Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About BRFZ
BRFZ
Communicator
Member since:
03-26-2024
06-09-2025
Community Statistics
| Posts | 63 |
| Solutions | 0 |
| Karma Given | 26 |
| Karma Received | 1 |
| Member Since | 03-26-2024 |
Activity Feed
- Posted Log retention with archiving in Splunk for a specific index on Getting Data In. 05-22-2025 01:31 AM
- Posted Re: SSL/TLS Configuration on Splunk Forwarder (Windows) on Getting Data In. 03-28-2025 01:46 AM
- Karma Re: SSL/TLS Configuration on Splunk Forwarder (Windows) for kiran_panchavat. 03-28-2025 01:45 AM
- Karma Re: SSL/TLS Configuration on Splunk Forwarder (Windows) for kiran_panchavat. 03-28-2025 01:45 AM
- Karma Re: SSL/TLS Configuration on Splunk Forwarder (Windows) for PickleRick. 03-28-2025 01:44 AM
- Karma Re: SSL/TLS Configuration on Splunk Forwarder (Windows) for kiran_panchavat. 03-28-2025 01:44 AM
- Posted Re: SSL/TLS Configuration on Splunk Forwarder (Windows) on Getting Data In. 03-24-2025 05:47 AM
- Karma Re: SSL/TLS Configuration on Splunk Forwarder (Windows) for kiran_panchavat. 03-24-2025 05:45 AM
- Karma Re: SSL/TLS Configuration on Splunk Forwarder (Windows) for livehybrid. 03-24-2025 05:45 AM
- Posted SSL/TLS Configuration on Splunk Forwarder (Windows) on Getting Data In. 03-24-2025 04:23 AM
- Posted Enterprise security app on Splunk Enterprise Security. 03-21-2025 07:12 AM
- Posted Splunk log retention on Splunk Enterprise. 03-13-2025 03:53 AM
- Posted Re: SSL Configuration Error on Splunk Enterprise. 01-21-2025 05:13 AM
- Posted Re: SSL Configuration Error on Splunk Enterprise. 01-10-2025 02:49 AM
- Posted Re: SSL Configuration Error on Splunk Enterprise. 01-09-2025 07:50 AM
- Posted SSL Configuration Error on Splunk Enterprise. 01-09-2025 02:39 AM
- Tagged SSL Configuration Error on Splunk Enterprise. 01-09-2025 02:39 AM
- Tagged SSL Configuration Error on Splunk Enterprise. 01-09-2025 02:39 AM
- Posted Re: How to secure the Splunk platform with SSL on Deployment Architecture. 01-02-2025 01:15 AM
- Karma Re: How to secure the Splunk platform with SSL for isoutamo. 01-02-2025 01:11 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-22-2025
01:31 AM
Hello, I'm looking to set up a log retention policy for a specific index, for example index=test. Here's what I'd like to configure: - Total retention time = 24 hours - First 12 hours in hot+warm, then - Next 12 hours cold. - After that, the data should be archived (not deleted). How exactly should I configure this please? Also does the number of buckets need to be adjusted to support this setup properly on such a short timeframe? Thanks in advance for your help.
... View more
03-28-2025
01:46 AM
Hello, @kiran_panchavat, @PickleRick , @livehybrid Thank you for your responses; they were very helpful for me. However, I would like to know if you happen to know why I am getting ack set to false?
... View more
03-24-2025
05:47 AM
@kiran_panchavat, Thank you for your response. I reviewed the documentation, and I found the following phrase for configuring SSL on both indexers and forwarders (non-Windows): "On forwarders that do not run on Windows, open the server.conf configuration file for editing. Add the following stanza and settings to the file: [sslConfig] sslRootCAPath = <absolute path to the certificate authority certificate>" Based on this, it seems that the CA configuration is required only on non-Windows systems (Linux). Could you please confirm if this configuration is needed for Windows forwarders as well? Thank you for your help!
... View more
03-24-2025
04:23 AM
Hello, I’ve been reviewing the documentation for configuring SSL/TLS on a Splunk forwarder, but I couldn’t find the specific steps for setting it up on a Windows machine. Would anyone be able to provide the procedure or a link to the relevant documentation? Best regards,
... View more
Labels
- Labels:
-
host
-
indexer
-
universal forwarder
-
Windows
03-21-2025
07:12 AM
Hello, I am currently working on configuring Splunk Enterprise Security app, I already have data flowing into Splunk Enterprise, but I'm not sure how to properly configure the data inputs for the app. Could anyone guide me on how to configure the data sources in Enterprise Security app ? If there is any specific documentation on this, I would appreciate it if you could provide it.
