Splunk Enterprise

Need to use a different pass4SymmKey for 2 different Splunk environments

tam82
Explorer

Every time I modify the pass4SymmKey in outputs.conf that is needed to forward to a different Splunk environment, it ends up getting rewritten to the pass4SymmKey that is in server.conf.

How do I set pass4SymmKey to 2 different keys, one for my Splunk environment and one for the other environment I need to forward logs to?

0 Karma
diogofgm
SplunkTrust
SplunkTrust

Hi tam82,

If you're using pass4SymmKey, you are probably using indexer discovery in your environment.
Do you have an index_discovery stanza for each environment?

Alternatively, you can set up tcp groups with all the available indexers as targets, which do not use the pass4SymmKey, and you can change the default group.

[tcpout]
defaultGroup = group1,group2

[tcpout:group1]
server=10.1.1.197:9997

[tcpout:group2]
server=10.100.1.1:9997,10.100.1.2:9997


There are more details in the docs here:
https://docs.splunk.com/Documentation/Splunk/8.2.4/Admin/Outputsconf#outputs.conf.example 

------------
Hope I was able to help you. If so, some karma would be appreciated.

tam82
Explorer

We use index discovery for the set of indexers that I need the pass4SymmKey for (a different instance of Splunk that I do not have control of).

My heavy forwarder also sends data to my Splunk instance, which does not use the pass4SymmKey.

But every so often something will change the pass4key in the stanza back to the server's default pass4 key.

0 Karma

diogofgm
SplunkTrust
SplunkTrust

That setting should not change on its own. Are those configurations being deployed by a Deployment Server? If so, are you changing the pass4SymmKey in the HF or the DS?

Also, if you know the list of indexers of the instances you don't have access to, you can set up a group which does not use the pass4SymmKey. The pass4SymmKey is used for the HF to connect to the Cluster Manager to get a list of the available indexers and not to actually send the data.

------------
Hope I was able to help you. If so, some karma would be appreciated.
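
The setup discussed in this thread, written out as an outputs.conf sketch. This is an added example, not a configuration posted by either participant: the group and stanza names, the cluster manager hostname and the key placeholder are assumptions, and the server address is reused from the tcp group example earlier in the thread.

```ini
# outputs.conf on the heavy forwarder (added example, names are hypothetical)
# If this file is delivered by a Deployment Server, edit the copy on the DS;
# a local edit inside a deployed app is replaced on the next deployment.

[tcpout]
defaultGroup = own_env,other_env

# Own environment: static indexer list, no indexer discovery,
# so no pass4SymmKey is involved for this group.
[tcpout:own_env]
server = 10.1.1.197:9997

# Other environment: the indexer list is fetched from that
# environment's cluster manager through indexer discovery.
[tcpout:other_env]
indexerDiscovery = other_env_cm

# The key in this stanza is only used for the discovery request to the
# cluster manager named in master_uri; it is set here, per stanza, and
# is separate from the pass4SymmKey in server.conf.
# master_uri is the setting name in the 8.2 docs linked in this thread.
# The hostname and the key value below are placeholders.
[indexer_discovery:other_env_cm]
master_uri = https://cm.other-env.example:8089
pass4SymmKey = <key provided by the other environment's admins>
```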

tam82
Explorer

So if I remove the indexer discovery, then the pass4key will not matter?

0 Karma