Here are the confs that worked for us:

server.conf

[general]
# server.conf excerpt from the post; bracketed values are the author's redaction placeholders.
serverName = [splunkhostname]
# Shared secret between Splunk instances. Splunk rewrites it in obfuscated form on startup;
# that form is recoverable with the instance's splunk.secret, so keep this file and that
# key file out of tickets, forum posts and world-readable backups.
pass4SymmKey = [pass4SymmKey]
# Idle session timeout (15 minutes).
sessionTimeout = 15m
[sslConfig]
# NOTE(review): sslPassword is assigned twice in this stanza (here and two lines below).
# Presumably one is the value as entered and the other the stored form after restart;
# keep a single entry so it is unambiguous which private-key password is in effect.
sslPassword = [sslPassword]
# CA chain (PEM) used to validate certificates.
sslRootCAPath = /opt/splunk/etc/auth/dod_chain.pem
sslPassword = [pw-hash]
### Omitting lmpool, license, kvstore, diskusage settings ###

web.conf

[settings]
### START SPLUNK WEB USING HTTPS:8443 ###
# Serve Splunk Web over TLS on port 8443.
enableSplunkWebSSL = 1
httpport = 8443
# NOTE(review): these paths use Windows-style backslashes, while the server.conf in the same
# post uses /opt/splunk/...; on a Linux host write them with forward slashes — confirm for
# your platform. privkey.pem should be readable only by the account that runs Splunk.
privKeyPath = $SPLUNK_HOME\etc\auth\DOD.web.certificates\privkey.pem
serverCert = $SPLUNK_HOME\etc\auth\DOD.web.certificates\cert.pem
### TOKEN AUTHENTICATION ###
# The keys below configure client-certificate (PIV) login to Splunk Web.
# Require a client certificate during the TLS handshake.
requireClientCert = true
# CA chain that presented client certificates are validated against. Every CA in this file
# is trusted to issue login certificates, so keep it to the issuers you intend to accept.
sslRootCAPath = $SPLUNK_HOME\etc\auth\DOD.web.certificates\dod_chain.pem
enableCertBasedUserAuth = true
# NOTE(review): in permissive mode users can presumably still sign in with a Splunk account
# when the request does not come through a trusted IP; if certificate login must be the only
# path, evaluate "strict" — confirm against web.conf.spec for your version.
SSOMode = permissive
# Only the local host is treated as a trusted SSO source.
trustedIP = 127.0.0.1
# Take the user identity from the PIV certificate, using the Microsoft UPN field.
# The LDAP strategies in authentication.conf use userNameAttribute = userPrincipalName,
# so the extracted value has to equal the directory UPN for the lookup to succeed.
certBasedUserAuthMethod = PIV
certBasedUserAuthPivOidList = Microsoft Universal Principal Name
allowSsoWithoutChangingServerConf = 1
### Omitting STIG settings (e.g., session timeout, login banner, etc.) ###

authentication.conf

### Omitting splunk_auth password/user policies ###
# authentication.conf excerpt: LDAP authentication with two strategies, one stanza per strategy.
[authentication]
# NOTE(review): the second name here is "ISXX LDAPS Authentication", but the stanzas below are
# "ISXX DC-01 LDAPS Authentication" and "ISXX DC-02 LDAPS Authentication". A strategy name with
# no matching stanza presumably leaves DC-02 unused — likely meant to be the DC-02 name; confirm.
authSettings = ISXX DC-01 LDAPS Authentication, ISXX LDAPS Authentication
authType = LDAP
# Role mapping: <Splunk role> = semicolon-separated LDAP group names.
# NOTE(review): "Network Administrators" receives admin, power and user at once; "Domain Admins"
# and "Protected Users" receive only user. Confirm this matches the intended least-privilege model.
[roleMap_ISXX DC-01 LDAPS Authentication]
admin = Network Administrators
power = Network Administrators
user = Domain Admins; Network Administrators;Protected Users
[roleMap_ISXX DC-02 LDAPS Authentication]
admin = Network Administrators
power = Network Administrators
user = Domain Admins; Network Administrators;Protected Users
[ISXX DC-01 LDAPS Authentication]
# LDAPS on 636. SSLEnabled turns on encryption; verification of the domain controller's
# certificate is configured separately (Splunk's OpenLDAP ldap.conf) — confirm it is enforced.
SSLEnabled = 1
anonymous_referrals = 0
# Service account used for directory lookups. It normally needs read access only; it sits in
# the "Privileged Users" OU here, so check that it carries no extra rights — TODO confirm.
bindDN = CN=ldap.splunk,OU=Privileged Users,DC=XXXX,DC=YYYY
# Redacted by the author. The stored form is recoverable with the instance's splunk.secret,
# so treat this file as a secret.
bindDNpassword = [pw-hash]
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
# NOTE(review): the group search base is the single group object "Network Administrators",
# so "Domain Admins" and "Protected Users" in the roleMap stanzas would presumably never be
# found under it — confirm, or widen the base to the container that holds all mapped groups.
groupBaseDN = CN=Network Administrators,OU=Users,DC=XXXX,DC=YYYY
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc-01.XXXX.YYYY
# Nested group membership is not expanded; only direct members are presumably matched.
nestedGroups = 0
network_timeout = 29
pagelimit = -1
port = 636
realNameAttribute = cn
sizelimit = 5000
timelimit = 25
# Only accounts under this OU can log in through this strategy.
userBaseDN = OU=Privileged Users,DC=XXXX,DC=YYYY
# Login name is the UPN, matching the UPN taken from the PIV certificate in web.conf.
userNameAttribute = userPrincipalName
# Second strategy; settings mirror the DC-01 stanza above.
[ISXX DC-02 LDAPS Authentication]
SSLEnabled = 1
anonymous_referrals = 0
bindDN = CN=ldap.splunk,OU=Privileged Users,DC=XXXX,DC=YYYY
bindDNpassword = [pw-hash]
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Network Administrators,OU=Users,DC=XXXX,DC=YYYY
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
# NOTE(review): this DC-02 stanza points at dc-01, the same host as the first strategy, so it
# gives no failover to a second domain controller — looks like a copy-paste slip; confirm.
host = dc-01.XXXX.YYYY
nestedGroups = 0
network_timeout = 29
pagelimit = -1
port = 636
realNameAttribute = cn
sizelimit = 5000
timelimit = 25
userBaseDN = OU=Privileged Users,DC=XXXX,DC=YYYY
userNameAttribute = userPrincipalName