One of my sourcetypes is a CSV file (with CSV header) I was using this sourcetype stanza in props.conf: [foo_bar] INDEXED_EXTRACTIONS = csv TIME_FORMAT = %Y%m%d%H%M%S%Q TIMESTAMP_FIELDS = Year,Month,Day,Hour,Minute,Second,Seq HEADER_FIELD_LINE_NUMBER = 1 HEADER_FIELD_DELIMITER = ; FIELD_DELIMITER = ; SHOULD_LINEMERGE = false LINE_BREAKER = ([\r\n]+) REPORT-foo_bar-default = sourcefields-default I have come to notice that with splunk cloud, the indexed extractions are apparently no longer being applied. While the sourcetype is correctly assigned and the REPORT is also being applied, the actual indexed extraction does not take place.  When I run a search for sourcetype foo_bar, I cannot see any of the fields defined by the CSV header. I also made sure the CSV header is actually present. My setup is like this: (1) Universal Forwarder -> (2) Universal ("Intermediate") Forwarder -> (3) Splunk Cloud I tried applying these settings at both (1) and (3). In both cases it did not work. Am I missing out on something? ... View more

I have these two files: EventLogger.log HOSTNAME-eventlog-TIMESTAMP.xml The structure of their content is the same. Except that the .xml file may contain "<eventlog>" and "</eventlog>" at beginning and end. So I thought to use the same sourcetype for them. This stanza is working fine: [source::/tmp/logs/.../qwe/.../*EventLogger.log*] priority = 100 TZ = UTC sourcetype = eventlogger This one however, is not (splunk will apparently default and make a "xml-2" sourcetype): [source::/tmp/logs/.../qwe/.../*eventlog*.xml*] priority = 100 TZ = UTC sourcetype = eventlogger   Using btool, I did confirm that on my indexer, the two stanzas above are actually present. I feel like I am missing out on something here. ... View more

We have setup SAML authentication using MS Azure as IDP using the following instructions: https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.3/use-saml-as-an-authentication-scheme-for-single-sign-on/configure-authentication-extensions-to-interface-with-your-saml-identity-provider#configure-authentication-extensions-for-microsoft-azure-using-splunk-web-0 Thinking ahead, we would like to document how to renew the clientSecret. The question is: When the value for clientSecret requires renewal, can we just add the new value (key value pair), or do we have to revamp/redo the entire Authentication Extensions section? (Script Path, Script Functions, etc...) Ideally, we are hoping that we can just add the new clientSecret and the platform will take care of it. ... View more

I recently started using the HEC with TLS on my standalone testing instance and now I am seeing some behavior that I cannot make sense of. I assume that it is related to the fact that I configured both, TCP Input and HEC Input to use different certificates. The HEC Input is working fine, but when a UF tries to connect to the TCP Input, I get this error: 05-22-2025 07:39:18.469 +0000 ERROR TcpInputProc [2339416 FwdDataReceiverThread] - Error encountered for connection from src=REDACTED:31261. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name. 05-22-2025 07:39:18.555 +0000 ERROR X509Verify [2339416 FwdDataReceiverThread] - Client X509 certificate (CN=REDACTED,CN=A,OU=B,DC=C,DC=D,DC=E) failed validation; error=19, reason="self signed certificate in certificate chain" 05-22-2025 07:39:18.555 +0000 WARN SSLCommon [2339416 FwdDataReceiverThread] - Received fatal SSL3 alert. ssl_state='error', alert_description='unknown CA'. 05-22-2025 07:39:18.555 +0000 ERROR TcpInputProc [2339416 FwdDataReceiverThread] - Error encountered for connection from src=10.253.192.20:32991. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name. On the UF, I can see the following error message: 05-22-2025 07:39:17.953 +0000 WARN SSLCommon [1074 TcpOutEloop] - Received fatal SSL3 alert. ssl_state='SSLv3 read server session ticket A', alert_description='unknown CA'. 05-22-2025 07:39:17.953 +0000 ERROR TcpOutputFd [1074 TcpOutEloop] - Connection to host=REDACTED:9997 failed Below are my config files. I appreciate any pointers as to what  I did wrong. Note: All files which are storing certificates are the "usual" order: For clientCert and serverCert First certificate, then private key For sslRootCAPath First issuing, then Root CA Standalone/Indexer: Server.conf [sslConfig] sslRootCAPath = /opt/splunk/etc/auth/mycerts/cert.pem Inputs.conf [splunktcp-ssl:9997] disabled=0 [SSL] serverCert = /opt/splunk/etc/auth/mycerts/cert0.pem sslPassword = REDACTED requireClientCert = true sslVersions = tls1.2 [http] disabled = 0 enableSSL = 1 serverCert = /opt/splunk/etc/auth/mycerts/cert1.pem sslPassword = REDACTED [http://whatthehec] disabled = 0 token = REDACTED UF: server.conf [sslConfig] serverCert = /mnt/certs/cert0.pem sslPassword = REDACTED sslRootCAPath = /mnt/certs/cert.pem sslVersions = tls1.2 outputs.conf: [tcpout] defaultGroup = def forwardedindex.2.whitelist = (_audit|_introspection|_internal) [tcpout:def] useACK = true server = server:9997 autoLBFrequency = 180 forceTimebasedAutoLB = false autoLBVolume = 5000000 maxQueueSize =100MB connectionTTL = 300 heartbeatFrequency = 350 writeTimeout = 300 sslVersions = tls1.2 clientCert = /mnt/certs/cert0.pem sslRootCAPath = /mnt/certs/cert.pem sslPassword = REDACTED sslVerifyServerCert = true   ... View more