Hello, I would like to change the SPLUNK_DB value of my indexers inside my cluster. I want to write the logs to another directory but i don't want to bring the old logs. Will this cause problems? Could you please provide the detailed steps on how to do it? I have already tried to change the path on splunk-launch.conf (and the environment variable value on the os) but the servers keep writing in the old directory.   Thanks a lot ... View more

Hello everybody, can you please tell where i am making errors? I can't make the https splunk web load with my self signed certificate.  I have a test environment, one Splunk Server where i have executed the following steps: mkdir $SPLUNK_HOME/etc/auth/mycerts cd $SPLUNK_HOME/etc/auth/mycerts $SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out CAPK.key 2048 # Root CA private key $SPLUNK_HOME/bin/splunk cmd openssl req -new -key CAPK.key -out CACSR.csr # Root CA signing request # a this point in the Common Name i have tried putting everything, hostname, private ip, localhost, ecc but i doesn't seem to make any difference $SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in CACSR.csr -sha512 -signkey CAPK.key -CAcreateserial -out CACE.pem -days 1095 # my CA certificate $SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out DEPPK.key 2048 # i have configured the same password for both keys but i doesn't seem to be the problem $SPLUNK_HOME/bin/splunk cmd openssl req -new -key DEPPK.key -out DEPCSR.csr # for the Common Name value i have tried the same things for the CA $SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in DEPCSR.csr -SHA256 -CA CACE.pem -CAkey CAPK.key -CAcreateserial -out DEPCE.pem -days 1095 cat DEPCE.pem DEPPK.key CACE.pem > DEPCEchain.pem # in the /opt/splunk/etc/system/local/web.conf i have written: [settings] enableSplunkWebSSL = true privKeyPath = /opt/splunk/etc/auth/mycerts/DEPPK.key serverCert = /opt/splunk/etc/auth/mycerts/DEPCEchain.pem startwebserver = 1 httpport = 8000 # to see if the connection to the server is going well i use openssl s_client -connect 192.168.1.11:8000 # OR openssl s_client -connect 127.0.0.1:8000 # and it says CONNECTED(00000003) unfortunatly if i try to navigate splunk web on https it doesn't load # i have tried putting the certificates inside /opt/splunk/etc/auth/splunkweb and then colling them in web.conf but nothing happens # this is what is written inside server.conf: [sslConfig] sslRootCAPath = /opt/splunk/etc/auth/mycerts/CertificateAuthorityCertificate.pem sslPassword = $7$7OQ1bcyW5b53gGJ/us2ExVKxerWlcolKjoS1j7pZ05QpmNmIUt7NQw==  I don't know what to try next, i can't find a solution, no matter what i try it won't load on splunk web. Maybe it can help saying that i call https://192.168.1.11:8000/  on the browser. Even tried putting sslPassword inside web.conf with the key password but nothing changed. ... View more

Hello, I am having troubles with the installation of Splunk Enterprise as non-root user. I think it may be some kind of problem with Red Hat Enterprise v9 or maybe systemd. Online, even in the documentation and in the community, i was not able to find precise informations on how to execute the installation as non-root user (even for non-fedora systems). Consulting online resources i came up with this steps:      sudo su useradd splunk mv package.rpm /tmp; cd tmp rpm -i package.rpm ls -l /opt/ | grep splunk #i don't give ownership to /opt/splunk to the user splunk because with the installation it is automatic su - splunk cd /opt/splunk/bin ./splunk start --accept-license PIDS=$(/opt/splunk/bin/splunk status | grep splunkd | awk {'print$5'} | tr -d \)\.); ps -p $PIDS -o ruser= #to check if it is executed by splunk ./splunk stop exit /opt/splunk/bin/splunk enable boot-start -systemd-managed 1 #the boot-start is started after the /splunk start, for some strange reason if i put the boot-start before the start it doesn't let me use the splunk command su - splunk /opt/splunk/bin/splunk start exit # for the integrated firewall problem: sudo su firewall-cmd --zone=public --add-port=8000/tcp --permanent; firewall-cmd --zone=public --add-port=8089/tcp --permanent; firewall-cmd --zone=public --add-port=9997/tcp --permanent; firewall-cmd --zone=public --add-port=9887/tcp --permanent; firewall-cmd --reload        they are far from perfect but for some strange reason this steps make it all work. Unfortunatly i am not confident with this solution and i don't want to use it in a production enviroment. So i am here to ask you if some of you know some better steps to do this installation. If you have some best practices that i am ignoring i would be glad to hear them. Thanks a lot in advance 🙂 ... View more

Hello, I am currently receiving firewall data on my heavy forwarder on a specific port number. On the HF there is an simple inputs.conf with [udp://:portnumber] sourcetype=fgt_log index=fw_data and an outputs.conf that sends all to the indexers. The problem is that i am receiving a lot of garbage traffic (like DNS traffic to 8.8.8.8 or 8.8.4.4). I don't want to index this data. I don't have access to the firewall so i can't just stop it there.  I thought that a blacklist would stop the events from coming. (I tried a simple blacklist like the ones used under the [monitor] stanza. Something like this: blacklist=(dstip=8\.8\.8\.8|dstip=8\.8\.4\.4|service="DNS")) Unfortunately it didn't work... I made some research but i only found the "acceptFrom" that in this situation i don't think it's useful. Came across this post but wasn't useful https://community.splunk.com/t5/Getting-Data-In/Blacklist-a-host-hosts-is-sending-logs-to-Splunk-via-TCP/m-p/289283 Any tips?  ... View more

Hello,  I'm having troubles creating a dashboard panel that can list values inserted by other users. The panel has an input field where users will put specific ip addressess that mast be added to this "list".  The only solution i came up with is a lookup file that will be updated with new rows every time a user adds a value as input. I have tried this query that i saw on https://blog.avotrix.com/how-to-add-new-fields-in-existing-lookup-file/ :  | inputlookup ip_sospetti append=true | append [| stats count | eval IP="$added_ip_token$" | table IP] | outputlookup ip_sospetti.csv This search adds just one value to the lookup file and when a new input is added it changes the last value inserted. Do you guys have a better solution or maybe an idea to make this query work? Thanks a lot. ... View more