An older one, but... as said, the `pem`-files under `distSearchKeys` are simply RSA-Private- and corresponding RSA-Public-Key files. These can be created (at least in a Linux environment) using the following commands:

1. Create private key file: `openssl genrsa -out private.pem 2048`
2. Create public key file from private key file: `openssl rsa -in private.pem -pubout -out trusted.pem`

The `openssl` binary is located in Splunk's `bin` folder.

If you want to create a trusted connection from e.g. a Cluster Master (CM) to an Indexer (IX) manually, you just do the following:

1. Create a new directory under `distServerKeys` named according to your CM-hostname
2. Copy the `trusted.pem` file (i.e. the public key) from the CM's `distServerKeys` directory to the newly created directory on your IX
3. Restart Splunk on both (in a cluster according to restart policy/rules)

Under "Settings | Distributed search" on the CM you could then see if the connection between CM and IX is established:

State = Up, Health status = Healthy

If one of the above steps failed you get:

State = Down, Health status = Sick

(at least this was the output during my experiment I just ran)
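The manual setup described in the answer above, as an added shell example that is not part of the original post: it generates the pair with the same two `openssl` commands, stages `trusted.pem` in a directory named for the CM, and checks that the staged public key really belongs to the CM's private key. The scratch directories and the hostname `cm01` are constructed placeholders, not Splunk paths.

```shell
#!/bin/sh
# Added example; directories and the hostname "cm01" are constructed placeholders.

# Generate the key pair with the two openssl commands from the post.
# umask 077 keeps private.pem unreadable to other local users.
make_keypair() {  # $1 = output directory
  ( umask 077
    mkdir -p "$1" &&
    openssl genrsa -out "$1/private.pem" 2048 2>/dev/null &&
    openssl rsa -in "$1/private.pem" -pubout -out "$1/trusted.pem" 2>/dev/null )
}

# Stage the CM's public key in a directory named after the CM.
install_trusted() {  # $1 = CM trusted.pem, $2 = key root on the IX, $3 = CM hostname
  mkdir -p "$2/$3" && cp "$1" "$2/$3/trusted.pem"
}

# Emit the DER-encoded public key of a PEM file; fails if the file does not parse.
pubkey_der() {  # $1 = priv|pub, $2 = PEM path
  case "$1" in
    priv) openssl rsa -in "$2" -pubout -outform DER 2>/dev/null ;;
    pub)  openssl rsa -pubin -in "$2" -outform DER 2>/dev/null ;;
    *)    return 2 ;;
  esac
}

# Return 0 only if public key $2 was derived from private key $1.
keys_match() {
  km_tmp=$(mktemp -d) || return 2
  if pubkey_der priv "$1" >"$km_tmp/a.der" &&
     pubkey_der pub "$2" >"$km_tmp/b.der" &&
     cmp -s "$km_tmp/a.der" "$km_tmp/b.der"; then km_rc=0; else km_rc=1; fi
  rm -rf "$km_tmp"
  return "$km_rc"
}

# Demo in a scratch directory standing in for the CM and the IX.
demo() {
  work=$(mktemp -d) || return 1
  make_keypair "$work/cm" && install_trusted "$work/cm/trusted.pem" "$work/ix" cm01 &&
    keys_match "$work/cm/private.pem" "$work/ix/cm01/trusted.pem" &&
    echo "cm01: staged trusted.pem matches the CM private key"
  rc=$?
  rm -rf "$work"
  return "$rc"
}
demo
```

Running `keys_match` against the real files before the restart catches a wrong or stale `trusted.pem` on the indexer, and it also rejects a file that is not a parseable public key.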