meetmshah suggests, https://ideas.splunk.com is the place to bring this up.

---
If this reply helps you, Karma would be appreciated.
0 Karma

meetmshah
Builder

Hello @optsplunk I would suggest you having this available as Idea under https://ideas.splunk.com/ for the Splunk Product team to look over 🙂

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...