
# Version 9.2.2.20240415
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# This file contains possible attributes and values to configure SSL
# and HTTP server options.
#
# Instance-wide splunkd defaults.
[general]
serverName=$HOSTNAME
sessionTimeout=1h
# NOTE(review): shipped as false, so going by the name, logging out does not
# invalidate session tokens by default - confirm whether a local override is
# wanted.
invalidateSessionTokensOnLogout = false
logoutCacheRefreshInterval = 30s
# Placeholder secret: 'changeme' is 8 characters, below the minimum length of
# 12 set by pass4SymmKey_minLength on the next line, and is identical wherever
# this default file is used unmodified. Set a unique value in a local override
# rather than relying on this default.
pass4SymmKey = changeme
pass4SymmKey_minLength = 12
unbiasLanguageForLogging = false
# The following 'allowRemoteLogin' setting controls remote management of your splunk instance.
# - If set to 'always', all remote logins are allowed.
# - If set to 'never', only local logins to splunkd will be allowed. Note that this will still allow
#   remote management through splunkweb if splunkweb is on the same server.
# - If set to 'requireSetPassword' (default behavior):
#   1. In the free license, remote login is disabled.
#   2. In the pro license, remote login is only disabled for the admin user that has not changed their default password
allowRemoteLogin=requireSetPassword
tar_format=gnutar
access_logging_for_phonehome=true
hangup_after_phonehome=false
listenOnIPv6 = no
connectUsingIpVersion = auto
useHTTPServerCompression = true
useHTTPClientCompression = true
defaultHTTPServerCompressionLevel = 6
# Both entries are loopback addresses (IPv4 and IPv6).
skipHTTPCompressionAcl = 127.0.0.1 ::1
parallelIngestionPipelines = 1
pipelineSetSelectionPolicy = round_robin
pipelineSetWeightsUpdatePeriod = 30
pipelineSetNumTrackingPeriods = 5
pipelineSetChannelSetCacheSize = 12
instanceType = download
numThreadsForIndexInitExecutor = 16
cleanRemoteStorageByDefault = false
# NOTE(review): 'decryptOnly' suggests legacy ciphers remain usable for reading
# existing data but not for new encryption - confirm against server.conf.spec.
legacyCiphers = decryptOnly
decommission_search_jobs_wait_secs = 0
decommission_search_jobs_min_wait_ratio = 0.15
python.version = force_python3
regex_cache_hiwater = 2500
# Specify whether the search process can have a long lifespan
enable_search_process_long_lifespan = true
# Controls which .conf files, when changed, may increase the generation of the
# search configuration:
# - files set to "true" are allowed to
# - files set to "false", or not listed at all, are not
# The credential-related files (authentication, passwd, passwords) are all
# set to false in this list.
conf_generation_include.alert_actions = true
conf_generation_include.authentication = false
conf_generation_include.authorize = true
conf_generation_include.collections = true
conf_generation_include.commands = true
conf_generation_include.datamodels = true
conf_generation_include.event_renderers = true
conf_generation_include.eventtypes = true
conf_generation_include.federated = true
conf_generation_include.fields = true
conf_generation_include.global-banner = false
conf_generation_include.health = false
conf_generation_include.history = false
conf_generation_include.html = false
conf_generation_include.indexes = true
conf_generation_include.limits = true
conf_generation_include.literals = true
conf_generation_include.lookups = true
conf_generation_include.macros = true
conf_generation_include.manager = true
