I wanted to add another gotcha I figured out after running through this answers post. It seems in prior versions to 6.5.2, specifically 6.5.0 and 6.5.1 as tested this worked, but now fails in 6.5.2. Customers had the following setting in their server.conf after upgrade: [sslConfig] sslVersions = "tls" Customers whom upgraded to 6.5.2 found that KVSTORE wouldn't start, but splunkd.log didn't show any syntax issues. Only the mongod.log indicated something was wrong "unknown protocol". splunkd.log INFO loader - Server supporting SSL versions SSL3,TLS1.0,TLS1.1,TLS1.2 mongod.log E NETWORK [conn893] SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol D NETWORK [conn893] SocketException: remote: 127.0.0.1:37578 error: 9001 socket exception [CONNECT_ERROR] Removing the double quotes from "tls" fixed the the above issue. So the correct syntax is now: [sslConfig] sslVersions = tls A bug has been created - SPL-138443 ... View more

Please open a Splunk Support case and request the SHA-512 bits. ... View more

Here's a screen shot of the page and were to find the MD5 link. Just do the steps 1. click on free splunk 2. click on uf 3. click on older versions 4. click on download 5. click on download md5 For Splunk 6.5.2 follow this link: https://www.splunk.com/en_us/download/universal-forwarder/thank-you-universalforwarder.html ... View more

The value that changes the "server name" is under the server.conf file. Changing the name should be done in two places, inputs.conf and server.conf. The "host name" value is taken from the server, when the server was first created or changed at the OS level. There isn't a splunk config file that will change the "host name" value. Second, the data coming from the UF, will have the "server name" when it reaches the indexer and can be searched by host="mlp-da02" as in the example above. ... View more

This is a Known Issue SPL-107253 and is fixed in Splunk version 6.3.1 ... View more

This is a Known Issue, SPL-94913 and fixed in Splunk 6.2.2. ... View more

This is most likely because the SSL certificate has been misconfigured. Check your $SPLUNK_HOME\etc\certs\your_name.pem file. Look for a line that resembles the following: -----END CERTIFICATE----------BEGIN CERTIFICATE----- This can cause some serious issues because it cannot be interpreted, as you might have noticed. How to Fix SSL PEM routines:PEM_read_bio:bad end line error To fix this issue, use a text editor of choice and create a line break between the two files, i.e. -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Tip: Count five hyphens at the start and end of the text. You can now save the file and the error should be fixed! ... View more

I went back to verify the OS that this customer was using and he was using: [System Summary] Item Value OS Name Microsoft Windows Server 2008 R2 Enterprise Version 6.1.7601 Service Pack 1 Build 7601 He did use the MS article to resolve HIS particular issue. ... View more