I am trying to secure master <-> indexer communication with server certificates signed by our own company rootCA.
The reason is: forwarding master data to the indexers so the master does not index any data itself.
I created certificates for my servers according to the Splunk documentation.
For the sake of this example I will call the server certificate: servercert.pem
And I will call the rootCA certificate: rootcacert.pem
Let's start with the formatting of the certificates:
The servercert.pem looks like
- servercert in pem format
- privatekey in rsa format (encrypted with secret-key)
- subCAcert in pem format (yes, we have a subCA)
- rootCAcert in pem format
The rootcacert.pem looks like
- rootCAcert in pem format (no subCAcert, only the rootCAcert)
On the master the outputs.conf looks like this:
[tcpout]
defaultGroup = Splunk_Indexers
[tcpout:Splunk_Indexer]
server = indexer1:9997,indexer2:9997
[tcpout-server://indexer1.ex.amp.le.de:9997]
sslRootCAPath = /opt/splunk/etc/auth/splunkforwarder/rootcacert.pem
sslCertPath = /opt/splunk/etc/auth/splunkforwarder/servercert.pem
sslPassword = <secret-key>
sslVerifyServerCert = true
sslCommonNameToCheck = indexer1.ex.amp.le.de
[tcpout-server://indexer2.ex.amp.le.de:9997]
sslRootCAPath = /opt/splunk/etc/auth/splunkforwarder/rootcacert.pem
sslCertPath = /opt/splunk/etc/auth/splunkforwarder/servercert.pem
sslPassword = <secret-key>
sslVerifyServerCert = true
sslCommonNameToCheck = indexer2.ex.amp.le.de
On the indexers the inputs.conf (distributed to them via the cluster bundle) looks like this:
[SSL]
rootCA = /opt/splunk/etc/auth/receiver/rootcacert.pem
serverCert = /opt/splunk/etc/auth/receiver/servercert.pem
password = <secret-key>
[splunktcp-ssl:9997]
compressed = true
Side note: I created directories called splunkforwarder and receiver so it is easier to understand which certificate resides where on the system.
If I open splunkd.log on the master I find the following error:
ERROR TcpOutputFd - Read error. Connection reset by peer
On the indexers splunkd.log looks like this:
ERROR TcpInputProc - Error encountered for connection from src=:38953. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Help would be hugely appreciated, because I have been working on this problem since Monday!
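One check a reader can run against the outputs.conf above, added here as an example and not part of the original post or of Splunk itself: a small, hypothetical Python lint that flags stanza names that do not line up with each other. It assumes that a [tcpout-server://host:port] stanza only takes effect for a server entry spelled exactly the same way, and that defaultGroup must name an existing [tcpout:...] stanza; the sample config is constructed from the post.

```python
"""Consistency lint for a Splunk outputs.conf (hypothetical, configparser-based)."""
import configparser

# Constructed sample reproducing the stanza names from the post above.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = Splunk_Indexers

[tcpout:Splunk_Indexer]
server = indexer1:9997,indexer2:9997

[tcpout-server://indexer1.ex.amp.le.de:9997]
sslRootCAPath = /opt/splunk/etc/auth/splunkforwarder/rootcacert.pem
sslVerifyServerCert = true

[tcpout-server://indexer2.ex.amp.le.de:9997]
sslRootCAPath = /opt/splunk/etc/auth/splunkforwarder/rootcacert.pem
sslVerifyServerCert = true
"""


def lint_outputs_conf(text):
    """Return a list of problems found; an empty list means the stanzas line up."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    problems = []
    groups = {s[len("tcpout:"):]: s for s in cp.sections() if s.startswith("tcpout:")}
    default = cp.get("tcpout", "defaultGroup", fallback=None)
    if default and default not in groups:
        problems.append(f"defaultGroup '{default}' has no [tcpout:{default}] stanza")
    # Collect every host:port string that some tcpout group actually targets.
    targets = set()
    for section in groups.values():
        for entry in cp.get(section, "server", fallback="").split(","):
            if entry.strip():
                targets.add(entry.strip())
    # Assumption: per-server SSL settings only apply when the stanza name
    # matches one of those target strings character for character.
    for s in cp.sections():
        if s.startswith("tcpout-server://"):
            hostport = s[len("tcpout-server://"):]
            if hostport not in targets:
                problems.append(f"[{s}] matches no 'server' entry (have: {sorted(targets)})")
    return problems


if __name__ == "__main__":
    for p in lint_outputs_conf(SAMPLE_OUTPUTS_CONF):
        print("WARN:", p)
```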