... View more
Labels
03-13-2025
03:53 AM
Hello, I would like to know if it possible to define the retention period for each type of log (Hot/Warm/Cold). For example, setting the total frozenTimePeriodInSecs to 3 years while specifying a 1 year retention period for each stage (Hot,Warm and Cold). Could you please clarify this?
... View more
- Tags:
- Log Retention
Labels
01-21-2025
05:13 AM
Hello,
The configuration files contain the following:
[sslConfig]
enableSplunkdSSL = true
sslPassword = value
sslRootCAPath = /path/to/ca/cert
serverCert = /path/to/srv/cert
caTrustStore = splunk
caTrustStorePath = path/to/trust/ca
caPath = path/to/trust/c
caCertFile = path/to./ca
Yes, the connection was to the management port.
The self-signed certificate was only for the web interface (and I have no issues regarding that).
However, the problem lies between the components of the architecture.
... View more
01-10-2025
02:49 AM
Hello, I ran the following command: curl -vk https://host:port and received this : * Trying host:port... * Connected to host (host) port port (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * TLSv1.0 (OUT), TLS header, Certificate Status (22): * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS header, Finished (20): * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS header, Finished (20): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 * ALPN, server did not agree to a protocol * Server certificate: * subject: CN=*.example.com * start date: Feb 19 15:15:40 2024 GMT * expire date: Jan 19 14:02:43 2025 GMT * issuer: C=*; ST=*; L=*; O=SSL Corporation; CN= * SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway. * TLSv1.2 (OUT), TLS header, Supplemental data (23): > GET / HTTP/1.1 > Host: host:port > User-Agent: curl/7.81.0 > Accept: */* > * TLSv1.2 (IN), TLS header, Supplemental data (23): * Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < Date: Sun, 6 Jan 2025 08:30:21 GMT < Content-Type: text/xml; charset=UTF-8 < X-Content-Type-Options: nosniff < Content-Length: 1994 < Connection: Keep-Alive < X-Frame-Options: SAMEORIGIN < Server: Splunkd < * TLSv1.2 (IN), TLS header, Supplemental data (23): <?xml version="1.0" encoding="UTF-8"?> <!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .--> <?xml-stylesheet type="text/xml" href="/static/atom.xsl"?> <title>splunkd</title> <updated>2025-01-06T09:30:21+01:00</updated> <generator build="d8bb32809498" version="9.3.2"/> <author> <name>Splunk</name> </author> <entry> <title>services</title> <updated>1970-01-01T01:00:00+01:00</updated> <link href="/services" rel="alternate"/> </entry> <entry> <title>servicesNS</title> <updated>1970-01-01T01:00:00+01:00</updated> <link href="/servicesNS" rel="alternate"/> </entry> <entry> <title>static</title> <updated>1970-01-01T01:00:00+01:00</updated> <link href="/static" rel="alternate"/> </entry> </feed> * Connection #0 to host host left intact For security reasons some fields have been removed/changed.
... View more
01-09-2025
07:50 AM
Hello, In the first one I tested the OS's OpenSSL and with the command you mentioned, I get the following response: read:errno=0.
... View more
01-09-2025
02:39 AM
Hello SplunkCommunity, After configuring SSL, when I execute the following command: openssl s_client -showcerts -connect host:port I am encountering the following error: 803BEC33F07F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:317: Could anyone help me understand why I am seeing this error and assist me in resolving it? Thank you in advance for your help. Best regards,
... View more
- Tags:
- certificate
- ssl
Labels
01-02-2025
01:15 AM
Thank you so much for your help. I am pleased to share that I was able to resolve the initial issue by adjusting the PEM file. However, when I execute the command: openssl s_client -showcerts -connect hostname:port I get a connected status, but it ultimately results in the following error: 80FB2563307F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:317: Additionally, another error is displayed: Verification error: self-signed certificate in certificate chain Your help would be greatly appreciated.
... View more
12-31-2024
01:28 AM
Here is the configuration file.
