Splunk Cloud Platform

Action Needed for Forwarder Certificate Expiry


Hi Team,

My universal forwarder certificate package will be expiring soon in my Splunk Cloud environment. As a result, the Splunk vendor updated the forwarder package on the stack with updated certificates to be deployed across any forwarders that connect directly to my Splunk instance.

My Action: I should download and install the updated Universal Forwarder certificate package on all forwarders prior to the upcoming maintenance window.

Can someone elaborate on the preconditions and further steps to be taken care of before my maintenance window?

FYI - I have the splunkclouduf.spl package





0 Karma


Hi @SabariRajanT 

I am on Splunk Cloud and we receive this notification quarterly. Below are the steps which we followed.

1. Download the Splunk UF credential package, untar it, and deploy it to the /opt/splunkforwarder/etc/apps folder on all the Splunk agents via Deployment Server (or)
2. You can manually place the file under the /opt/splunkforwarder/etc/apps folder and do a Splunk restart; that would suffice.


After performing this, if you want to check whether the UFs are reporting the legacy or new certificate package, run the below search on your search head.


index=_internal source=*metrics.log* group=tcpout_connections name=splunkcloud*
| stats latest(_time) AS _time latest(name) AS name by host
| rex field=name "(?<output_group>.+?):"
| eval fwd_config=if(output_group="splunkcloud","legacy","new")
| stats count by _time host output_group fwd_config
| reltime
| fields _time reltime host output_group fwd_config
| sort 0 fwd_config

0 Karma



At least you should check what is the earliest time when the new certificate is valid and you can start to use it. Here is one way to check it.

  1. Unpack your splunkclouduf.spl on your disk.
  2. Check certs start time:
    1. splunk cmd openssl x509 -in 100_<Your_Stack_Name>_splunkcloud/default/splunktrust_server.pem -text -noout|egrep "Not Before"

Disclaimer: I haven't yet needed to update current Splunk Cloud certificates, so I'm not sure if this is needed or not. Maybe they inform you just after this is already valid?

0 Karma
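Added example (not part of the thread and not Splunk's own tooling): a Python script for the validity check described in the reply above. It reads every .pem inside splunkclouduf.spl without unpacking it to disk and reports whether the current time falls inside each certificate's Not Before / Not After window. It assumes the package is a tar archive (as the `tar xvf` step in this thread implies) and that an `openssl` binary is available; the function names and the Splunk install path in the comment are illustrative assumptions.

```python
import subprocess
import sys
import tarfile
from datetime import datetime, timezone

# openssl prints dates like "Jan  5 10:00:00 2024 GMT"
OPENSSL_FMT = "%b %d %H:%M:%S %Y %Z"

def parse_dates(openssl_text):
    """Parse the notBefore=/notAfter= lines of `openssl x509 -noout -dates`."""
    found = {}
    for line in openssl_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            stamp = datetime.strptime(" ".join(value.split()), OPENSSL_FMT)
            found[key] = stamp.replace(tzinfo=timezone.utc)
    return found["notBefore"], found["notAfter"]

def classify(not_before, not_after, now):
    """Say whether a certificate is too early to use, expired, or usable at `now`."""
    if now < not_before:
        return "not-yet-valid"
    return "expired" if now > not_after else "valid"

def pem_members(spl_path):
    """Yield (name, bytes) for each .pem in the package, without unpacking to disk."""
    with tarfile.open(spl_path) as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(".pem"):
                yield member.name, tar.extractfile(member).read()

def check_package(spl_path, now=None, openssl_cmd=("openssl",)):
    """Return [(pem name, status, notBefore, notAfter)]; only the first cert per PEM is read."""
    # Assumed path: openssl_cmd=("/opt/splunkforwarder/bin/splunk", "cmd", "openssl") uses Splunk's copy.
    now = now or datetime.now(timezone.utc)
    report = []
    for name, pem in pem_members(spl_path):
        res = subprocess.run([*openssl_cmd, "x509", "-noout", "-dates"],
                             input=pem, capture_output=True)
        if res.returncode != 0:  # no certificate in this PEM (e.g. key only)
            report.append((name, "no-certificate", None, None))
            continue
        not_before, not_after = parse_dates(res.stdout.decode())
        report.append((name, classify(not_before, not_after, now), not_before, not_after))
    return report

if __name__ == "__main__":
    for row in check_package(sys.argv[1]):
        print(*row, sep="\t")
```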


Hi @isoutamo 

Thanks for your response,

I have the updated certificates handy. I'm planning to proceed in the way below. Kindly assist.

1) Installing the forwarder credentials on many forwarders using a deployment server

  1. From Splunk Cloud Platform instance, go to Apps > Universal Forwarder.
  2. Click Download Universal Forwarder Credentials.
  3. Note the location where the credentials file was downloaded. The credentials file is named splunkclouduf.spl.
  4. Copy the file to your /tmp folder.
  5. (optional) Use file management tools to move the splunkclouduf.spl file to the $SPLUNK_HOME/etc/deployment-apps/ directory on the deployment server.
  6. In a shell or command prompt, unpack the credentials package by running the following command:

tar xvf splunkclouduf.spl

  7. Navigate to the /bin subdirectory of the deployment server.
  8. Install the credentials package by running the following command:

splunk install app <full path to splunkclouduf.spl> -auth <username>:<password>

where <full path to splunkclouduf.spl> is the path to the directory where the splunkclouduf.spl file is located and <username>:<password> are the username and password of an existing admin account on the universal forwarder.

  9. Restart the deployment server by running the following command:

./splunk restart

0 Karma