All Apps and Add-ons

How can I connect MS Excel to Splunk via Splunk ODBC after upgrading Splunk version?

Splunk Employee
Splunk Employee

After upgrading Splunk to 6.6.x I can no longer connect MS Excel (on a Windows 7 server) to Splunk via the Splunk ODBC driver 2.1.1.

When trying to make a connection following the steps below, The following error is displayed:
"(40) Error with HTTP API, error code: SSL connect error":

To use the Splunk ODBC Driver to get Splunk data into Microsoft Excel:
Open a new worksheet in Excel.
Click the Data tab.
In the Get External Data group, click From Other Sources, and click From Microsoft Query.
In the Choose Data Source window, click Splunk ODBC.

Environment:
(Windows 7 + Splunk ODBC 2.1.1) connecting to Splunk indexer 6.6.3

alt text

0 Karma
1 Solution

Splunk Employee
Splunk Employee

In Splunk 6.6.x the default TLS version and cipher suites have been updated to:
$SPLUNK_HOME/etc/system/default/server.conf
[sslConfig]
sslVersions = tls1.2
sslVersionsForClient = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256

The Splunk ODBC driver (https://splunkbase.splunk.com/app/1606/) uses the Windows native SSL and therefore relies on the supported cipher suites in TLS/SSL for the particular version of Windows. When connecting the ODBC driver from a Windows host to a Splunk server The TLS version and cipher suites must be compatible between the two. Different Windows versions support different TLS cipher suites and priority order which can be found here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

Splunk ODBC 2.1.1 was tested when installed on a Windows 10 machine which is compatible with Splunk 6.6.x

If you are on an older version of Windows you could workaround this issue by configuring the Splunk server back to the pre 6.6.x defaults at the cost of weaker tls and cipher suites:

On the Splunk server you are trying to connect to set:

$SPLUNK_HOME/etc/system/local/server.conf
[sslConfig]
sslVersions = tls1.0,tls1.1,tls1.2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

View solution in original post

0 Karma

New Member

To use the Splunk ODBC Driver to get Splunk data into Microsoft Excel, this is the best way to connect. data recovery Dubai help you if you are unable to connect. If there is a server issue you can older versions.

1: https://uaedatarecovery.com/data-recovery-dubai/,To use the Splunk ODBC Driver to get Splunk data into Microsoft Excel, this is the best way to connect. data recovery Dubai help you if you are unable to connect. If there is a server issue you can older versions.

0 Karma

Splunk Employee
Splunk Employee

In Splunk 6.6.x the default TLS version and cipher suites have been updated to:
$SPLUNK_HOME/etc/system/default/server.conf
[sslConfig]
sslVersions = tls1.2
sslVersionsForClient = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256

The Splunk ODBC driver (https://splunkbase.splunk.com/app/1606/) uses the Windows native SSL and therefore relies on the supported cipher suites in TLS/SSL for the particular version of Windows. When connecting the ODBC driver from a Windows host to a Splunk server The TLS version and cipher suites must be compatible between the two. Different Windows versions support different TLS cipher suites and priority order which can be found here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

Splunk ODBC 2.1.1 was tested when installed on a Windows 10 machine which is compatible with Splunk 6.6.x

If you are on an older version of Windows you could workaround this issue by configuring the Splunk server back to the pre 6.6.x defaults at the cost of weaker tls and cipher suites:

On the Splunk server you are trying to connect to set:

$SPLUNK_HOME/etc/system/local/server.conf
[sslConfig]
sslVersions = tls1.0,tls1.1,tls1.2
sslVersionsForClient = *,-ssl2
cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

View solution in original post

0 Karma