×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
anmolxmr
Explorer
Member since: ‎01-28-2026
a week ago
Community Statistics
Posts 6
Solutions 0
Karma Given 1
Karma Received 1
Member Since ‎01-28-2026
Activity Feed
View All

Re: Splunk KnowBe4 Integration

by in Getting Data In
a week ago
a week ago
@inventsekar thanks for your help. I've joined the Slack community and tried a recommendation from there as well with no success. Since we are ingesting the logs from SaaS to on-prem, the issue is likely in the SSL cert validation. We have requested for a domain and associated SSL cert.   Also scheduled a call with KnowBe4 support. Hopefully we are nearing resolution on this.  ... View more

Re: Splunk KnowBe4 Integration

by in Getting Data In
a week ago
a week ago
The integration still doesn't work. Getting the following error on the Heavy Forwarder where the connection has been made:   WARN HttpListenener [6454 HttpDedicatedIoThread-1] - Socket error from <Knowbe4 IP address> while idling: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca - please check the output of the `openssl verify` command for certificates involved; note that ig certificate validation is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.     ... View more

Re: Splunk KnowBe4 Integration

by in Getting Data In
2 weeks ago
1 Karma
2 weeks ago
1 Karma
Hey @inventsekar context - I am using Splunk Enterprise running 9.4.7 and my HF is running 9.2.6 1. Created the KnowBe4 HEC Token on Heavy Forwarder 2. Created the index on the CM and pushed to the indexer cluster 3. Checked the FW logs and found that FW is accepting events from KnowBe4 IPs 4. Setup the index, sourcetype and  5. Crafted a test HEC payload and sent to HF via localhost (the HF itself) and confirmed the events are being indexed to the "Default" index 6. Added the URL and necessary details to knowbe4 following the developer's document. (except for the Authorization parameter which I am unable to setup) The missing items are as follows: 1. Haven't created the indexes.conf file on the HF, so I am unable to select the index from the drop-down within the HEC token settings on the UI.  2. On the KnowBe4 side when I try to add the Authorization parameter with value "Splunk <HEC TOKEN>", it gives me an error saying "This value is blacklisted". Raised a support case with KnowBe4.   There is no ERROR or WARN log for any meaningful troubleshooting so I am unable to proceed further on this request. Raised a Splunk support ticket as well so that is in-progress as well. Any ideas?      ... View more

Re: Splunk KnowBe4 Integration

by in Getting Data In
2 weeks ago
2 weeks ago
I tried the configuration mentioned in the document, but it doesn't seem to be working for me. Does anyone have any more updated documentation on how this can be done?  ... View more

Server Class Groups to install this app on

by in Getting Data In
‎02-22-2026 10:29 PM
‎02-22-2026 10:29 PM
What Splunk servers should the installation be on? What components of the app will go into  - HF - Cluster Master - Search Head Could you please clarify this?    I tried installing, but getting the error related to PersistentScript - ERROR PersistentScript [17816 PersistentScriptIo]  ... View more

mc_investigations data is not populated - ES 8.3

by in Splunk Enterprise Security
‎01-28-2026 10:14 PM
‎01-28-2026 10:14 PM
I have pushed the TA_ForIndexers app to the Indexers from the Cluster Manager to create all the "mc_" indexes, but the investigation data is not flowing into these indexes. What more is needed? I am using ES version 8.3 ... View more
Contact Me
Online Status
Offline
Date Last Visited
a week ago
Karma from
View All
Karma given to
View All