conf_generation_include.messages = true
conf_generation_include.metric_alerts = true
conf_generation_include.metric_rollups = false
conf_generation_include.models = true
conf_generation_include.multikv = true
conf_generation_include.nav = true
conf_generation_include.outputs = true
conf_generation_include.panels = true
conf_generation_include.passwd = false
conf_generation_include.passwords = false
conf_generation_include.props = true
conf_generation_include.savedsearches = true
conf_generation_include.searchbnf = false
conf_generation_include.searchscripts = true
conf_generation_include.segmenters = true
conf_generation_include.tags = true
conf_generation_include.telemetry = false
conf_generation_include.tos = false
conf_generation_include.times = true
conf_generation_include.transforms = true
conf_generation_include.transactiontypes = true
conf_generation_include.ui-prefs = false
conf_generation_include.ui-tour = false
conf_generation_include.user-prefs = false
conf_generation_include.views = false
conf_generation_include.viewstates = false
conf_generation_include.visualizations = false
conf_generation_include.workflow_actions = false
conf_generation_include.workload_pools = true
conf_generation_include.workload_rules = true
conf_generation_include.workload_policy = true
# Comma-separated list of quoted "conf:stanza:setting" entries. Every entry
# names a credential-bearing setting (passwords, keys, tokens, client secrets
# and related identifiers).
# NOTE(review): presumably this is the set of settings splunkd stores encrypted
# on disk, and an entry written "conf: :setting" leaves the stanza position
# blank to match any stanza - confirm both against server.conf.spec.
# When adding a secret-bearing setting elsewhere, check whether it needs an
# entry here; a setting missing from the list would stay in clear text if the
# assumption above holds.
encrypt_fields = "server: :sslKeysfilePassword", "server: :sslPassword", "server: :pass4SymmKey", "server: :password", "outputs:tcpout:sslPassword", "outputs:tcpout:socksPassword","outputs:indexer_discovery:pass4SymmKey", "outputs:tcpout:token", "inputs:SSL:password", "inputs:SSL:sslPassword", "inputs:http:sslPassword", "inputs:http:sslKeysfilePassword", "inputs:splunktcptoken:token", "alert_actions:email:auth_password", "app:credential:password", "app:credential:sslPassword", "passwords:credential:password", "passwords:credential:sslPassword", "authentication: :bindDNpassword", "authentication: :sslKeysfilePassword", "authentication: :attributeQuerySoapPassword", "authentication: :scriptSecureArguments", "authentication: :sslPassword", "authentication: :accessKey", "web:settings:privKeyPassword", "web:settings:sslPassword", "server:indexer_discovery:pass4SymmKey", "server:clustermanager:pass4SymmKey", "server:dmc:pass4SymmKey", "server:kvstore:sslKeysPassword", "indexes: :remote.s3.access_key", "indexes: :remote.s3.secret_key", "indexes: :remote.s3.kms.key_id", "indexes: :remote.azure.access_key", "indexes: :remote.azure.secret_key", "indexes: :remote.azure.client_id", "indexes: :remote.azure.client_secret", "indexes: :remote.azure.tenant_id", "outputs: :remote.s3.access_key", "outputs: :remote.s3.secret_key", "outputs: :remote.s3.kms.key_id", "outputs: :remote.azure.access_key", "outputs: :remote.azure.secret_key", "outputs: :remote.azure.client_id", "outputs: :remote.azure.client_secret", "outputs: :remote.azure.tenant_id","server:scs:kvservice.principal.client.secret", "federated: :password"
conf_cache_memory_optimization = false
# Defaults for cascading replication plans and their worker limits.
[cascading_replication]
