Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About triptraptresko
triptraptresko
Path Finder
Member since:
09-23-2021
2 weeks ago
Community Statistics
| Posts | 13 |
| Solutions | 1 |
| Karma Given | 10 |
| Karma Received | 5 |
| Member Since | 09-23-2021 |
Activity Feed
- Got Karma for KVStore does not start when running Splunk 9.4 ( WITH A SOLUTION ). 04-08-2025 07:26 AM
- Got Karma for KVStore does not start when running Splunk 9.4 ( WITH A SOLUTION ). 04-08-2025 07:08 AM
- Got Karma for KVStore does not start when running Splunk 9.4 ( WITH A SOLUTION ). 04-08-2025 06:32 AM
- Posted Re: KVStore does not start when running Splunk 9.4 ( WITH A SOLUTION ) on Deployment Architecture. 04-08-2025 06:29 AM
- Posted Re: KVstore unable to start after upgrade to Splunk Enterprise 9.4 on Splunk Enterprise. 04-08-2025 06:24 AM
- Posted KVStore does not start when running Splunk 9.4 ( WITH A SOLUTION ) on Deployment Architecture. 04-08-2025 06:19 AM
- Tagged KVStore does not start when running Splunk 9.4 ( WITH A SOLUTION ) on Deployment Architecture. 04-08-2025 06:19 AM
- Tagged KVStore does not start when running Splunk 9.4 ( WITH A SOLUTION ) on Deployment Architecture. 04-08-2025 06:19 AM
- Tagged KVStore does not start when running Splunk 9.4 ( WITH A SOLUTION ) on Deployment Architecture. 04-08-2025 06:19 AM
- Tagged KVStore does not start when running Splunk 9.4 ( WITH A SOLUTION ) on Deployment Architecture. 04-08-2025 06:19 AM
- Karma Re: "FormatMessage error" appears in indexed message for Windows security event logs - Splunk 6.1 and 6.2 for jijulukose. 02-08-2024 11:18 PM
- Got Karma for Centos 9 Stream: Systemd Service File for Splunkd Altered After Manual Start.. 11-23-2023 11:19 AM
- Posted Centos 9 Stream: Systemd Service File for Splunkd Altered After Manual Start. on Installation. 09-22-2023 01:30 AM
- Tagged Centos 9 Stream: Systemd Service File for Splunkd Altered After Manual Start. on Installation. 09-22-2023 01:30 AM
- Tagged Centos 9 Stream: Systemd Service File for Splunkd Altered After Manual Start. on Installation. 09-22-2023 01:30 AM
- Tagged Centos 9 Stream: Systemd Service File for Splunkd Altered After Manual Start. on Installation. 09-22-2023 01:30 AM
- Tagged Centos 9 Stream: Systemd Service File for Splunkd Altered After Manual Start. on Installation. 09-22-2023 01:30 AM
- Karma Re: Assets Exceeding Field Limits, Source: [merge] for hettervik. 04-11-2023 02:17 AM
- Karma Re: Assets Exceeding Field Limits, Source: [merge] for hettervik. 04-11-2023 02:17 AM
- Karma Re: Trouble with TLS for michael_bates_1. 03-28-2023 06:08 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 3 | |||
| 1 | |||
| 0 |
04-08-2025
06:29 AM
My kvstores were empty, but ideally one would try to search the kvstore in order to verify that it works. Another way to verify is to check the monitoring console > Search > KV Store: Instance. If you can see panels, the kvstore is working! However, if the page is just white, it is not working 😞
... View more
04-08-2025
06:24 AM
Had the very same issue. Are you using custom certificates? In that case, you might have had the same issue as me. Wrote about our the solution here: https://community.splunk.com/t5/Deployment-Architecture/KVStore-does-not-start-when-running-Splunk-9-4-WITH-A-SOLUTION/m-p/743791#M29350 Note that splunk themselves says that custom certificates are not supported, but we got it to work 😄
... View more
04-08-2025
06:19 AM
3 Karma
After completing the upgrade from Splunk Enterprise version 9.3.3 to v9.4 the KVstore will no longer start. Splunk has yet to do the KVstore upgrade to v7 as the KVstore cannot start. We were already on 4.2 wiredtiger. The problem we had, was our custom certificates did not have the proper extendedUsages set. When we signed the certificates with extendedKeyUsage = serverAuth, clientAuth and restarted Splunk, the kvstore started, upgraded automatically and is running. It even works on search head clusters. Note, the splunk documentation says that custom certificates are not working. But we've made it work Here is the particular doc: https://docs.splunk.com/Documentation/Splunk/9.4.1/Admin/MigrateKVstore#Check_your_deployment I am in the process of creating a supportcase with them. Yay! Here is how I figured out the issue: Let's start the troubleshooting. index=_internal log_level IN (warn, error) | chart count by component useother=false Saw a lot of errors in components 'mongoclient' and 'KVstorageProvider' Searching these components index=_internal log_level IN (warn, error) component IN (KVStorageProvider, MongoClient)
