×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
BRFZ
Communicator
Member since: ‎03-26-2024
‎02-10-2026
Community Statistics
Posts 66
Solutions 0
Karma Given 26
Karma Received 1
Member Since ‎03-26-2024
Activity Feed
Topics I've Started
View All

Re: Missing logs

by in Splunk Enterprise
‎02-02-2026 12:37 AM
‎02-02-2026 12:37 AM
Hi @livehybrid  Thank you for your response. I have verified this point, and the ownership of all buckets is set to the user that Splunk is running as.   ... View more

Missing logs

by in Splunk Enterprise
‎01-30-2026 01:43 AM
‎01-30-2026 01:43 AM
Hi everyone,  I'm facing an issue on my Splunk environment and I'd like your advice. After an upgrade, I noticed that I still had to restart/start/stop the Splunk process using sudo (even though before the upgrade it was already running under the correct user : USERX). To address this, I stopped the Splunk on Indexers (not at the same time) and reassigned Splunk to run under USERX. After this operation, I realized that one full day of logs is missing. The issue is that before making this change, I didn't verify whether the logs for that specific day already existed, so I can't say for sure if the gap appeared exactly at that moment. If anyone has seen something similar or has any ideas, I'd really appreciate your help. Thank you in advance. ... View more
Labels

Daily license usage exceeded

by in Splunk Enterprise
‎01-19-2026 05:36 AM
‎01-19-2026 05:36 AM
Hello everyone,  We have noticed a sudden and unexpected increase in daily license usage in our Splunk environment over the past few days, causing the license threshold to be exceeded.   While investigating the source of this increase, we identified an index that had previously generated a high volume of data. However, since the license usage started exceeding the limit, this same index is now showing 0 events ingested. This behavior seems inconsistent, as the index that appears related to the spike is no longer ingesting any data. Has anyone encountered a similar issue before? Thank you in advance.   ... View more

Log retention with archiving in Splunk for a speci...

by in Getting Data In
‎05-22-2025 01:31 AM
‎05-22-2025 01:31 AM
Hello, I'm looking to set up a log retention policy for a specific index, for example index=test. Here's what I'd like to configure: - Total retention time = 24 hours - First 12 hours in hot+warm, then - Next 12 hours cold. - After that, the data should be archived (not deleted). How exactly should I configure this please? Also does the number of buckets need to be adjusted to support this setup properly on such a short timeframe? Thanks in advance for your help.   ... View more
Labels

Re: SSL/TLS Configuration on Splunk Forwarder (Win...

by in Getting Data In
‎03-28-2025 01:46 AM
‎03-28-2025 01:46 AM
Hello, @kiran_panchavat, @PickleRick , @livehybrid  Thank you for your responses; they were very helpful for me. However, I would like to know if you happen to know why I am getting ack set to false? ... View more

Re: SSL/TLS Configuration on Splunk Forwarder (Win...

by in Getting Data In
‎03-24-2025 05:47 AM
‎03-24-2025 05:47 AM
@kiran_panchavat, Thank you for your response. I reviewed the documentation, and I found the following phrase for configuring SSL on both indexers and forwarders (non-Windows): "On forwarders that do not run on Windows, open the server.conf configuration file for editing. Add the following stanza and settings to the file: [sslConfig] sslRootCAPath = <absolute path to the certificate authority certificate>" Based on this, it seems that the CA configuration is required only on non-Windows systems (Linux). Could you please confirm if this configuration is needed for Windows forwarders as well? Thank you for your help! ... View more

SSL/TLS Configuration on Splunk Forwarder (Windows...

by in Getting Data In
‎03-24-2025 04:23 AM
‎03-24-2025 04:23 AM
Hello, I’ve been reviewing the documentation for configuring SSL/TLS on a Splunk forwarder, but I couldn’t find the specific steps for setting it up on a Windows machine. Would anyone be able to provide the procedure or a link to the relevant documentation? Best regards, ... View more

Enterprise security app

by in Splunk Enterprise Security
‎03-21-2025 07:12 AM
‎03-21-2025 07:12 AM
Hello, I am currently working on configuring Splunk Enterprise Security app, I already have data flowing into Splunk Enterprise, but I'm not sure how to properly configure the data inputs for the app. Could anyone guide me on how to configure the data sources in Enterprise Security app ? If there is any specific documentation on this, I would appreciate it if you could provide it. ... View more

