Splunk_Docker/files/splunkbeta/etc/system/default/outputs.conf

#   Version 9.2.2.20240415
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local  
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.

[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker)
forwardedindex.filter.disable = false
indexAndForward = false
blockOnCloning = true
compressed = false
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
heartbeatFrequency = 30
maxFailuresPerInterval = 2
secsInFailureInterval = 1
maxConnectionsPerIndexer = 2
forceTimebasedAutoLB = false
sendCookedData = true
connectionTimeout = 20 
readTimeout = 300
writeTimeout = 300 
tcpSendBufSz = 0
ackTimeoutOnShutdown = 30
useACK = false
blockWarnThreshold = 100
sslQuietShutdown = false
useClientSSLCompression = true
enableOldS2SProtocol = false
autoLBVolume = 0
maxQueueSize = auto
connectionTTL = 0
autoLBFrequency = 30
# The following provides modern TLS configuration that guarantees forward-
# secrecy and efficiency. This configuration drops support for old Splunk
# versions (Splunk 5.x and earlier).
# To add support for Splunk 5.x set sslVersions to tls and add this to the
# end of cipherSuite:
#     DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA
# and this, in case Diffie Hellman is not configured:
#     AES256-SHA:AES128-SHA
sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

[syslog]
type = udp
priority = <13>
maxEventSize = 1024

[rfs]
partitionBy = legacy
batchTimeout = 30
batchSizeThresholdKB = 131072
dropEventsOnUploadError = false
compression = zstd
compressionLevel = 3
format = json
format.json.index_time_fields = true
format.ndjson.index_time_fields = true
fs.appendToFileUntilSizeMB = 2048
fs.timeBeforeClosingFileSecs = 30
Inital Commit 8 months ago			`# Version 9.2.2.20240415`
			`# DO NOT EDIT THIS FILE!`
			`# Changes to default files will be lost on update and are difficult to`
			`# manage and support.`
			`#`
			`# Please make any changes to system defaults by overriding them in`
			`# apps or $SPLUNK_HOME/etc/system/local`
			`# (See "Configuration file precedence" in the web documentation).`
			`#`
			`# To override a specific setting, copy the name of the stanza and`
			`# setting to the file where you wish to override it.`

			`[tcpout]`
			`forwardedindex.0.whitelist = .*`
			`forwardedindex.1.blacklist = _.*`
			`forwardedindex.2.whitelist = (_audit\|_internal\|_introspection\|_telemetry\|_metrics\|_metrics_rollup\|_configtracker)`
			`forwardedindex.filter.disable = false`
			`indexAndForward = false`
			`blockOnCloning = true`
			`compressed = false`
			`disabled = false`
			`dropClonedEventsOnQueueFull = 5`
			`dropEventsOnQueueFull = -1`
			`heartbeatFrequency = 30`
			`maxFailuresPerInterval = 2`
			`secsInFailureInterval = 1`
			`maxConnectionsPerIndexer = 2`
			`forceTimebasedAutoLB = false`
			`sendCookedData = true`
			`connectionTimeout = 20`
			`readTimeout = 300`
			`writeTimeout = 300`
			`tcpSendBufSz = 0`
			`ackTimeoutOnShutdown = 30`
			`useACK = false`
			`blockWarnThreshold = 100`
			`sslQuietShutdown = false`
			`useClientSSLCompression = true`
			`enableOldS2SProtocol = false`
			`autoLBVolume = 0`
			`maxQueueSize = auto`
			`connectionTTL = 0`
			`autoLBFrequency = 30`
			`# The following provides modern TLS configuration that guarantees forward-`
			`# secrecy and efficiency. This configuration drops support for old Splunk`
			`# versions (Splunk 5.x and earlier).`
			`# To add support for Splunk 5.x set sslVersions to tls and add this to the`
			`# end of cipherSuite:`
			`# DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA`
			`# and this, in case Diffie Hellman is not configured:`
			`# AES256-SHA:AES128-SHA`
			`sslVersions = tls1.2`
			`cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-SHA256`
			`ecdhCurves = prime256v1, secp384r1, secp521r1`

			`[syslog]`
			`type = udp`
			`priority = <13>`
			`maxEventSize = 1024`

			`[rfs]`
			`partitionBy = legacy`
			`batchTimeout = 30`
			`batchSizeThresholdKB = 131072`
			`dropEventsOnUploadError = false`
			`compression = zstd`
			`compressionLevel = 3`
			`format = json`
			`format.json.index_time_fields = true`
			`format.ndjson.index_time_fields = true`
			`fs.appendToFileUntilSizeMB = 2048`
			`fs.timeBeforeClosingFileSecs = 30`