04-08-2025 14:55:03.784 +0200 ERROR KVStorageProvider [37886 KVStoreUpgradeStartupThread] - An error occurred during the last operation ('replSetGetStatus', domain: '15', code: '13053'): No suitable servers found (`serverSelectionTryOnce` set): [connection closed calling hello on '127.0.0.1:8191']
04-08-2025 14:55:04.370 +0200 WARN MongoClient [54380 KVStoreUpgradeStartupThread] - Disabling TLS hostname validation for localhost Not very useful log messages. However, we can search the mongod.log as well index=_internal source="/opt/splunk/var/log/splunk/mongod.log" On my search head cluster peers, they had a very specific error in the field attr.error.errmsg: (THIS will not show up on other splunk servers, but AS YOU WILL SEE, THIS IS THE ISSUE) SSL peer certificate validation failed: unsupported certificate purpose In this particular environment, we use custom certificates. And to check what usages was allowed with my certificates, i ran the following command: openssl x509 -in <path of my certificate> -noout -purpose Notice that SSL server is Yes, whereas SSL client is No. Meaning this certificate is not able to be used for client authentication. GOTCHA!!! So you need to create a new signing request, with an extendedKeyUsage extendedKeyUsage = serverAuth, clientAuth However, it is up to the signer to actually respect this request. So I would double check after the CSR has been signed, that it has the correct extended purpose. After pushing the new certificate to the server, and restarting Splunk, the kvstore automatically upgraded, and started after ~5 minutes. I verified using this command: /opt/splunk/bin/splunk show kvstore-status --verbose Notice the serverVersion and uptime. Good luck with the goddamn certificates. That was the solution for us
... View more
Labels
09-22-2023
01:30 AM
1 Karma
Summary: On a CentOS Stream 9 system, after installing Splunk in /opt/splunk and configuring it to start on boot with systemd, I've noticed unusual behavior. Using manual Splunk commands (/opt/splunk/bin/splunk [start | stop | restart]) alters the Splunkd.service file in /etc/systemd/system/, creating a timestamped backup. This change prevents Splunk from starting using systemctl commands and consequently on boot, defeating the purpose of the systemd setup. Using chattr to make the service file immutable is a current workaround. This behavior seems specific to CentOS Stream 9. How to recreate issue: On a centos stream 9 machine, installed splunk under /opt/splunk, and run splunk as user 'splunk'. Enable boot-start with systemd-managed 1, after stopping Splunk. After enabling boot-start, a file will be created at /etc/systemd/system/Splunkd.service. Starting and stopping splunk using systemctl works fine, and normal. However, if you run sudo /opt/splunk/bin/splunk [start | stop | restart], splunk itself will change the/etc/systemd/system/Splunkd.service, and create a backup with a timestamp, e.g. Splunkd.service_2023_09_21_06_49_05. When trying to start with systemctl again: e.g. sudo systemctl start Splunkd Failed to start Splunkd.service: Unit Splunkd.service failed to load properly, please adjust/correct and reload service manager: Device or resource busy See system logs and 'systemctl status Splunkd.service' for details. This will lead to Splunk not starting after reboot, which is the whole point of enabling systemd. This error message shows up, because the Splunkd.service file has been altered. To get systemctl working again, i run sudo systemctl daemon-reload But as soon as one tries to do a manual start|stop|restart command, the same issue arises. When diffing the new service file and old service file: diff Splunkd.service Splunkd.service_2023_09_21_06_49_05 26c26 < MemoryLimit=3723374592 --- > MemoryLimit=3723378688 memoryLimit is the only value that is changed for each subsequent 'backup' of the service file. It just switches between these two values Mr chat.gpt suggested to make the service file non-immutable with sudo chattr +i /etc/systemd/system/Splunkd.service After this change, whenever doing manual start | stop | restart, you get a WARNING message: But it won't **bleep** up your Service file, and hence splunk will start after reboot. So it is Splunk itself who is changing the Service file. However, this issue was discovered in Centos Stream 9, and cannot be replicated in earlier versions. Anybody know what may have caused this weird error?
