<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Opencti addon on Splunk cluster in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Opencti-addon-on-Splunk-cluster/m-p/754125#M119705</link>
    <description>&lt;P&gt;Hello, is Splunk opencti addon compatible on Splunk cluster (shc)?&lt;/P&gt;&lt;P&gt;From 2/3 search heads we are getting this error: "2025-10-09 16:22:56,618 ERROR pid=31312 tid=MainThread file=base_modinput.py:log_error:309 | Error in ListenStream loop, exit, reason: HTTPSConnectionPool(host='sXXX.XXX.XXX', port=8080): Max retries exceeded with url: /stream/4484559f-66f8-4107-9afc-1d9c141377fb?recover=2025-07-22T10:27:24Z (Caused by SSLError(SSLError(1, '[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:1143)')))"&lt;/P&gt;&lt;P&gt;Even if we are not configured as SSL.&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;</description>
    <pubDate>Thu, 09 Oct 2025 14:39:13 GMT</pubDate>
    <dc:creator>splunkreal</dc:creator>
    <dc:date>2025-10-09T14:39:13Z</dc:date>
    <item>
      <title>Opencti addon on Splunk cluster</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Opencti-addon-on-Splunk-cluster/m-p/754125#M119705</link>
      <description>&lt;P&gt;Hello, is Splunk opencti addon compatible on Splunk cluster (shc)?&lt;/P&gt;&lt;P&gt;From 2/3 search heads we are getting this error: "2025-10-09 16:22:56,618 ERROR pid=31312 tid=MainThread file=base_modinput.py:log_error:309 | Error in ListenStream loop, exit, reason: HTTPSConnectionPool(host='sXXX.XXX.XXX', port=8080): Max retries exceeded with url: /stream/4484559f-66f8-4107-9afc-1d9c141377fb?recover=2025-07-22T10:27:24Z (Caused by SSLError(SSLError(1, '[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:1143)')))"&lt;/P&gt;&lt;P&gt;Even if we are not configured as SSL.&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;</description>
      <pubDate>Thu, 09 Oct 2025 14:39:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Opencti-addon-on-Splunk-cluster/m-p/754125#M119705</guid>
      <dc:creator>splunkreal</dc:creator>
      <dc:date>2025-10-09T14:39:13Z</dc:date>
    </item>
    <item>
      <title>Re: Opencti addon on Splunk cluster</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Opencti-addon-on-Splunk-cluster/m-p/754129#M119706</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/171872"&gt;@splunkreal&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can you confirm, are you expecting it to be http or https? The code for this app enforces SSL vertification if using https.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can you also check the&amp;nbsp;&lt;SPAN&gt;ta_opencti_add_on_settings.conf file in $SPLUNK_HOME/etc/&amp;lt;appDir&amp;gt;/local on the SH to confirm they are all the same and that its using the expected protocol?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;You might also find this answer helpful:&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://community.splunk.com/t5/Getting-Data-In/Why-can-t-I-download-from-OpenCTI-Stream-Feed-into-Splunk/m-p/742780/highlight/true#M117993" target="_blank"&gt;https://community.splunk.com/t5/Getting-Data-In/Why-can-t-I-download-from-OpenCTI-Stream-Feed-into-Splunk/m-p/742780/highlight/true#M117993&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-unicode-emoji" title=":glowing_star:"&gt;🌟&lt;/span&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Did this answer help you?&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;If so, please consider:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Adding karma to show it was useful&lt;/LI&gt;&lt;LI&gt;Marking it as the solution if it resolved your issue&lt;/LI&gt;&lt;LI&gt;Commenting if you need any clarification&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Your feedback encourages the volunteers in this community to continue contributing&lt;/P&gt;</description>
      <pubDate>Thu, 09 Oct 2025 14:44:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Opencti-addon-on-Splunk-cluster/m-p/754129#M119706</guid>
      <dc:creator>livehybrid</dc:creator>
      <dc:date>2025-10-09T14:44:12Z</dc:date>
    </item>
    <item>
      <title>Re: Opencti addon on Splunk cluster</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Opencti-addon-on-Splunk-cluster/m-p/754130#M119707</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906"&gt;@livehybrid&lt;/a&gt;&amp;nbsp;yes it's http, do you use it on SHC cluster? We are using v1.1.5 FYI&lt;/P&gt;</description>
      <pubDate>Thu, 09 Oct 2025 14:46:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Opencti-addon-on-Splunk-cluster/m-p/754130#M119707</guid>
      <dc:creator>splunkreal</dc:creator>
      <dc:date>2025-10-09T14:46:42Z</dc:date>
    </item>
  </channel>
</rss>

