Currently _internal is enabled, but we wanted to disable this from Splunk Web. I tried to do so by going to Splunk --> Settings --> Data --> Indexes --> _internal --> Status --> Disable. When I disabled it, it threw the following error:
Error occurred attempting to disable _internal: In handler 'indexes': cannot disable idx=_internal, is internal.
Kindly let us know how to disable this index from the search.
Thanks in advance.
No, you cannot and should not disable _internal indexes. You need that information for troubleshooting and such things.
Best practice is to configure your search heads to forward to your indexers, and the required internal events will all go to the indexers instead.
Your etc\system\local\outputs.conf should look something like this:
[tcpout]
defaultGroup = default-autolb-group
indexAndForward = 0
[tcpout:default-autolb-group]
server = your_indexer:9997
useACK=true
[tcpout-server://your_indexer:9997]
Similar question at unable to delete indexes
However, I don't see a solution in this thread.
One thing we did recently was to change the retention period of the _internal index, which doesn't answer your question ;-)
Another idea at Is it possible to disable the main index?
It's by woodcock, who said:
I think you can't disable internal indexes. You can prohibit someone from searching it with the user roles; just allow the user roles to access the non-internal indexes.
Yep. _internal contains all kinds of helpful troubleshooting data. I can't imagine why you would want to disable it. If it's growing too large, limit the size or retention period. If you don't want some users to be able to search it, do as gfreitas says and remove their access. It's configured in the user's role.
http://docs.splunk.com/Documentation/Splunk/6.4.1/Security/SetupuserauthenticationwithSplunk
Thanks Jeremiah. Though it's enabled, when I tried to execute the query below to find out whether indexer and forwarder communication is using SSL or not, it shows no results found.
index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table hostname sourceIp fwdType version destPort ssl
I even tried to execute index=_internal source=*metrics.log*
It did not fetch any output. The time frame was set to the last 7 days.
Do guide me if there is any other option to figure out whether the indexer and forwarders are using default root SSL certificate or not.
Thanks in advance.
Okay, initially the _internal index was disabled, but I had enabled it to test the SPL query below, and when I tried to disable the index again it threw the error.
Query to find out whether indexer and forwarder communication is using SSL or not:
index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table hostname sourceIp fwdType version destPort ssl
So is there a way to disable the _internal index from this search portal? Thanks in advance.
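The same check as the query above (latest tcpin_connections event per hostname, with its ssl value), run over metrics.log lines directly instead of through index=_internal, as an added example that is not part of the original thread. The sample lines are constructed and their comma-separated key=value layout is an assumption; only the field names come from the query, and the function names are hypothetical.

```python
import re

# Constructed sample lines (not real data). Assumed layout: comma-separated
# key=value pairs carrying the fields the SPL query above tabulates.
SAMPLE_METRICS = """\
06-01-2016 10:00:01.100 +0000 INFO  Metrics - group=tcpin_connections, sourceIp=10.0.0.11, destPort=9997, ssl=false, hostname=web01, fwdType=uf, version=6.4.1
06-01-2016 10:00:01.100 +0000 INFO  Metrics - group=tcpin_connections, sourceIp=10.0.0.12, destPort=9998, ssl=true, hostname=db01, fwdType=uf, version=6.4.1
06-01-2016 10:00:01.100 +0000 INFO  Metrics - group=queue, name=parsingqueue, current_size=0
06-01-2016 10:00:31.100 +0000 INFO  Metrics - group=tcpin_connections, sourceIp=10.0.0.11, destPort=9998, ssl=true, hostname=web01, fwdType=uf, version=6.4.1
06-01-2016 10:00:31.100 +0000 INFO  Metrics - group=tcpin_connections, sourceIp=10.0.0.13, destPort=9997, hostname=app01, fwdType=full, version=6.3.0
"""

FIELDS = ("hostname", "sourceIp", "fwdType", "version", "destPort", "ssl")
KV = re.compile(r"(\w+)=([^,\s]+)")


def forwarder_table(lines):
    """Latest tcpin_connections event per hostname, like `dedup hostname | table ...`."""
    latest = {}
    for line in lines:
        kv = dict(KV.findall(line))
        if kv.get("group") != "tcpin_connections" or "hostname" not in kv:
            continue  # other metrics groups, or a line without a hostname
        # The log is appended in time order, so a later line replaces an earlier one.
        latest[kv["hostname"]] = {f: kv.get(f, "unknown") for f in FIELDS}
    return sorted(latest.values(), key=lambda row: row["hostname"])


def not_using_ssl(rows):
    """Hostnames whose latest event does not positively report ssl=true."""
    return [row["hostname"] for row in rows if row["ssl"].lower() != "true"]


if __name__ == "__main__":
    rows = forwarder_table(SAMPLE_METRICS.splitlines())
    for row in rows:
        print("  ".join(f"{f}={row[f]}" for f in FIELDS))
    print("not confirmed SSL:", not_using_ssl(rows))
```

A forwarder whose event carries no ssl field is reported as not confirmed rather than assumed encrypted. As with the query, this shows only whether SSL is in use, not which certificate is presented.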