Just scanning the $SPLUNK_HOME/etc/system/default/*.conf files for boolean values shows a huge disparity. "0" and "1" exceed "true/false" or "True/False" in commonality. If linted against the .spec files, most of these would fail. Is there a person who needs to see this to get it changed and self-consistent on the default values? The vendor defaults should be the gold standard to measure against. Any and all comments and how I might pursue resolution are welcome.
I just stumbled upon this post while looking for something semi-unrelated.
FWIW: There are some instances where it must be set to "true" in the .conf files. I had an issue back in Feb where queries were not displaying length of execution in Splunk 9.0.8. Found a KB article in Splunk support that suggested it might be caused by a setting** in limits.conf that was set to "1" instead of "true".
We changed it to "true" and that fixed it. We did a little digging with the REST API and found that it would return 1/0 for the configs, but when looking at the .confs, they were written as true/false.
**I won't reference the setting so as to not upset the Splunk Gods who may hold support contracts sacred.
Thank you for the idea...
Idea created: EID-I-2244
Perfect, I believe it would be a fair step to do this to avoid confusion for multiple stanzas / parameters. I have voted for the idea 🙂
Splunk treats "true", "True", "TRUE", and "1" as equivalent to a Boolean True value so all of what you see in the docs is correct. But the point is well made. We, however, can do nothing about it. As @meetmshah suggests, https://ideas.splunk.com is the place to bring this up.
Hello @optsplunk I would suggest having this available as an Idea under https://ideas.splunk.com/ for the Splunk Product team to look over 🙂
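The kind of lint the opening post describes, as an added example that is not part of the thread and not Splunk's own tooling: it reads which settings a .spec declares as boolean, then counts the spelling style of each such value in a .conf and flags anything not in the chosen style. The stanza and setting names are hypothetical, the sample text is constructed, the `<boolean>` placeholder form in the spec is an assumption, and picking lowercase as the canonical style is arbitrary.

```python
import re
from collections import Counter

# Constructed sample input; stanza and setting names are hypothetical.
SPEC = """\
[example_stanza]
enable_feature = <boolean>
show_timing = <boolean>
max_items = <integer>
"""
CONF = """\
[example_stanza]
enable_feature = 1
show_timing = True
max_items = 1

[other_stanza]
enable_feature = false
"""

STYLES = {"true": "lower", "false": "lower", "True": "title", "False": "title",
          "TRUE": "upper", "FALSE": "upper", "1": "digit", "0": "digit"}
LINE = re.compile(r"^\s*([^#\[=\s][^=]*?)\s*=\s*(.*?)\s*$")

def parse(text):
    """Yield (stanza, key, value, lineno) for each 'key = value' line."""
    stanza = "default"
    for n, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if s.startswith("[") and s.endswith("]"):
            stanza = s[1:-1]
        elif (m := LINE.match(raw)):
            yield stanza, m.group(1), m.group(2), n

def boolean_keys(spec_text):
    """Setting names the spec declares as <boolean> (assumed placeholder form)."""
    return {k for _, k, v, _ in parse(spec_text) if v.startswith("<boolean>")}

def audit(conf_text, spec_text, canonical="lower"):
    """Return (style counts, findings) for boolean settings only.
    Settings are matched by name, regardless of stanza."""
    bools, counts, findings = boolean_keys(spec_text), Counter(), []
    for stanza, key, value, n in parse(conf_text):
        if key not in bools:
            continue  # e.g. max_items = 1 is an integer, not a boolean
        style = STYLES.get(value, "invalid")
        counts[style] += 1
        if style != canonical:
            findings.append((n, stanza, key, value, style))
    return counts, findings
```

Using the spec to decide what is a boolean is what keeps an integer setting whose value happens to be `1` out of the report.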