I have a distributed Splunk architecture and I am trying to optimise/trim the received logs using Ingest actions features. However, I have the below error :
- I tried to create new rule set on the Heavey forwarder and indexer , but it returned with the error message "this endpoint will reject all requests until pass4SymmKey has been properly set."
So, I want to check where should I implement this feature on Indexer or HF? and is there any pre-request to implement it?
Your outputs.conf will need to match the pass4SymmKey set on the CM and IDX layer - since you are trying to reduce existing logs I want to assume that was already done but I'm not certain based on your explanation of the error message.
Since the metrics logs are abundant and it's hard to think that HF performance matters at 30 seconds frequency I would recommend changing the collection interval and keep the rest if possible.
I think the issue is related to pass4SymmKey, have you ever change that key? If so, please share what files should be changed? and if you have any guideline for that, this will be much helpful.