max_replication_threads = auto
max_replication_jobs = 5
cascade_replication_plan_reap_interval = 1h
cascade_replication_plan_age = 8h
cascade_replication_plan_fanout = auto
cascade_replication_plan_topology = size_balanced
cascade_replication_plan_select_policy = random
# Same 12-character minimum as in [general]; this stanza ships no
# pass4SymmKey value of its own.
pass4SymmKey_minLength = 12
# TLS defaults for splunkd: protocol versions, cipher suites, certificate
# locations and verification behaviour.
[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = false
useSplunkdClientSSLCompression = true
# Server host-name verification is off by default for both the CLI and
# splunkd's outbound connections. With name checks off, a peer's certificate
# is not tied to the host being contacted; enable these in a local override
# once certificates with correct names are deployed.
cliVerifyServerName = false
sslVerifyServerName = false
caTrustStore = splunk
# enableSplunkSearchSSL has been moved to web.conf/[settings]/enableSplunkWebSSL
# SSL settings
# The following provides modern TLS configuration. This configuration drops support
# for old Splunk versions (Splunk 5.x and earlier).
# To add support for Splunk 5.x:
# - set sslVersions & sslVersionsForClient to tls
# - and add AES256-SHA to the cipherSuite
# The following non-forward-secrecy ciphers were added to support the kv store:
# AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256.
# NOTE(review): besides those three, the list below also carries static-ECDH
# suites (the ECDH-ECDSA-* entries), which do not provide forward secrecy
# either, and CBC-mode suites (the -SHA256/-SHA384 entries without GCM).
sslVersions = tls1.2
sslVersionsForClient = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
# HSTS header is not sent by default.
sendStrictTransportSecurityHeader = false
# TLS-level compression is allowed by default. Compressing before encrypting
# lets ciphertext length reveal information about the plaintext (the CRIME
# class of issues); review this for listeners that carry secrets.
allowSslCompression = true
# Renegotiation is allowed by default.
# NOTE(review): confirm whether this covers client-initiated renegotiation and
# whether it is needed in your deployment.
allowSslRenegotiation = true
serverCert = $SPLUNK_HOME/etc/auth/server.pem
# Shipped value is the literal string 'password'.
# NOTE(review): presumably the passphrase for the private key in serverCert.
# Deployments that replace the default certificate should set their own
# passphrase in a local override.
sslPassword = password
caCertFile = $SPLUNK_HOME/etc/auth/cacert.pem
certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
# DEPRECATED
caPath = $SPLUNK_HOME/etc/auth
# end of [sslConfig]
# TLS verification defaults for Python SSL clients.
# Both certificate and host-name verification are off as shipped, so these
# clients do not authenticate the server they connect to unless overridden.
[pythonSslClientConfig]
sslVerifyServerCert = false
sslVerifyServerName = false
# Defaults for splunkd's HTTP server: request limits, accepted sources and
# the authentication methods it offers.
[httpServer]
# defines the stylesheet relative URL to apply to default Atom feeds;
# set to 'none' to not write out xsl-stylesheet directive
atomFeedStylesheet = /static/atom.xsl
max-age = 3600
follow-symlinks = false
# reject web accesses over 2GB in length (2147483648 bytes = 2 GiB)
max_content_length = 2147483648
# When HTTP client streams data to HTTP server, server will timeout write operation after
# streamInWriteTimeout seconds if it cannot make write progress.
streamInWriteTimeout = 5
# '*' places no restriction on the source address at this layer; narrow it in
# a local override if the port should only be reachable from known hosts.
acceptFrom = *
# Automatically tune these limits:
maxThreads = 0
maxSockets = 0
forceHttp10 = auto
# Both cross-origin settings are empty as shipped.
# NOTE(review): presumably this means no origin is granted CORS access - confirm.
crossOriginSharingPolicy =
crossOriginSharingHeaders =
x_frame_options_sameorigin = true
# HTTP Basic authentication is accepted by default. Basic credentials are sent
# with each request, so their confidentiality depends on TLS staying enabled
# (enableSplunkdSSL = true in [sslConfig]).
allowBasicAuth = true
basicAuthRealm = /splunk
allowCookieAuth = true
allowWwwAuthHeader = true
# Authentication cookies are marked HttpOnly and Secure by default.
cookieAuthHttpOnly = true
cookieAuthSecure = true
# NOTE(review): shipped as false - confirm what SameSite behaviour this implies
# for the authentication cookie.
cookieSameSiteSecure = false
allowEmbedTokenAuth = true
dedicatedIoThreads = auto
keepAliveIdleTimeout = 7200
busyKeepAliveIdleTimeout = 12
# Maps file extensions to the MIME type reported for them.
[mimetype-extension-map]
gif = image/gif
html = text/html
htm = text/html
# NOTE(review): the registered media type for JPEG is image/jpeg; 'image/jpg'
# is what ships here.
jpg = image/jpg
png = image/png
txt = text/plain
xml = text/xml
xsl = text/xml
# Defaults for contacting the app catalogue: endpoints, update checks and
# the TLS settings used for those connections.
[applicationsManagement]
version = 9.2.1
allowInternetAccess = true
url = https://apps.splunk.com/api/apps
loginUrl = https://apps.splunk.com/api/account:login/
detailsUrl = https://apps.splunk.com/apps/id
updateHost = https://apps.splunk.com
updatePath = /api/apps:resolve/checkforupgrade
updateTimeout = 24h
caCertFile = $SPLUNK_HOME/etc/auth/appsCA.pem
caTrustStore = splunk
# Certificate verification is on for these connections, while
# sslVerifyServerName is off.
# NOTE(review): presumably the two name lists below are what the certificate
# is checked against instead - confirm.
sslVerifyServerCert = true
sslVerifyServerName = false
sslCommonNameToCheck = splunkbase.splunk.com, apps.splunk.com, cdn.apps.splunk.com
