splunk / splunk-ansible

Ansible playbooks for configuring and managing Splunk Enterprise and Universal Forwarder deployments

add audit_trail to default apps #859

Closed jmeixensperger closed 1 month ago

jmeixensperger commented 1 month ago

This addresses a new behavior in Splunk 9.4.0 where the audit_trail app is shipped with Splunk by default. Updating the default apps here allows us to skip disabling the app on the deployer (shc) and cluster_master (idxc) roles.

In our prelim testing of 9.4.0 with SHC enabled, we observed that audit_trail cannot be disabled on the deployer and throws a cgroup error in the ansible.log.