
Stream Splunk_SSLActivity - no common name


Hello! I have deployed Splunk Stream v7.1.3 and configured it to collect Splunk_SSLActivity.

Events are coming through but the SSL Activity Informational Dashboards do not work.

Other dashboards/events are fine (e.g. HTTP, DNS), but when I look at the Splunk_SSLActivity data there is no common name/domain name.
I do have a field "ssl_subject" which sometimes contains CN = * OR CN = SplunkDefaultCert. In some events there is just "CN":

C = US, postalCode = 90000, ST = California, L = Newport, street = 1 PCH, O = Splunk, OU = Information Security, OU = Issued through Splunk, OU = InstantSSL Pro, CN

It looks like the app is expecting a field which isn't extracted, although both the TA and the App are installed (this is SplunkCloud) and the data is forwarded directly from Windows and Linux hosts (UF -> SplunkCloud).

I'm not sure if I can totally trust the data, and while I can extract the field to match the dashboard, I am more concerned about WHY it's not working.

Any tips would be greatly appreciated!!


0 Karma
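The subject strings quoted above are OpenSSL-style one-line distinguished names, and the interesting case is the last one: the record ends in a bare "CN" with no "= value", which is different from a record where CN is absent or where CN is a wildcard. The following is an added example (not code from the post, from Splunk Stream or from the SSL Activity app) that parses such strings and labels each record so the truncated ones can be separated from the trustworthy ones before they feed a dashboard. The sample subjects are constructed, modelled on the values in the post; the attribute order and the escaped-comma handling are assumptions about the string format, not something the post confirms.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample ssl_subject values, modelled on the strings quoted in the post.
SAMPLE_SUBJECTS = [
    "CN = *",
    "CN = SplunkDefaultCert",
    "C = US, postalCode = 90000, ST = California, L = Newport, street = 1 PCH, "
    "O = Splunk, OU = Information Security, OU = Issued through Splunk, "
    "OU = InstantSSL Pro, CN",
]

# Split on commas that are not backslash-escaped (assumed OpenSSL one-line DN escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(subject: str) -> List[Tuple[str, Optional[str]]]:
    """Parse a one-line DN into ordered (attribute, value) pairs.

    An attribute that appears without '= value' (the bare trailing 'CN' in the post)
    is kept with value None, so callers can tell 'value missing' from 'attribute absent'.
    Repeated attributes such as multiple OU entries are all preserved.
    """
    pairs: List[Tuple[str, Optional[str]]] = []
    for rdn in _RDN_SPLIT.split(subject):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        attr = attr.strip()
        if not sep:
            pairs.append((attr, None))          # attribute present, value truncated/missing
        else:
            pairs.append((attr, value.strip().replace("\\,", ",")))
    return pairs


def common_name(subject: str) -> Optional[str]:
    """Return the CN value, or None when CN is absent or has no value."""
    for attr, value in parse_dn(subject):
        if attr.upper() == "CN":
            return value
    return None


def classify_subject(subject: str) -> str:
    """Label a subject for triage: 'ok', 'wildcard', 'truncated_cn' or 'no_cn'."""
    pairs = parse_dn(subject)
    attrs = {attr.upper() for attr, _ in pairs}
    if "CN" not in attrs:
        return "no_cn"
    cn = common_name(subject)
    if cn is None:
        return "truncated_cn"
    if cn.startswith("*"):
        return "wildcard"
    return "ok"


def summarize(subjects: List[str]) -> Dict[str, int]:
    """Count how many records fall into each class; useful before trusting a dashboard."""
    counts: Dict[str, int] = {}
    for subject in subjects:
        label = classify_subject(subject)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        print(f"{classify_subject(subject):13s} CN={common_name(subject)!r}")
    print(summarize(SAMPLE_SUBJECTS))
```

Running this over the three constructed samples labels them wildcard, ok and truncated_cn respectively. The same split can be reproduced in a search by extracting CN with a regex that requires "= value" and then checking separately for a bare trailing "CN", which gives a count of how many records are affected rather than a guess about whether the field is trustworthy.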