Instrumentation: Sharing data with Splunk Enterprise
We use Splunk to get more value from our data and to drive statistical and business-oriented decisions that improve our business quickly. In the same way, Splunk Inc. collects data from its customers' environments to improve our experience with Splunk. In their words: “Splunk Inc. collects critical data so that we can enhance the value of your investment in Splunk software.”
Why should we share data with Splunk?
- It adds value to the investment we made in Splunk, through a better user experience.
- It helps Splunk Inc. fix existing bugs, configuration problems in the software, and more.
What kind of data does Splunk collect?
Splunk collects four types of data, each in the form of a JSON packet, described below.
- Aggregated usage data: This includes any session ID or session data generated while loading a page in Splunk software, dashboard characteristics, changes to pivot data, pivot characteristics, user interactions with the search page, apps installed on search heads and peers, indexer cluster member status, replication factor, hostnames of indexers, OS info, CPU architecture, and more.
- Support usage data: There is no real difference between support usage data and aggregated usage data. It mainly helps in support cases.
- License usage data: This includes data related to the license: licensing quota and consumption, license stacking and type, license pool and its consumption, etc.
- Software version data: This includes the version of the Splunk Enterprise software, the apps installed in Splunk, and the OS. It also collects data related to user roles, CPU information, GUID, etc.
NOTE: In Splunk version 8.0.0, all data collection policies were reset to the default settings. Even if you opted out of data instrumentation (sharing data with Splunk) in a previous version, your settings will be reset after updating to 8.0.0 or above.
To view what kind of data Splunk is collecting from your instance:
Splunk collects the data from your instance through scheduled searches, which by default run every day at 3 AM.
To check what kind of data Splunk collects, go to Settings and click on Instrumentation.
And then click on Export.
This opens a dialog box:
Date Range: <date range of your data>
Data type: <select from the dropdown what kind of data you want to export>
Click on Export
After that, it shows the message “Exporting instrumentation data”.
NOTE: You can also send the data to Splunk manually by clicking Send if you have opted out of the default data collection policies.
How to opt out of sending data to Splunk:
It’s not mandatory to send data to Splunk. If your organization doesn’t want to send this data, you can opt out easily.
Disabling aggregated and support usage data:
Go to Settings and click on Instrumentation as shown in the previous steps.
Then click on the gear symbol beside Usage Data.
There you can easily disable it if you don’t want to send the data to Splunk.
Disabling license usage data:
As you can see from the above figure, the GUI does not give any option to disable License usage data or Version data.
To opt out of sending license usage data, go to $SPLUNK_HOME/etc/system/local and edit telemetry.conf. Set sendLicenseUsage to false under the [general] stanza. If there is no telemetry.conf file in your local directory, create a new one and add the following stanza.
[general]
sendLicenseUsage = false
Then restart Splunk.
Disabling software version data:
To prevent Splunk from sending the Splunk Enterprise version, go to $SPLUNK_HOME/etc/system/local and edit web.conf. Change updateCheckerBaseURL to 0 under the [settings] stanza.
[settings]
updateCheckerBaseURL = 0
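To confirm on a host that both file-based opt-outs above are actually in place, a small audit script can read the two files. This is an added example, not part of the original post: the function names conf_get and audit_optout are made up for illustration, and it assumes simple key = value lines and accepts only the values shown above.

```sh
#!/bin/sh
# Added example (not from the original post): audit the two file-based opt-outs.
# Assumes plain "key = value" lines; continuation lines are not handled.

# conf_get FILE STANZA KEY: print the last value of KEY inside [STANZA]
conf_get() {
    [ -f "$1" ] || return 0          # missing file: print nothing
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*#/  { next }                                   # comment line
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_st = ($0 == want); next }
        in_st {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# audit_optout LOCAL_DIR: return 0 only when both settings match the post
audit_optout() {
    dir=$1; rc=0
    lic=$(conf_get "$dir/telemetry.conf" general sendLicenseUsage)
    upd=$(conf_get "$dir/web.conf" settings updateCheckerBaseURL)
    if [ "$(printf '%s' "$lic" | tr 'A-Z' 'a-z')" = "false" ]; then
        echo "OK   telemetry.conf [general] sendLicenseUsage = $lic"
    else
        echo "FAIL telemetry.conf [general] sendLicenseUsage = ${lic:-<unset>}"; rc=1
    fi
    if [ "$upd" = "0" ]; then
        echo "OK   web.conf [settings] updateCheckerBaseURL = 0"
    else
        echo "FAIL web.conf [settings] updateCheckerBaseURL = ${upd:-<unset>}"; rc=1
    fi
    return $rc
}

# Check a real instance only when SPLUNK_HOME is set in the environment
if [ -n "${SPLUNK_HOME:-}" ]; then
    audit_optout "$SPLUNK_HOME/etc/system/local" || echo "opt-out incomplete"
fi
```

The script reads only etc/system/local, the directory this post edits. Running `$SPLUNK_HOME/bin/splunk btool telemetry list general --debug` shows the value Splunk resolves across all configuration layers.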
I hope you all have enjoyed “Instrumentation: Sharing data with Splunk Enterprise”