Splunk log retention

by in Splunk Enterprise
‎03-13-2025 03:53 AM
‎03-13-2025 03:53 AM
Hello, I would like to know if it possible to define the retention period for each type of log (Hot/Warm/Cold). For example, setting the total frozenTimePeriodInSecs to 3 years while specifying a 1 year retention period for each stage (Hot,Warm and Cold). Could you please clarify this? ... View more

Re: SSL Configuration Error

by in Splunk Enterprise
‎01-21-2025 05:13 AM
‎01-21-2025 05:13 AM
Hello, The configuration files contain the following: [sslConfig] enableSplunkdSSL = true sslPassword = value sslRootCAPath = /path/to/ca/cert serverCert = /path/to/srv/cert caTrustStore = splunk caTrustStorePath = path/to/trust/ca caPath = path/to/trust/c caCertFile = path/to./ca Yes, the connection was to the management port. The self-signed certificate was only for the web interface (and I have no issues regarding that). However, the problem lies between the components of the architecture. ... View more

Re: SSL Configuration Error

by in Splunk Enterprise
‎01-10-2025 02:49 AM
‎01-10-2025 02:49 AM
Hello, I ran the following command: curl -vk https://host:port and received this : *   Trying host:port... * Connected to host (host) port port (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * TLSv1.0 (OUT), TLS header, Certificate Status (22): * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS header, Finished (20): * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS header, Finished (20): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 * ALPN, server did not agree to a protocol * Server certificate: *  subject: CN=*.example.com *  start date: Feb 19 15:15:40 2024 GMT *  expire date: Jan 19 14:02:43 2025 GMT *  issuer: C=*; ST=*; L=*; O=SSL Corporation; CN= *  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway. * TLSv1.2 (OUT), TLS header, Supplemental data (23): > GET / HTTP/1.1 > Host: host:port > User-Agent: curl/7.81.0 > Accept: */* > * TLSv1.2 (IN), TLS header, Supplemental data (23): * Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < Date: Sun, 6 Jan 2025 08:30:21 GMT < Content-Type: text/xml; charset=UTF-8 < X-Content-Type-Options: nosniff < Content-Length: 1994 < Connection: Keep-Alive < X-Frame-Options: SAMEORIGIN < Server: Splunkd < * TLSv1.2 (IN), TLS header, Supplemental data (23): <?xml version="1.0" encoding="UTF-8"?> <!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .--> <?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>   <title>splunkd</title>   <updated>2025-01-06T09:30:21+01:00</updated>   <generator build="d8bb32809498" version="9.3.2"/>   <author>     <name>Splunk</name>   </author>   <entry>     <title>services</title>     <updated>1970-01-01T01:00:00+01:00</updated>     <link href="/services" rel="alternate"/>   </entry>   <entry>     <title>servicesNS</title>     <updated>1970-01-01T01:00:00+01:00</updated>     <link href="/servicesNS" rel="alternate"/>   </entry>   <entry>     <title>static</title>          <updated>1970-01-01T01:00:00+01:00</updated>     <link href="/static" rel="alternate"/>   </entry> </feed> * Connection #0 to host host left intact   For security reasons some fields have been removed/changed. ... View more

Re: SSL Configuration Error

by in Splunk Enterprise
‎01-09-2025 07:50 AM
‎01-09-2025 07:50 AM
Hello, In the first one I tested the OS's OpenSSL and with the command you mentioned, I get the following response: read:errno=0. ... View more