sslAltNameToCheck = splunkbase.splunk.com, apps.splunk.com, cdn.apps.splunk.com
# The following provides modern TLS configuration that guarantees forward-
# secrecy and efficiency. This configuration drops support for old Splunk
# versions (e.g. Splunk 5.x).
# To add support for Splunk 5.x set sslVersions to tls and add this to the
# end of cipherSuite:
# DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA
# and this, in case Diffie Hellman is not configured:
# AES256-SHA:AES128-SHA
# Every suite in the list below uses ECDHE key exchange, unlike the
# [sslConfig] list, which also carries non-forward-secret suites.
sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
# disk usage processor settings
# NOTE(review): units are not stated in this file - confirm them in
# server.conf.spec before overriding.
[diskUsage]
minFreeSpace = 5000
pollingFrequency = 100000
pollingTimerFrequency = 10
# Defaults for Splunk diag (troubleshooting bundles): which paths are left
# out, where uploads go, and best-effort redaction of search strings.
[diag]
# don't capture local auth information in troubleshooting files
EXCLUDE-auth = */etc/auth/*
# don't capture the index files for lookups either (big! unlikely to help)
EXCLUDE-lookup-indexes = */etc/*/lookups/*.tsidx
# don't capture ops.json for now, until we add password hash redaction.
# (i.e. the file can contain password hashes, so keep this exclusion in place
# when customising the EXCLUDE list)
EXCLUDE-opsjson = */etc/system/replication/ops.json
upload_proto_host_port = https://api.splunk.com
#######
# Search string redaction. These defaults are an unavoidably incomplete
# (best-effort) Splunk diag attempt to avoid capturing sensitive information
# present in search queries. This applies to situations where people enter
# field values or search terms interactively, or where they drill down into a
# table, dataset, pivot entry etc. to filter on specific values.
# To ensure sensitive data in your environment that can occur in search queries
# will not be present in Splunk diag output, you can add pattern-based
# filtering for those terms or values.
# Note that Splunk diag tries hard not to capture event text in general, by
# avoiding capture of search results, lookup files, and certain types of
# diagnostics of index files by default.
# If you find yourself wanting to add an additional pattern, be sure to match
# only the bytes relevant to your data, not any additional characters. Each
# match "consumes" a portion of the search string, so additional matched bytes
# could prevent other matches from operating.
# Rough catchall for larger number strings with separators which are
# 1: More likely to be an identifier than a simple larger number
#    eg. no : 32424234242342342423424234233
#        yes: 2334-243-24234-43-234-423-342
# 2: Unlikely to be numbers that are needed for troubleshooting, like limit=5000000
# 3: Probably not IP addresses, or similar pretty useful information that isn't
#    typically PII (personally identifying information)
SEARCHFILTERSIMPLE-pii = \b[-_\d]{2,}\d{3,}[-_]\d{3,}[-_\d]{2,}\b
# US social security numbers fit a well-known format and predate common
# practices for automatic validation/verification
# (pattern: 3 digits, 2 digits, 4 digits, separated by '-', '.' or a space)
SEARCHFILTERSIMPLE-socsec = \b\d{3}[-. ]\d{2}[-. ]\d{4}\b
# Payment card numbers as displayed for human readability may contain embedded
# dashes or spaces in them, though have many different clusterings of numbers
# across the separators internationally. Probably most payment card data does
# not arrive in Splunk indexes at all, but when it does, it is usually a single
# number and will be caught by bignum, following.
# (pattern: three groups of 4 digits plus a final group of 3 or 4, separated
# by '-' or a space; other groupings are not matched by this entry)
SEARCHFILTERLUHN-paycard = \b(?:\d{4}[- ]){3}\d{3,4}\b
# Any significantly large string of only numbers which satisfies the Luhn
# algorithm is *probably* a financial number, though unfortunately the
# false-positive rate will be 10%. This may lead to requests for unredacted
# snippets in some cases.
# (pattern: 13 or more consecutive digits)
SEARCHFILTERLUHN-bignum = \b(?:\d{13,})\b
#
# default license configuration
# by default, this node is a manager that has a single
# peer (itself) and a single pool based on the single
# free stack that allots 100% to itself
#
[license]
manager_uri = self
# these timeouts only matter if you have a manager_uri set to remote manager
connection_timeout = 30
send_timeout = 30
receive_timeout = 30
squash_threshold = 2000
report_interval = 1m
strict_pool_quota = true
lm_ping_interval = 86400
# Defaults applied to queues; the [queue=<name>] stanzas that follow set
# values for individual queues.
[queue]
