Hi have you already looked these: https://docs.splunk.com/Documentation/Splunk/9.1.2/Security/AboutsecuringyourSplunkconfigurationwithSSL https://conf.splunk.com/watch/conf-online.html?search.event=conf23&search=SEC1936B#/ r. Ismo ... View more

Hi @dujas, good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

I noticed the splunkdssl is enabled by default in server.conf, after disabling it in config file:   [sslConfig] enableSplunkdSSL = False   Afterwards, I issued the same curl command and got output as below: <entry> <title>http://test3</title> <id>http://<splunk_enterprise_instance_IP>:8089/servicesNS/nobody/splunk_httpinput/data/inputs/http/http%3A%252F%252Ftest3</id> <updated>2023-01-09T14:05:29+08:00</updated> <link href="/servicesNS/nobody/splunk_httpinput/data/inputs/http/http%3A%252F%252Ftest3" rel="alternate"/> <author> <name>admin</name> </author> Token "test3" is the one I create via "http-event-collector" command, it could be loaded successfully, but for tokens created via GUI (before disabling splunkdssl), they are still failed to retrieve. Any ideas why would that happen? ... View more

Splunk builds a consolidated configuration based on various files it has in various directories in its etc/ directory. There is a precedence of files when the settings are applied to the resulting configurations. https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Wheretofindtheconfigurationfiles This mechanism lets you deploy a configuration in a modularized way, so you can - for example - distribute an app with a disabled input to all your forwarders and then only overwrite one setting on one forwarder which will effectively enable the input. EDIT: So the question where you _should_ put your file is not a question which has a one good-for-all answer. It's a question which is not a technical one as much as a matter of convention that you follow in your infrastructure and manageability. On a manually managed forwarder, it's probably convenient to overwrite some app's default settings in this app's local/ folder. So for windows inputs I'd probably create etc/TA_windows/local/inputs.conf file which will overwrite selected settings of the default windows inputs. But If I have a huge number of centrally-managed forwarders, I'd rather create a completely separate app with this file which would allow me to simply enable or disable those inputs just by deploying this app or not over a whole class of forwarders. ... View more

Hi @dujas, good for you, see next time! If my answer solves your need, please accept it for the other people of Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated 😉 ... View more

Please check splunkd.log on manager node to check if there is any warning like: "05-15-2022 18:50:46.047 +0800 WARN TcpOutputProc [289743 indexerPipe] - The TCP output processor has paused the data flow. Forwarding to host_dest=centos8-5 inside output group my_peers_nodes from host_src=centos8-2 has been blocked for blocked_seconds=420. This can stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data." I noticed that port 9997 on centos8-5 is not opened, once I turned it on the error went away. ... View more