Hello guys, We are getting on one heavyforwarder this message in splunkd.log, we are using TCP-SSL inputs.conf : “11-14-2024 16:59:44.129 +0100 WARN  SSLCommon [53742 FwdDataReceiverThread] - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate A', alert_description='unknown CA'.”   How do you identify the sourceHost ? Is it blocking incoming data or just warning?   Maybe this can help? index=_* host=myhf1 source="/OPT/splunk/var/log/splunk/metrics.log" tcp_Kprocessed="0.000"   Thanks for your help. ... View more

Hello, could you tell me how to properly have dedicated server certificate for specific tcp-ssl in inputs.conf (Checkpoint) and have another dedicated server certificate for the hf in server.conf, both using different sslpassword setting? Both are from same secondary rootCA. Or should we keep single dedicated server certificate on heavyforwarder and only put dedicated Checkpoint certificate on appliance? Thanks.       ... View more

Hello, We have two clustered Splunk platforms. Several sources are sent to both platforms (directly to clustered indexers) as index app-idx1, then on 2nd platform we use different target index name using props.conf/transforms.conf to have application_idx2 For unknown reason few sources are failing to lastchanceindex.   props.conf [source::/path/to/app_json.log] TRANSFORMS-app-idx1 = set_idx1_index transforms.conf [set_idx1_index] SOURCE_KEY = _MetaData:Index REGEX = app-idx1 DEST_KEY = _MetaData:Index FORMAT = application_idx2   Thanks for your help.     ... View more

Hello, we have 2 Splunk platforms and we are using _TCP_ROUTING to forward logs. System logs from 1st platform indexers are currently logged on themself.   We want to also receive system logs from  indexers of the 1st platform on our 2nd platform however there is no default tcpout group on 1st platform indexers.   So should we create default outputs.conf on 1st platform indexers to continue indexing local system logs?   Thanks for your help.   ... View more