maxSize = 500KB
# look-back windows for the three counters; the values below are written in
# seconds (60s, 600s, 900s)
cntr_1_lookback_time = 60s
cntr_2_lookback_time = 600s
cntr_3_lookback_time = 900s
# sampling interval is the same for all the counters of a particular queue
# and defaults to 1 sec
sampling_interval = 1s
# Per-queue settings. Each stanza sets maxSize for one named queue; most also
# repeat the counter look-back windows (written in seconds: 60s, 600s, 900s)
# and the 1s sampling interval.
[queue=fschangemanager_queue]
maxSize = 5MB
cntr_1_lookback_time = 60s
cntr_2_lookback_time = 600s
cntr_3_lookback_time = 900s
# sampling interval is the same for all the counters of a particular queue
# and defaults to 1 sec
sampling_interval = 1s
[queue=AQ]
maxSize = 10MB
# look-back windows, in seconds
cntr_1_lookback_time = 60s
cntr_2_lookback_time = 600s
cntr_3_lookback_time = 900s
# sampling interval is the same for all the counters of a particular queue
# and defaults to 1 sec
sampling_interval = 1s
[queue=WEVT]
maxSize = 5MB
# look-back windows, in seconds
cntr_1_lookback_time = 60s
cntr_2_lookback_time = 600s
cntr_3_lookback_time = 900s
# sampling interval is the same for all the counters of a particular queue
# and defaults to 1 sec
sampling_interval = 1s
[queue=aggQueue]
maxSize = 1MB
# look-back windows, in seconds
cntr_1_lookback_time = 60s
cntr_2_lookback_time = 600s
cntr_3_lookback_time = 900s
# sampling interval is the same for all the counters of a particular queue
# and defaults to 1 sec
sampling_interval = 1s
# Only maxSize is set for this queue.
[queue=rfsQueue]
maxSize = 10MB
[queue=parsingQueue]
maxSize = 6MB
# look-back windows, in seconds
cntr_1_lookback_time = 60s
cntr_2_lookback_time = 600s
cntr_3_lookback_time = 900s
# sampling interval is the same for all the counters of a particular queue
# and defaults to 1 sec
sampling_interval = 1s
# Only maxSize is set for the two queues below.
[queue=remoteOutputQueue]
maxSize = 10MB
[queue=vixQueue]
maxSize = 8MB
# Indexer clustering defaults. Clustering is off as shipped (mode = disabled).
[clustering]
