Hi @dwaddle  and others Im stuck with couple of questions and this thread is almost close to answer it.  Im actually working on securing communication between Splunk nodes. I have 4 forwarders sending data to 3 indexers which is in cluster . I have a 1 deployment server to manage  forwarders . and have 1 cluster master: Question 1 (securing forwarder->indexers): From the Splunk documentation and this thread i understand we need to have certificates for both forwarders and indexers. But don't understand why it is required on forwarders as well? Having certificates only in indexers does the job right? . Is it because of Splunk configuration or code demands to have it in forwarders as well? Question 2 (Cluster Master->indexers) : Since we have already in production , is there any impact or precautions that needs to be taken while making communication secured  between CM and indexers. please share any link to document on the configuration .    Thanks in Advance ... View more

Hi Giuseppe, misunderstanding: For this stanza I already have crcSalt = <SOURCE> To reindex I usually use something like crcSalt = REINDEXME01 So from technical point of view it should be possible to combine both options, path and string. But this option seems not to be implemented. ... View more

You saved me a ton of troubleshooting hours by posting this. Thank you for taking the time to do it. ... View more

Thanks. That's what I expected. ... View more

sorry about that. I originally had a non capturing group where the value of 'app' was. I made it a capturing group and now the field 'app' is extracted. the error was because app did not exist. I didn't see your comment...two years ago. apologies. ... View more

Since this is an accepted answer, I have added it as a workaround. ... View more

Did you try to review the PAS app? http://dev.splunk.com/view/dev-guide/SP-CAAAE2X It's part of the developer guidance... http://dev.splunk.com/view/dev-guide/SP-CAAAE2R HTH, Holger ... View more