Configuring TLS for Forwarding

shocko
Contributor

I have noticed that my Splunk Enterprise 8.2.4 (all Windows) indexers are listening on TCP 9997 and forwarders are forwarding payloads in plaintext across the network, which security are naturally not happy with. So I'd like to use my PKI to issue some certificates for the indexer to start with (I'll worry about client certificates and mutual authentication down the line). I run a master, one search head and an indexer cluster with two nodes.

The guides seem to be clear enough on how to create the additional listener etc., but one thing is confusing me. The guide indicates to create the SSL listener and config under $SPLUNK_HOME/etc/system/local/inputs.conf, but on my indexers the existing listener is under etc\apps\search\local\inputs.conf

SanjayReddy
SplunkTrust

Hi @shocko

It seems the inputs.conf is created under /search/local/.

This configuration also works. Splunk first looks for config under /system/local/; if it doesn't find it there, it looks in other directories as part of precedence.

shocko
Contributor

I see no mention of the /search/ directory though in that document. Have I missed something?

PickleRick
SplunkTrust

From the configuration point of view, search is just another app.

It's a matter of convention and convenience usually. If you prepare config files by hand you usually split them logically into apps so you might for example have an app dedicated to a particular input or input type. This way you have granular control over the resulting configuration if you push some apps to forwarders.

But if you're configuring your Splunk instance from the web UI, since you're doing it mostly in the search app (if we're talking about the "generic" Splunk settings), the settings land in the search app's directory.
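
One way to find every place a forwarding listener is defined, as an added example that is not part of the original thread: it scans `system/local` and each app's `local` directory for `splunktcp` and `splunktcp-ssl` stanzas and reports the plaintext ones that are still enabled. The sample tree, ports 9996 and 9998, the `legacy` app and the certificate path are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches [splunktcp://9997], [splunktcp://host:9997], [splunktcp:9997], [splunktcp-ssl:9998]
STANZA = re.compile(r"^\[(splunktcp(?:-ssl)?):(?:.*\D)?(\d+)\]$")

def find_listeners(etc_dir):
    """List enabled splunktcp / splunktcp-ssl stanzas in system/local and apps/*/local."""
    etc = Path(etc_dir)
    files = sorted(etc.glob("system/local/inputs.conf"))
    files += sorted(etc.glob("apps/*/local/inputs.conf"))
    found = []
    for conf in files:
        current = None  # listener stanza the following key = value lines belong to
        for raw in conf.read_text().splitlines():
            line = raw.strip()
            if line.startswith("["):
                m = STANZA.match(line)
                current = None
                if m:
                    current = {"file": conf.relative_to(etc).as_posix(),
                               "kind": m.group(1), "port": int(m.group(2)),
                               "disabled": False}
                    found.append(current)
            elif current and "=" in line and not line.startswith("#"):
                key, value = (part.strip() for part in line.split("=", 1))
                if key == "disabled":
                    current["disabled"] = value.lower() in ("1", "true")
    return [entry for entry in found if not entry["disabled"]]

def plaintext_listeners(etc_dir):
    """Return (file, port) for every enabled listener that is not splunktcp-ssl."""
    return [(e["file"], e["port"]) for e in find_listeners(etc_dir)
            if e["kind"] == "splunktcp"]

def build_sample_tree(root):
    """Constructed layout: ports 9996/9998, app 'legacy' and the cert path are made up."""
    samples = {
        "apps/search/local/inputs.conf": "[splunktcp://9997]\nconnection_host = ip\n",
        "apps/legacy/local/inputs.conf": "[splunktcp://9996]\ndisabled = 1\n",
        "system/local/inputs.conf": "[splunktcp-ssl:9998]\n\n[SSL]\nserverCert = <path-to-cert.pem>\n",
    }
    for rel, text in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as etc:
        build_sample_tree(etc)
        for file, port in plaintext_listeners(etc):
            print(f"plaintext listener on {port} defined in {file}")
```

Point `plaintext_listeners` at `$SPLUNK_HOME/etc` on an indexer to see which files still define a cleartext port. `splunk btool inputs list --debug` prints the merged configuration together with the file each setting came from.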