mode = disabled
manager_switchover_mode = disabled
# No cluster secret ships by default. allow_default_empty_p4symmkey is set to
# false further down in this stanza, and pass4SymmKey_minLength below sets a
# 12-character minimum; set a unique secret in a local override when enabling
# clustering.
pass4SymmKey =
register_replication_address =
register_forwarder_address =
register_search_address =
executor_workers = 10
manual_detention = off
summary_replication = false
allowed_hbmiss_count = 3
pass4SymmKey_minLength = 12
cm_heartbeat_period = 1
cm_max_hbmiss_count = 3
# lowlevel timeouts for CM-to-CM communication for redundancy purposes
cm_com_timeout = 10
# lowlevel timeouts for intra-cluster communication
cxn_timeout = 60
send_timeout = 60
rcv_timeout = 60
# replication channel timeouts
rep_cxn_timeout = 60
rep_send_timeout = 60
rep_rcv_timeout = 60
rep_max_send_timeout = 180
rep_max_rcv_timeout = 180
# only valid for mode=manager
# (settings from here to the next mode comment in this stanza)
service_interval = 0
max_fixup_time_ms = 1000
replication_factor = 3
search_factor = 2
heartbeat_timeout = 60
restart_timeout = 60
streaming_replication_wait_secs = 60
quiet_period = 60
reporting_delay_period = 30
max_peer_build_load = 2
max_peer_rep_load = 5
max_peer_sum_rep_load = 5
searchable_targets = true
searchable_target_sync_timeout = 60
target_wait_time = 150
summary_wait_time = 660
commit_retry_time = 300
percent_peers_to_restart = 10
percent_peers_to_reload = 100
max_peers_to_download_bundle = 5
precompress_cluster_bundle = true
multisite = false
site_replication_factor = origin:2, total:3
site_search_factor = origin:1, total:2
available_sites =
site_mappings =
constrain_singlesite_buckets=true
access_logging_for_heartbeats=false
auto_rebalance_primaries = true
rebalance_primaries_execution_limit_ms = 0
commit_generation_execution_limit_ms = 0
idle_connections_pool_size = -1
use_batch_mask_changes = true
service_jobs_msec = 100
rebalance_threshold = 0.90
max_auto_service_interval = 1
service_execution_threshold_ms = 1500
buckets_to_summarize = primaries
maintenance_mode = false
backup_and_restore_primaries_in_maintenance = false
max_primary_backups_per_service = 10
searchable_rolling_peer_state_delay_interval = 60
searchable_rolling_site_down_policy = half
# Shipped as false. NOTE(review): by its name this refuses an empty
# pass4SymmKey (the shipped value in this stanza is empty) - confirm the exact
# behaviour before enabling clustering.
allow_default_empty_p4symmkey = false
decommission_force_finish_idle_time = 0
rolling_restart = restart
searchable_rebalance = false
rebalance_pipeline_batch_size = 60
rebalance_primary_failover_timeout = 75
rebalance_newgen_propagation_timeout = 60
rebalance_search_completion_timeout = 180
deferred_cluster_status_update = true
assign_primaries_to_all_sites = false
log_bucket_during_addpeer = false
enable_primary_fixup_during_maintenance = true
freeze_during_maintenance = false
remote_storage_freeze_delay_period = 3600
bucketsize_mismatch_strategy = largest
max_concurrent_peers_joining = 10
rolling_restart_condition = batch_adding
enable_parallel_add_peer = true
primary_src_persist_secs = 604800
max_usage_rebalance_retries = 3
max_usage_rebalance_operations_per_service = 50
bucket_usage_decay_half_life = 7d
usage_rebalance_bucket_movement_factor = 0.01
# only valid for mode=manager or mode=searchhead
generation_poll_interval = 5
# only valid for mode=searchhead
generation_max_staleness = 60s
# only needed for mode=peer or mode=searchhead
manager_uri =
# only needed for mode=peer
heartbeat_period = 1
notify_scan_period = 10
notify_buckets_period = 10
enableS2SHeartbeat = true
s2sHeartbeatTimeout = 600
throwOnBucketBuildReadError = false
max_replication_errors = 3
search_files_retry_timeout = 600
re_add_on_bucket_request_error = false
decommission_search_jobs_wait_secs = 180
notify_scan_min_period = 10
summary_update_batch_size = 10
summary_registration_batch_size = 1000
decommission_node_force_timeout = 300
buckets_per_addpeer = 1000
max_nonhot_rep_kBps = 0
warm_bucket_replication_pre_upload = false
recreate_bucket_max_per_service = 20000
bucketsize_upload_preference = largest
upload_rectifier_timeout_secs = 2
ack_factor = 0
# Bundle encryption is on by default.
# NOTE(review): confirm which bundle and which key this refers to before
# turning it off in a local override.
enable_encrypt_bundle = true
notify_buckets_usage_period = 1m
notify_buckets_usage_batch_size = 2048
# Introspection generators. As shipped, the top-level disk_objects,
# resource_usage, kvstore and distributed-indexes entries are disabled; the
# fishbucket and bundle_replication sub-generators are explicitly enabled.
[introspection:generator:disk_objects]
disabled = true
[introspection:generator:disk_objects__summaries]
collectionPeriodInSecs = 1800
[introspection:generator:disk_objects__fishbucket]
disabled = false
[introspection:generator:disk_objects__bundle_replication]
disabled = false
[introspection:generator:resource_usage]
disabled = true
[introspection:generator:resource_usage__iostats]
disabled = true
[introspection:generator:resource_usage__iowait]
disabled = true
[introspection:generator:kvstore]
disabled = true
[introspection:distributed-indexes]
disabled = true
collectionPeriodInSecs = 3600
# Search head clustering defaults. The feature is off as shipped
# (disabled = true).
[shclustering]