SSL Configuration Error

by in Splunk Enterprise
‎01-09-2025 02:39 AM
‎01-09-2025 02:39 AM
Hello SplunkCommunity, After configuring SSL, when I execute the following command: openssl s_client -showcerts -connect host:port I am encountering the following error: 803BEC33F07F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:317: Could anyone help me understand why I am seeing this error and assist me in resolving it? Thank you in advance for your help. Best regards,   ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎01-02-2025 01:15 AM
‎01-02-2025 01:15 AM
Thank you so much for your help. I am pleased to share that I was able to resolve the initial issue by adjusting the PEM file. However, when I execute the command: openssl s_client -showcerts -connect hostname:port I get a connected status, but it ultimately results in the following error: 80FB2563307F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:317: Additionally, another error is displayed: Verification error: self-signed certificate in certificate chain Your help would be greatly appreciated. ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎12-31-2024 01:28 AM
‎12-31-2024 01:28 AM
Here is the configuration file.  [sslConfig] enableSplunkdSSL = true sslRootCAPath = /opt/splunk/etc/auth/cert/CA.pem serverCert = /opt/splunk/etc/auth/cert/srv.pem For the PEM files, as mentioned earlier, they contain the 'BEGIN CERTIFICATE' and 'END CERTIFICATE' sections. ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎12-31-2024 12:58 AM
‎12-31-2024 12:58 AM
From what I understand, I need to combine the .pem file with the private key, and this combined file is what I should use in the configuration, correct ?  ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎12-31-2024 12:39 AM
‎12-31-2024 12:39 AM
The format of a .pem file is as follows:  -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎12-30-2024 07:38 AM
‎12-30-2024 07:38 AM
Yes, I have verified it, and everything is correct. ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎12-30-2024 07:23 AM
‎12-30-2024 07:23 AM
Hi Dear Community, I am encountering the following error across all servers: SSLCommon - Can't read key file from /opt/splunk/etc/auth/CERT.pem ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎12-24-2024 05:53 AM
‎12-24-2024 05:53 AM
I have followed the configuration steps as outlined, but unfortunately, I have lost the connection between the components. I have applied the certificate configurations and other related settings in server.conf, including modifying the search peers to use HTTPS in distsearch.conf. I also modified the master license slave to use HTTPS, but I did not make any changes to the license master itself. Could you confirm if there are any specific configurations required on the master license? After applying the changes, the Server Manager has become extremely slow, and I can no longer access its web interface. Additionnaly, I lost connectivity between the components.  Is there someone who could help me with resolving this issue please? ... View more

KV Store Configuration in Distributed Deployment

by in Deployment Architecture
‎12-24-2024 05:42 AM
‎12-24-2024 05:42 AM
Hello Splunk Community, I am working on the configuration of a distributed Splunk deployment, and I need clarification regarding the KV Store. Could you please confirm where the KV Store should be configured in a distributed environment? Should it be enabled on the Search Heads, Indexers, or another component of the deployment? Any guidance on best practices would be greatly appreciated. Thank you for your help! Best regards, ... View more

Re: Deployment Server Clients

by in Splunk Enterprise
‎12-18-2024 02:50 AM
1 Karma
‎12-18-2024 02:50 AM
1 Karma
@richgalloway @PickleRick @isoutamo Thank you all for your responses. This information is very helpful for me to better understand this topic. ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎12-18-2024 02:30 AM
‎12-18-2024 02:30 AM
Thank you for your response and the provided documentation. I’ve already followed the steps, but encountered communication issues and I had to reset the configuration in order to restore connectivity. Could you please provide a more detailed procedure or tailored guidance for my case to help me securely configure TLS/SSL? ... View more

Deployment Server Clients

by in Splunk Enterprise
‎12-17-2024 03:03 AM
‎12-17-2024 03:03 AM
Hello, I know that it is necessary to do this for the forwarders but I would like to confirm whether it is necessary to add other components (such as indexers, search heads) as clients to our Deployment Server in Splunk environment. We currently have a Deployment Server set up, but we are unsure if registering the other instances as clients is a required step, or if any specific configurations need to be made for each type of component. Thank you in advance. Best regards, ... View more

Errors After Upgrading Splunk from 9.1.1 to Latest...

by in Splunk Enterprise
‎12-16-2024 07:25 AM
‎12-16-2024 07:25 AM
  Hi Splunk Community, I recently upgraded my Splunk environment from version 9.1.1 to the latest version. After the upgrade, I’m encountering errors when trying to restart Splunk across different components. For example, I get the following error: Invalid key in stanza [default] in /opt/splunk/etc/system/local/indexes.conf, line 132: archiver.enableDataArchive (value: false) It seems like some configuration keys are no longer valid in the updated version. Has anyone faced similar issues, and how can I resolve these errors to ensure my configurations are compatible with the latest Splunk version? Thanks in advance for your help! Best regards, ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-10-2026 01:36 AM
Karma from
View All
Karma given to