[sslConfig]
enableSplunkdSSL = true
sslRootCAPath = /opt/splunk/etc/auth/cert/CA.pem
serverCert = /opt/splunk/etc/auth/cert/srv.pem
For the PEM files, as mentioned earlier, they contain the 'BEGIN CERTIFICATE' and 'END CERTIFICATE' sections.
... View more
12-31-2024
12:58 AM
From what I understand, I need to combine the .pem file with the private key, and this combined file is what I should use in the configuration, correct ?
... View more
12-31-2024
12:39 AM
The format of a .pem file is as follows: -----BEGIN CERTIFICATE----- -----END CERTIFICATE-----
... View more
12-30-2024
07:38 AM
Yes, I have verified it, and everything is correct.
... View more
12-30-2024
07:23 AM
Hi Dear Community, I am encountering the following error across all servers: SSLCommon - Can't read key file from /opt/splunk/etc/auth/CERT.pem
... View more
12-24-2024
05:53 AM
I have followed the configuration steps as outlined, but unfortunately, I have lost the connection between the components. I have applied the certificate configurations and other related settings in server.conf, including modifying the search peers to use HTTPS in distsearch.conf. I also modified the master license slave to use HTTPS, but I did not make any changes to the license master itself. Could you confirm if there are any specific configurations required on the master license? After applying the changes, the Server Manager has become extremely slow, and I can no longer access its web interface. Additionnaly, I lost connectivity between the components. Is there someone who could help me with resolving this issue please?
... View more
12-24-2024
05:42 AM
Hello Splunk Community, I am working on the configuration of a distributed Splunk deployment, and I need clarification regarding the KV Store. Could you please confirm where the KV Store should be configured in a distributed environment? Should it be enabled on the Search Heads, Indexers, or another component of the deployment? Any guidance on best practices would be greatly appreciated. Thank you for your help! Best regards,
... View more
Labels
12-18-2024
02:50 AM
1 Karma
@richgalloway @PickleRick @isoutamo Thank you all for your responses. This information is very helpful for me to better understand this topic.
... View more
12-18-2024
02:30 AM
Thank you for your response and the provided documentation. I’ve already followed the steps, but encountered communication issues and I had to reset the configuration in order to restore connectivity. Could you please provide a more detailed procedure or tailored guidance for my case to help me securely configure TLS/SSL?
... View more
12-17-2024
03:03 AM
Hello, I know that it is necessary to do this for the forwarders but I would like to confirm whether it is necessary to add other components (such as indexers, search heads) as clients to our Deployment Server in Splunk environment. We currently have a Deployment Server set up, but we are unsure if registering the other instances as clients is a required step, or if any specific configurations need to be made for each type of component. Thank you in advance. Best regards,
... View more
Labels
12-16-2024
07:25 AM
Hi Splunk Community, I recently upgraded my Splunk environment from version 9.1.1 to the latest version. After the upgrade, I’m encountering errors when trying to restart Splunk across different components. For example, I get the following error: Invalid key in stanza [default] in /opt/splunk/etc/system/local/indexes.conf, line 132: archiver.enableDataArchive (value: false) It seems like some configuration keys are no longer valid in the updated version. Has anyone faced similar issues, and how can I resolve these errors to ensure my configurations are compatible with the latest Splunk version? Thanks in advance for your help! Best regards,
... View more
Labels
11-28-2024
06:43 AM
Hello, I would like to confirm if it is possible to upgrade Splunk directly from version 9.1.1 to 9.3 on Linux, without going through version 9.2. Could you please clarify if this is supported and if there are any specific considerations for this process? Best regards,
... View more
Labels
11-25-2024
07:48 AM
Hello, I have a server configured with three roles: Deployment Server, Console Monitoring, and License Master. However, I am not receiving the internal and audit logs from this server, such as logs from the Search Head or Indexers. If you have any solutions to this problem, I would greatly appreciate your help.
... View more
Labels
11-12-2024
06:42 AM
Thank you @dural_yyz for your prompt response and for providing the documentation. However, I need further assistance regarding the SSL certificates that need to be generated for my Splunk environment. Could you please clarify whether I need to generate a separate certificate for each component (e.g., search head, indexers, forwarders, etc.)? Additionally, do I need to create different certificates for the various connections between these components?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-09-2025
06:51 AM
|
Karma given to