disabled = true
register_replication_address =
executor_workers = 50
adhoc_searchhead = false
no_artifact_replications = false
precompress_artifacts = true
captain_is_adhoc_searchhead = false
async_replicate_on_proxy = true
preferred_captain = true
prevent_out_of_sync_captain = true
# 12-character minimum; this stanza ships no pass4SymmKey value of its own.
pass4SymmKey_minLength = 12
manual_detention = off
captain_dump_service_periods = 500
scheduling_heuristic = scheduler_load_based
long_running_jobs_poll_period = 600
election_timeout_ms = 60000
election_timeout_2_hb_ratio = 12
raft_rpc_backoff_time_ms = 5000
# lowlevel timeouts for intra-cluster communication
cxn_timeout = 60
send_timeout = 60
rcv_timeout = 60
# lowlevel timeouts for intra-cluster communication for the raft protocol
cxn_timeout_raft = 2
send_timeout_raft = 5
rcv_timeout_raft = 5
log_heartbeat_append_entries = false
# replication channel timeouts
rep_cxn_timeout = 60
rep_send_timeout = 60
rep_rcv_timeout = 60
rep_max_send_timeout = 600
rep_max_rcv_timeout = 600
# only valid for mode=manager
# NOTE(review): this stanza sets no 'mode' key in this file; the mode wording
# here and on the 'mode=peer' comment below looks carried over from
# [clustering] - confirm which member role each group applies to.
replication_factor = 3
heartbeat_timeout = 60
restart_timeout = 600
quiet_period = 60
max_peer_rep_load = 5
target_wait_time = 150
percent_peers_to_restart = 10
rolling_restart_with_captaincy_exchange = true
access_logging_for_heartbeats=false
rolling_restart = restart
decommission_search_jobs_wait_secs = 180
# only needed for mode=peer
heartbeat_period = 5
enableS2SHeartbeat = true
s2sHeartbeatTimeout = 600
# proxying related
sid_proxying = true
ss_proxying = true
ra_proxying = true
alert_proxying = true
csv_journal_rows_per_hb = 10000
#
# Replicate changes to UI- and search-related configurations.
#
# The conf_replication_include.<name> keys select, per .conf file, whether it
# is part of replication. As shipped, the credential-bearing files
# (authentication, passwd, passwords) are set to true, so their contents are
# carried between cluster members; the protection of that data in transit
# rests on the TLS and pass4SymmKey settings of the deployment.
conf_replication_period = 5
conf_replication_max_pull_count = 1000
conf_replication_max_push_count = 100
conf_replication_max_json_value_size = 15MB
conf_replication_include.alert_actions = true
conf_replication_include.authentication = true
conf_replication_include.authorize = true
conf_replication_include.collections = true
conf_replication_include.commands = true
conf_replication_include.datamodels = true
conf_replication_include.event_renderers = true
conf_replication_include.eventtypes = true
conf_replication_include.federated = true
conf_replication_include.fields = true
conf_replication_include.field_filters = true
conf_replication_include.global-banner = true
conf_replication_include.health = true
conf_replication_include.history = false
conf_replication_include.html = true
conf_replication_include.limits = true
conf_replication_include.literals = true
conf_replication_include.lookups = true
conf_replication_include.macros = true
conf_replication_include.manager = true
conf_replication_include.models = true
conf_replication_include.multikv = true
conf_replication_include.nav = true
conf_replication_include.panels = true
conf_replication_include.passwd = true
conf_replication_include.passwords = true
conf_replication_include.props = true
conf_replication_include.savedsearches = true
conf_replication_include.searchbnf = true
conf_replication_include.searchscripts = true
conf_replication_include.segmenters = true
conf_replication_include.tags = true
conf_replication_include.telemetry = true
conf_replication_include.tos = true
conf_replication_include.times = true
conf_replication_include.transforms = true
conf_replication_include.transactiontypes = true
conf_replication_include.ui-prefs = true
conf_replication_include.ui-tour = true
conf_replication_include.user-prefs = true
conf_replication_include.views = true
conf_replication_include.viewstates = true
conf_replication_include.workflow_actions = true
conf_replication_include.workload_pools = true
conf_replication_include.workload_rules = true
conf_replication_include.workload_policy = true
conf_replication_include.metric_rollups = true
conf_replication_include.metric_alerts = true
conf_replication_include.web-features = true
# Includelists and excludelists for configuration replication summaries.
# The includelists cover local/ directories and local.meta, the passwd file,
# lookups, and system/replication/*.json; the excludelist drops lookup
# temporary and index files.
conf_replication_summary.includelist.refine.local = (system|(apps/*)|users(/_reserved)?/*/*)/(local/...|metadata/local.meta)
conf_replication_summary.includelist.passwd = passwd
conf_replication_summary.includelist.lookups = (system|(apps/*)|users(/_reserved)?/*/*)/lookups/*
conf_replication_summary.includelist.repo = system/replication/*.json
conf_replication_summary.excludelist.lookup_index = (system|(apps/*)|users(/_reserved)?/*/*)/lookups/*.(tmp$|index($|/...))
