All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I connect MS Excel to Splunk via Splunk ODBC after upgrading Splunk version?

rphillips_splk
Splunk Employee
Splunk Employee
‎09-07-2017 12:14 PM

After upgrading Splunk to 6.6.x I can no longer connect MS Excel (on a Windows 7 server) to Splunk via the Splunk ODBC driver 2.1.1.

When trying to make a connection following the steps below, The following error is displayed:
"(40) Error with HTTP API, error code: SSL connect error":

To use the Splunk ODBC Driver to get Splunk data into Microsoft Excel:
Open a new worksheet in Excel.
Click the Data tab.
In the Get External Data group, click From Other Sources, and click From Microsoft Query.
In the Choose Data Source window, click Splunk ODBC.

Environment:
(Windows 7 + Splunk ODBC 2.1.1) connecting to Splunk indexer 6.6.3

alt text

Preview file
19 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎09-07-2017 12:20 PM

In Splunk 6.6.x the default TLS version and cipher suites have been updated to:
$SPLUNK_HOME/etc/system/default/server.conf
[sslConfig]
sslVersions = tls1.2
sslVersionsForClient = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256

The Splunk ODBC driver (https://splunkbase.splunk.com/app/1606/) uses the Windows native SSL and therefore relies on the supported cipher suites in TLS/SSL for the particular version of Windows. When connecting the ODBC driver from a Windows host to a Splunk server The TLS version and cipher suites must be compatible between the two. Different Windows versions support different TLS cipher suites and priority order which can be found here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

Splunk ODBC 2.1.1 was tested when installed on a Windows 10 machine which is compatible with Splunk 6.6.x

If you are on an older version of Windows you could workaround this issue by configuring the Splunk server back to the pre 6.6.x defaults at the cost of weaker tls and cipher suites:

On the Splunk server you are trying to connect to set:

$SPLUNK_HOME/etc/system/local/server.conf
[sslConfig]
sslVersions = tls1.0,tls1.1,tls1.2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

View solution in original post

0 Karma
Reply
Solved! Jump to solution

nickjonas
New Member
‎09-04-2018 04:16 PM

To use the Splunk ODBC Driver to get Splunk data into Microsoft Excel, this is the best way to connect. data recovery Dubai help you if you are unable to connect. If there is a server issue you can older versions.

1: https://uaedatarecovery.com/data-recovery-dubai/,To use the Splunk ODBC Driver to get Splunk data into Microsoft Excel, this is the best way to connect. data recovery Dubai help you if you are unable to connect. If there is a server issue you can older versions.

0 Karma
Reply
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎09-07-2017 12:20 PM

In Splunk 6.6.x the default TLS version and cipher suites have been updated to:
$SPLUNK_HOME/etc/system/default/server.conf
[sslConfig]
sslVersions = tls1.2
sslVersionsForClient = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256

The Splunk ODBC driver (https://splunkbase.splunk.com/app/1606/) uses the Windows native SSL and therefore relies on the supported cipher suites in TLS/SSL for the particular version of Windows. When connecting the ODBC driver from a Windows host to a Splunk server The TLS version and cipher suites must be compatible between the two. Different Windows versions support different TLS cipher suites and priority order which can be found here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

Splunk ODBC 2.1.1 was tested when installed on a Windows 10 machine which is compatible with Splunk 6.6.x

If you are on an older version of Windows you could workaround this issue by configuring the Splunk server back to the pre 6.6.x defaults at the cost of weaker tls and cipher suites:

On the Splunk server you are trying to connect to set:

$SPLUNK_HOME/etc/system/local/server.conf
[sslConfig]
sslVersions = tls1.0,tls1.1,tls1.2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...