Splunk Enterprise

Seeking Splunk best practices for boolean values

optsplunk
Engager

Just scanning the $SPLUNK_HOME/etc/system/default/*.conf files for boolean values shows a huge disparity.  "0" and "1" exceed "true/false" or "True/False" in commonality.  If linted against the .spec files, most of these would fail.  Is there a person who needs to see this to get it changed and self-consistent on the default values?  The vendor defaults should be the gold standard to measure against.  Any and all comments and how I might pursue resolution are welcome.

0 Karma

ohbuckeyeio
Communicator

I just stumbled upon this post while looking for something semi-unrelated.

FWIW: There are some instances where it must be set to "true" in the .conf files. I had an issue back in Feb where queries were not displaying length of execution in Splunk 9.0.8.  Found a KB article in Splunk support that suggested it might be caused by a setting** in limits.conf that was set to "1" instead of "true".

We changed it to "true" and that fixed it. We did a little digging with the REST API and found that it would return 1/0 for the configs, but when looking at the .confs, they were written as true/false.

**I won't reference the setting so as to not upset the Splunk Gods who may hold support contracts sacred.

0 Karma

optsplunk
Engager

Thank you for the idea... 
Idea created: EID-I-2244

meetmshah
Contributor

Perfect, I believe it would be a fair step to do this to avoid confusion for multiple stanzas / parameters. I have voted for the idea 🙂

0 Karma

richgalloway
SplunkTrust

Splunk treats "true", "True", "TRUE", and "1" as equivalent to a Boolean True value so all of what you see in the docs is correct.  But the point is well made.  We, however, can do nothing about it.  As @meetmshah suggests, https://ideas.splunk.com is the place to bring this up.

---
If this reply helps you, Karma would be appreciated.
0 Karma
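The scan described in the original question, limited to keys a .spec file declares as boolean, as an added example that is not part of any post in this thread and not Splunk tooling. Assumptions: a boolean setting appears in the spec as `key = <boolean>`, lowercase `true`/`false` is taken as the target spelling, keys are matched by name regardless of stanza, and the setting and stanza names are hypothetical.

```python
import re
from collections import Counter

# Spellings mentioned in the thread, grouped by style. Lowercase is the
# assumed target; this table says nothing about what Splunk accepts.
STYLES = {"true": "lower", "false": "lower", "True": "title", "False": "title",
          "TRUE": "upper", "FALSE": "upper", "1": "numeric", "0": "numeric"}
KV = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")

def parse_conf(text):
    """Yield (stanza, key, value) from .conf-style text, skipping comments."""
    stanza = "default"
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("[") and s.endswith("]"):
            stanza = s[1:-1]
            continue
        m = KV.match(line)
        if m:
            yield stanza, m.group(1), m.group(2)

def boolean_keys(spec_text):
    """Keys the spec declares as 'key = <boolean>' (assumed notation)."""
    return {k for _, k, v in parse_conf(spec_text) if v.lower() == "<boolean>"}

def lint(conf_text, spec_text):
    """Return (Counter of spelling styles, findings not in lowercase form)."""
    bools = boolean_keys(spec_text)
    styles, findings = Counter(), []
    for stanza, key, value in parse_conf(conf_text):
        if key not in bools:
            continue  # "0"/"1" on a non-boolean key is just an integer
        style = STYLES.get(value, "unrecognized")
        styles[style] += 1
        if style != "lower":
            findings.append((stanza, key, value, style))
    return styles, findings

# Constructed sample input with hypothetical names, not from a real install.
SPEC = ("[example]\nexample_flag = <boolean>\nexample_flag2 = <boolean>\n"
        "example_count = <integer>\n")
CONF = ("[example]\nexample_flag = 1\nexample_count = 1\n\n"
        "[other]\nexample_flag = True\nexample_flag2 = false\n"
        "# example_flag = 0\n")

if __name__ == "__main__":
    styles, findings = lint(CONF, SPEC)
    print(dict(styles))
    for f in findings:
        print("non-canonical boolean:", f)
```

Filtering on the spec is what keeps `example_count = 1` out of the tally; a plain text search for `0` and `1` would count integer settings as booleans.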

meetmshah
Contributor

Hello @optsplunk I would suggest having this available as an Idea under https://ideas.splunk.com/ for the Splunk Product team to look over 🙂

0 Karma