
How can I connect MS Excel to Splunk via Splunk ODBC after upgrading Splunk version?

rphillips_splk
Splunk Employee

After upgrading Splunk to 6.6.x I can no longer connect MS Excel (on a Windows 7 server) to Splunk via the Splunk ODBC driver 2.1.1.

When trying to make a connection following the steps below, the following error is displayed:
"(40) Error with HTTP API, error code: SSL connect error"

To use the Splunk ODBC Driver to get Splunk data into Microsoft Excel:
1. Open a new worksheet in Excel.
2. Click the Data tab.
3. In the Get External Data group, click From Other Sources, and click From Microsoft Query.
4. In the Choose Data Source window, click Splunk ODBC.

Environment:
(Windows 7 + Splunk ODBC 2.1.1) connecting to Splunk indexer 6.6.3

0 Karma
1 Solution

rphillips_splk
Splunk Employee

In Splunk 6.6.x the default TLS version and cipher suites have been updated to:
$SPLUNK_HOME/etc/system/default/server.conf
[sslConfig]
sslVersions = tls1.2
sslVersionsForClient = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256

The Splunk ODBC driver (https://splunkbase.splunk.com/app/1606/) uses the Windows native SSL and therefore relies on the supported cipher suites in TLS/SSL for the particular version of Windows. When connecting the ODBC driver from a Windows host to a Splunk server, the TLS version and cipher suites must be compatible between the two. Different Windows versions support different TLS cipher suites and priority order, which can be found here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

Splunk ODBC 2.1.1 was tested when installed on a Windows 10 machine, which is compatible with Splunk 6.6.x.

If you are on an older version of Windows, you could work around this issue by configuring the Splunk server back to the pre-6.6.x defaults, at the cost of weaker TLS and cipher suites:

On the Splunk server you are trying to connect to, set:

$SPLUNK_HOME/etc/system/local/server.conf
[sslConfig]
sslVersions = tls1.0,tls1.1,tls1.2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH


0 Karma
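The following Python sketch is an added example, not part of the original answer or of Splunk's tooling. It audits the two [sslConfig] stanzas quoted above, showing what the workaround re-enables and why a client limited to an older protocol version fails against the 6.6.x default. Assumptions: `*` is modelled as the five versions in `ALL`, suites are classified by their OpenSSL names, and the TLS 1.0-only client is a constructed stand-in.

```python
import configparser

ALL = ["ssl2", "ssl3", "tls1.0", "tls1.1", "tls1.2"]  # versions this model knows
LEGACY = {"ssl2", "ssl3", "tls1.0", "tls1.1"}
# The two [sslConfig] stanzas quoted in the answer above.
DEFAULT_66 = """[sslConfig]
sslVersions = tls1.2
sslVersionsForClient = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256
"""
WORKAROUND = """[sslConfig]
sslVersions = tls1.0,tls1.1,tls1.2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
"""

def expand_versions(value):
    """Splunk list syntax: '*' = every version, 'tls' = TLS 1.0+, '-x' removes x."""
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    groups = {"*": ALL, "tls": [v for v in ALL if v.startswith("tls")]}
    enabled = {v for t in tokens if not t.startswith("-") for v in groups.get(t, [t])}
    return enabled - {t[1:] for t in tokens if t.startswith("-")}

def audit(conf_text):
    """Summarise the protocol versions and cipher list a stanza enables on the server."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    versions = expand_versions(cp["sslConfig"]["sslVersions"])
    ciphers = cp["sslConfig"]["cipherSuite"]
    # '+', '@' and '!' mark an OpenSSL selection expression, not a list of suite names.
    explicit = not any(c in ciphers for c in "+@!")
    suites = ciphers.split(":") if explicit else []
    return {
        "versions": versions,
        "legacy": sorted(versions & LEGACY),
        "explicit_list": explicit,
        "no_forward_secrecy": [s for s in suites if not s.startswith(("ECDHE-", "DHE-"))],
        "cbc": [s for s in suites if "GCM" not in s],
    }

def best_common_version(conf_text, client_versions):
    """Highest protocol version both sides enable, or None (the handshake fails)."""
    common = audit(conf_text)["versions"] & set(client_versions)
    return max(common, key=ALL.index) if common else None

if __name__ == "__main__":  # constructed client that only enables TLS 1.0
    for conf in (DEFAULT_66, WORKAROUND):
        print(audit(conf)["legacy"], best_common_version(conf, ["tls1.0"]))
```

When `explicit_list` is false the cipher string is an expression, so the suites it actually selects depend on the server's OpenSSL build and have to be listed there.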
