Splunk Enterprise

Ingest actions implementation

zzubidah
Loves-to-Learn Lots

Hello,

I have a distributed Splunk architecture and I am trying to optimise/trim the received logs using Ingest actions features. However, I have the below error :

- I tried to create new rule set on the Heavey forwarder and indexer , but it returned with the error message "this endpoint will reject all requests until pass4SymmKey has been properly set."

So, I want to check where should I implement this feature on Indexer or HF? and is there any pre-request to implement it?

Labels (1)
0 Karma

zzubidah
Loves-to-Learn Lots

 

 

 

0 Karma

PickleRick
SplunkTrust
SplunkTrust
0 Karma

zzubidah
Loves-to-Learn Lots

Hello Rick,

I tried Live Capture, but it gave the same error, I think the issue is related to pass4SymmKey.

pass4SymmKey.JPG

0 Karma

dural_yyz
Motivator

Your outputs.conf will need to match the pass4SymmKey set on the CM and IDX layer - since you are trying to reduce existing logs I want to assume that was already done but I'm not certain based on your explanation of the error message.

Since the metrics logs are abundant and it's hard to think that HF performance matters at 30 seconds frequency I would recommend changing the collection interval and keep the rest if possible.

0 Karma

zzubidah
Loves-to-Learn Lots

Hello Dural,

I think the issue is related to pass4SymmKey, have you ever change that key? If so, please share what files should be changed? and if you have any guideline for that, this will be much helpful.

0 Karma
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...