×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
splunker686
Explorer
Member since: ‎06-22-2021
‎11-26-2025
Community Statistics
Posts 9
Solutions 0
Karma Given 6
Karma Received 4
Member Since ‎06-22-2021
Activity Feed
View All

Re: KV store failing to start in 9.4.3

by in Splunk Enterprise
‎11-26-2025 05:20 PM
‎11-26-2025 05:20 PM
We have encountered similar kvstore issue once upgraded to splunk 9.4.6.  Splunk support recommended to use this kvcertverify tool:  https://github.com/splunk/support-scripts/blob/main/kvcertverify/README.md And it did help in resolving our issue:     Server.conf snippet for reference: [sslConfig] serverCert = $SPLUNK_HOME/etc/auth/mycerts/splunk-hf.pem caCertFile = $SPLUNK_HOME/etc/auth/mycerts/splunk-hf.pem caPath = $SPLUNK_HOME/etc/auth/mycerts/splunk-hf.pem [kvstore] disabled = false serverCert = $SPLUNK_HOME/etc/auth/mycerts/splunk-hf.pem caCertFile = $SPLUNK_HOME/etc/auth/mycerts/splunk-hf.pem Here is the structure of our certificate chain (.pem) file: $ grep "BEGIN\|END" splunk-hf.pem -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- Note:  The .pem file was created as per this splunk doc ... View more

Re: How to evict buckets from smartstore cache?

by in Deployment Architecture
‎06-04-2023 04:21 PM
‎06-04-2023 04:21 PM
For the manual localize endpoint mentioned: curl -ku admin:changeme "https://localhost:8089/services/admin/cacheman/_localize" -X POST  Will it be localizing of all the buckets, of all the smartstore enabled indexes?  What are the specific endpoints for localizing an individual bucket or index? ... View more

Re: Why does UF still require clientCert when req...

by in Getting Data In
‎02-13-2023 09:42 AM
1 Karma
‎02-13-2023 09:42 AM
1 Karma
Looks like setting "useSSL = true" in outputs.conf did the trick: ## outputs.conf.spec useSSL = <true|false|legacy> * Whether or not the forwarder uses SSL to connect to the receiver, or relies on the 'clientCert' setting to be active for SSL connections. * You do not need to set 'clientCert' if 'requireClientCert' is set to "false" on the receiver. * A value of "true" means the forwarder uses SSL to connect to the receiver. * A value of "false" means the forwarder does not use SSL to connect to the receiver. * The special value "legacy" means the forwarder uses the 'clientCert' property to determine whether or not to use SSL to connect. * Default: legacy   ... View more

Why does UF still require clientCert when require...

by in Getting Data In
‎02-13-2023 09:08 AM
1 Karma
‎02-13-2023 09:08 AM
1 Karma
Hello Splunkers, I would like to understand why a cert is need for the UF, when indexer already has requireClientCert disabled.  Thanks in advance. On indexer, we have the following inputs.conf stanza configured: [splunktcp-ssl:9997] [SSL] serverCert = $SPLUNK_HOME/etc/auth/mycerts/myServerCert.pem sslPassword = mySecret requireClientCert = false   On the UF, we have the following outputs.conf stanza configured: [indexer_discovery:cm1] master_uri = https://cm1:8089 pass4SymmKey = mySecretSymmKey [tcpout] defaultGroup = ssl-test [tcpout:ssl-test] indexerDiscovery = master-es useACK = true useClientSSLCompression = false The UF failed to connect to the indexer with the following errors seen in the UF's splunkd.log: 02-11-2023 02:57:57.421 +0000 ERROR TcpOutputProc [1715593 TcpOutEloop] - target=x.x.x.x:9997 ssl=1 mismatch with ssl config in outputs.conf for server, skipping.. The issue is resolved once we have set the clientCert in forwarder's outputs.conf stanza: [tcpout:ssl-test] indexerDiscovery = master-es useACK = true useClientSSLCompression = false clientCert = $SPLUNK_HOME/etc/auth/mycerts/MyClientCert.pem   From our test so far, this requirement seems to be specific to splunktcp-ssl.  Inter-splunk communications between UF and deployment server or cluster manager (for indexer discovery) do not seem to require the client cert.       ... View more
Labels

Re: AWS Error -> ClientError: An error occurred (U...

by in All Apps and Add-ons
‎08-05-2022 02:24 PM
1 Karma
‎08-05-2022 02:24 PM
1 Karma
IMO, this should be treated as a bug and not an enhancement request.  I still see this error in AWS add-on ver 6.2.0. ... View more

Re: IMDSv2 EC2 instances

by in All Apps and Add-ons
‎08-05-2022 01:34 PM
‎08-05-2022 01:34 PM
Hi,  Were you able to confirm whether the latest Splunk Add-on for AWS supports IMDSv2? Thanks. ... View more

Why do I see this message in the splunkd.log?

by in Splunk Enterprise
‎02-14-2022 01:55 PM
‎02-14-2022 01:55 PM
Why do I keep seeing this type of messages in the splunkd.log? WARN ProcessTracker - executable=splunk-optimize failed to start reason='': Operation not permitted Note: I have already put ProcessTracker component in DEBUG logging and still not able to gain any insight to what is causing the messages. ... View more
Labels

Re: How to execute searches with auth token, using...

by in Getting Data In
‎10-05-2021 12:36 PM
1 Karma
‎10-05-2021 12:36 PM
1 Karma
Thank you @jkat54 for your tip.  This seems to work as expected now:   | makeresults count=1 | eval header="{\"content-type\":\"application/json\",\"Authorization\":\"Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTIiLCJ2ZXIiOiJ2MiIsInR0eXAiOiJzdGF0aWMifQ.eyJpc...\"}" | eval data="{\"search\":\"search index=_internal source=*splunkd.log | head 10 | table _raw\",\"output_mode\":\"csv\"}" | curl method=get uri=https://localhost:8089/services/search/jobs/export headerfield=header datafield=data   Thanks again for this useful tool.  Please keep up the good work. 🙏 ... View more

How to execute searches with auth token, using the...

by in Getting Data In
‎10-05-2021 11:28 AM
‎10-05-2021 11:28 AM
Hi @jkat54, thank you for creating this wonderful app.  I have a use case that requires executing remote searches from one independent search head to another search head, with the use of auth tokens.   I am able to do so using the linux curl command, using the following command syntax:   curl -k -H "Authorization: Bearer eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTIiLCJ2ZXIiOiJ2MiIsInR0eXAiOiJzdGF0aWMifQ.eyJpc" https://localhost:8089/services/search/jobs/export -d output_mode=csv -d search="search index=_internal | head 10"   I would like to know how I can translate the above syntax into search command, leveraging the webtools add-on.   Thanks in advance for your help.   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-26-2025 04:57 PM
Karma from
View All