conf_replication_summary.concerning_file_size = 50
conf_replication_summary.period = 1m
# The spelling 'eligibile' is part of these two key names as shipped; an
# override has to use the same spelling to target them.
conf_replication_purge.eligibile_count = 20000
conf_replication_purge.eligibile_age = 1d
conf_replication_purge.period = 1h
conf_replication_find_baseline.use_bloomfilter_only = false
#
# Deploy configurations to search head cluster members.
#
conf_deploy_repository = $SPLUNK_HOME/etc/shcluster
conf_deploy_staging = $SPLUNK_HOME/var/run/splunk/deploy
conf_deploy_concerning_file_size = 50
conf_deploy_precompress_bundles = true
# Empty as shipped: no deployer URL is configured by default.
conf_deploy_fetch_url =
conf_deploy_fetch_mode = replace
# Note the space before the second comma is part of the shipped value.
artifact_status_fields = user, eai:acl.app , label
jobs_data_lite.enabled = true
jobs_data_lite.search_field_len = 100
jobs_data_lite.default_field_len = 1000000
jobs_data_lite.max_status_size_per_hb = 700
retry_autosummarize_or_data_model_acceleration_jobs = true
deployerPushThreads = 1
allow_concurrent_dispatch_savedsearch = true
# KV store defaults: enabled as shipped, on port 8191, with the wiredTiger
# storage engine.
[kvstore]
disabled = false
port = 8191
replicaset = splunkrs
# Certificate and host-name verification are both off by default for KV store
# connections; enable them in a local override where the deployment has
# certificates that can be verified.
sslVerifyServerCert = false
sslVerifyServerName = false
storageEngine=wiredTiger
storageEngineMigration = false
shutdownTimeout = 100
initAttempts = 300
initialSyncMaxFetcherRestarts = 0
delayShutdownOnBackupRestoreInProgress = false
oplogSize = 1000
dbPath = $SPLUNK_DB/kvstore
replicationWriteTimeout = 1800
clientConnectionTimeout = 10
clientSocketTimeout = 300
percRAMForCache = 15
clientConnectionPoolSize = 500
# Cache manager defaults; eviction uses an LRU policy as shipped.
# NOTE(review): units for the numeric values are not stated in this file -
# confirm them in server.conf.spec before overriding.
[cachemanager]
eviction_policy = lru
eviction_padding = 5120
max_cache_size = 0
hotlist_recency_secs = 86400
hotlist_bloom_filter_recency_hours = 360
evict_on_stable = false
batch_registration = true
# NOTE(review): presumably selects the cloud instance metadata service (IMDS)
# protocol version used by splunkd. Version 1 of that protocol is plain
# request/response with no session token; on cloud hosts, check in
# server.conf.spec whether a newer version is accepted and set it in a local
# override.
[imds]
imds_version = v1
#
# Raft statemachine stanza (disabled as shipped)
#
[raft_statemachine]
disabled = true
replicate_search_peers = false
# Rotation settings for the stderr and stdout logs; both stanzas ship the
# same values.
[stderr_log_rotation]
# 10 million bytes, or "short" megabytes
maxFileSize = 10000000
BackupIndex = 2
checkFrequency = 10
[stdout_log_rotation]
# 10 million bytes, or "short" megabytes
maxFileSize = 10000000
BackupIndex = 2
checkFrequency = 10
# Disabled as shipped.
[prometheus]
disabled = true
# Watchdog configuration
# The watchdog is enabled as shipped, with no actions configured ('actions'
# is empty).
[watchdog]
disabled = false
responseTimeout = 8
actions =
actionsInterval = 1
pstacksEndpoint = true
usePreloadedPstacks = true
# Per-component overrides of responseTimeout.
[watchdog:DispatchReaper]
responseTimeout = 30
[watchdog:SearchProcessReaper]
responseTimeout = 30
[watchdogaction:pstacks]
dumpAllThreads = true
stacksBufferSizeOrder = 14
maxStacksPerBlock = 60
batchStacksThreshold = auto
# Script action: no script path is set and the shell is not used as shipped.
# When overriding 'path', treat the target as code that runs with splunkd's
# privileges and keep it writable only by the Splunk administrator.
[watchdogaction:script]
path = ""
useShell = false
forceStop = false
forceStopOnShutdown = true
# Both signature versions are listed as shipped.
# NOTE(review): if v1 is the older scheme, check whether every node in the
# deployment supports v2 so that v1 can be dropped in a local override.
[node_auth]
signatureVersion = v1,v2
# Federated search is enabled as shipped, in transparent mode.
[federated_search]
disabled=false
transparent_mode=true
whole_search_execution_optimization=false
# Location for app backups.
[app_backup]
backup_path = $SPLUNK_HOME/var/backup
# Configuration change tracking is enabled as shipped, which gives an audit
# trail of .conf changes.
# NOTE(review): log_throttling_disabled = true reads as "throttling is off",
# which would leave log_throttling_threshold_ms unused - confirm.
[config_change_tracker]
disabled = false
mode=auto
log_throttling_disabled = true
log_throttling_threshold_ms = 10000
# Disabled as shipped. Certificate and host-name verification both default to
# off, so review them before enabling this feature in a local override.
[distributed_leases]
sslVerifyServerCert = false
sslVerifyServerName = false
disabled = true
# Alert and suppression state are kept locally as shipped.
[search_state]
alert_store = local
suppression_store = local
# URI parameter sanitisation for manager pages is on as shipped; leave it
# enabled unless a documented reason requires otherwise.
[manager_pages]
sanitize_uri_param = true
[teleport_supervisor]
disabled = false
# Limits for the local proxy: at most 10 concurrent requests and a
# 600000 ms response timeout.
[localProxy]
max_concurrent_requests = 10
response_timeout_ms = 600000
