Hi all I have a question about using relaystate with SAML when using Azure Ad B2C as the Idp we successfully managed to integrate Splunk as SP with AD B2C as Idp using SAML and Custom policies Now we want to redirect the users after successfull authentication to another url the only way forward I could find was via the Relaystate parameter below are all the combinations I tried for the Single Sign On (SSO) URL: https://<tenant-id>.b2clogin.com/<tenant-id>.onmicrosoft.com/B2C_1A_signup_signin/samlp/sso/login?SAML_Request=<base64_SAML_Auth_Request>&RelayState=https%3A%2F%2FredirectWebsite.com https://<tenant-id>.b2clogin.com/<tenant-id>.onmicrosoft.com/B2C_1A_signup_signin/samlp/sso/login?RelayState=https%3A%2F%2FredirectWebsite.com https://<tenant-id>.b2clogin.com/<tenant-id>.onmicrosoft.com/B2C_1A_signup_signin/samlp/sso/login?RelayState=https://redirectWebsite.com I keep getting the error error while parsing relaystate. failed to decode relaystate. any advise on how to embed the relaystate in the SSO ... View more

Hi all,   I am trying to get  Azure AD B2C to work as SAML provider for Splunk    anyone managed to get this to work ?    please advise,  I followed all the available online resources but nothing is working  ... View more

Hi,    I am trying to use our Google Idp (Google workspace) to enable SSO on our Splunk.  I followed this link and it worked successfully when adding custom attribute individually to each user.  Now I need to use Google groups for Splunk RBAC so authentication and Authorisation is handled using groups membership. When using the Groups membership, I couldnt find any clear answer from Google or Splunk about what to be used here as App Attribute    I only found this link  which is useless    I raised a support ticket with google and got this answer    Could you advise on how to setup RBAC using google groups membership or help with Google SAML IDP setup      ... View more

Hi,  We have a set of indexers with no public IPs behind AWS NLB  We would like to use AWS certificates that terminate on the NLB We have the ACM pem certifcate and the CA (you cant get the private key)  We tested it using openSSL and it is working using the CAfile  How can I configure my UF to use SSL with only the destination pem and CAfile    Thanks  ... View more

I have created a lookup for a threat feed CSV file we are using.  After deleting all the Lookup CSV files and removing all the peops.conf and Transforms.conf inputs for this lookup from the the deployer, CMn SHs and indexers I still see an error  ... View more

Hi,    I have a HEC input on an indexer.  I am trying to send Palo Alto Traffic Logs over HEC I have the this stanza in the props.conf  [source::hec] pulldown_type = true SHOULD_LINEMERGE = false TIME_PREFIX = ^(?:[^,]*,){5} MAX_TIMESTAMP_LOOKAHEAD = 100 #TRANSFORMS-sourcetype =  pan_traffic REPORT-trafic_fields = pan_trafic_fields     and this in transforms.conf  [pan_trafic_fields] DELIMS = "," FIELDS = "receive_time","serial_number","log_type","log_subtype","src_ip","dest_ip","rule","app","vsys","src_zone","dest_zone","src_interface","dest_interface","log_forwarding_profile","session_id","repeat_count","src_port","dest_port","transport","action","bytes","bytes_out","bytes_in","packets","start_time","duration","http_category","sequence_number","src_location","dest_location","packets_out","packets_in","session_end_reason","dvc_name","action_source","tunnel_id"   I am trying to test it with curl curl -k "https://172.31.72.93:8088/services/collector/raw?cca3-f29f63e09fdc&sourcetype=pan:log" -H "Authorization: Splunk 92a1a276-eee8-XXXX-XXXX-11d002640ad0" -d '"2021/07/05 12:30:06",44A1B3FC68F5304,TRAFFIC,end,103.125.191.136,10.0.0.10,splunk,incomplete,vsys1,untrusted,trusted,ethernet1/3,ethernet1/2,log-forwarding-default,574277,1,52564,8088,tcp,allow,74,74,0,1,"2021/07/05 12:30:06",0,any,730218,"United States",10.0.0.0-10.255.255.255,1,0,aged-out,PA-VM,from-policy,0' the Sourcetype is being recognised by Splunk as pan:traffic as expected but the parsing is not working on the indexers and no fields are showing in my search  am i missing something here      ... View more

Hi, We have PKI infra using root and intermediate certificate servers    I have setup SSL on server.conf and web.conf . using the same pem cert  private key doesnt have password protection    web.conf  [settings] privKeyPath = /opt/splunk/etc/auth/mycerts/server.key serverCert = /opt/splunk/etc/auth/mycerts/server.pem enableSplunkWebSSL = true httpport = 443 server.conf  [sslConfig] sslRootCAPath = /opt/splunk/etc/auth/mycerts/root.pem serverCert = /opt/splunk/etc/auth/mycerts/server.pem sslPassword = I am also using ldap integration over ssl  when i enable sslconfig on server.conf I start getting slow splunk web and 500 internal errors  when I disable sslConfigs Splunk web works find and my certificates are being recognized on the web browser    Can you advise on what could be the cause of this behavior  checking the logs I see the below Errors  from splunkd.log  07-22-2020 09:33:51.954 +0200 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/splunk_monitoring_console/bin/dmc_config.py" Socket error communicating with splunkd (error=('_ssl.c:726: The handshake operation timed out',)), path = /services/shcluster/config?output_mode=json   from web-service.log    2020-07-22 09:35:57,816 ERROR [5f17ec3fc77f08942c2710] __init__:522 - Socket error communicating with splunkd (error=_ssl.c:1074: The handshake operation timed out), path = /services/server/info 2020-07-22 09:35:57,817 INFO [5f17ec3fc77f08942c2710] startup:139 - Splunk appserver version=UNKNOWN_VERSION build=000 isFree=False isTrial=True 2020-07-22 09:35:57,818 INFO [5f17ec3fc77f08942c2710] decorators:272 - require_login - no splunkd sessionKey variable set; request_path=/en-US/ 2020-07-22 09:35:57,818 INFO [5f17ec3fc77f08942c2710] decorators:280 - require_login - redirecting to login 2020-07-22 09:36:27,994 ERROR [5f17ec5df57f08942c8510] __init__:522 - Socket error communicating with splunkd (error=_ssl.c:1074: The handshake operation timed out), path = /services/server/info       ... View more

Hi, I need to deploy Palo alto Add-On but must ensure it doesnt connect using plain text credentials. Looking at the Add-On settings, there is no option to use SSL for API calls ... View more

I am setting up universal forwarders to run using service account and in Splunk documentations https://docs.splunk.com/Documentation/Splunk/8.0.4/Installation/PrepareyourWindowsnetworkforaSplunkinstallation the GPO section states that we need to give the account domain admin which doesnt make sense ... View more

Hi, Can someone help me understand the difference between pass4symmkey and SSL settings for secure Splunk connections in a distributed environment? What should we use for indexing? Cluster peers communications? ... View more

Hi, I have some S3 access logs in S3 with .gz suffix which is not read by Splunk I am using AWS Add-On to collect these logs using Incremental S3 option and I tried the general option Two questions: 1- Can I using the incremental / generic S3 option blacklist any log file ending with .gz 2- Do I need to add anything within the AWS Add-On settings to allow Splunk to read the .GZ logs I cant attached a photo of how logs appear in Splunk ... View more