... View more
Labels
- Labels:
-
Linux
03-28-2023
06:02 AM
TLDR: I was missing 1. outputs.conf on the sender (client) useSSL = true Thank you to michael_bates_1 , in thread https://community.splunk.com/t5/Getting-Data-In/Why-am-I-having-trouble-with-TLS/m-p/634513/highlight/false#M108573 After following the documentation on how to enable ssl between forwarders and indexers, i got the error ERROR TcpInputProc - Error encountered for connection from src=10.1.1.34:50772. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol In the documentation: https://docs.splunk.com/Documentation/Splunk/9.0.1/Security/ConfigureSplunkforwardingtousesignedcertificates#Configuration_file_examples_for_configuring_TLS_certificates_on_receiving_indexers , it specifies [SSL] requireClientCert = true Which if you drop, will affect your outputs.conf -> useSSL. It says if requireClientCert is defined, then useSSL will be true. In my case, I mindlessly thought you could set requrieClientCert=false... https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf #----Secure Sockets Layer (SSL) Settings----
# To set up SSL on the forwarder, set the following setting/value pairs.
# If you want to use SSL for authentication, add a stanza for each receiver
# that must be certified.
useSSL = <true|false|legacy>
* Whether or not the forwarder uses SSL to connect to the receiver, or relies
on the 'clientCert' setting to be active for SSL connections.
* You do not need to set 'clientCert' if 'requireClientCert' is set to
"false" on the receiver.
* A value of "true" means the forwarder uses SSL to connect to the receiver.
* A value of "false" means the forwarder does not use SSL to connect to the
receiver.
* The special value "legacy" means the forwarder uses the 'clientCert' property to
determine whether or not to use SSL to connect.
* Default: legacy
... View more
03-28-2023
06:00 AM
TLDR: I was missing 1. outputs.conf on the sender (client) useSSL = true After following the documentation on how to enable ssl between forwarders and indexers, i got the error ERROR TcpInputProc - Error encountered for connection from src=10.1.1.34:50772. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol In the documentation: https://docs.splunk.com/Documentation/Splunk/9.0.1/Security/ConfigureSplunkforwardingtousesignedcertificates#Configuration_file_examples_for_configuring_TLS_certificates_on_receiving_indexers , it specifies [SSL] requireClientCert = true Which if you drop, will affect your outputs.conf -> useSSL. It says if requireClientCert is defined, then useSSL will be true. In my case, I mindlessly thought you could set requrieClientCert=false... https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf #----Secure Sockets Layer (SSL) Settings----
# To set up SSL on the forwarder, set the following setting/value pairs.
# If you want to use SSL for authentication, add a stanza for each receiver
# that must be certified.
useSSL = <true|false|legacy>
* Whether or not the forwarder uses SSL to connect to the receiver, or relies
on the 'clientCert' setting to be active for SSL connections.
* You do not need to set 'clientCert' if 'requireClientCert' is set to
"false" on the receiver.
* A value of "true" means the forwarder uses SSL to connect to the receiver.
* A value of "false" means the forwarder does not use SSL to connect to the
receiver.
* The special value "legacy" means the forwarder uses the 'clientCert' property to
determine whether or not to use SSL to connect.
* Default: legacy
... View more
03-08-2023
03:28 AM
Hey! I had the same issue. If you look in index=_internal log_level IN ("error", "warn") splunk_app_addon-builder You'll find /opt/splunk/etc/apps/splunk_app_addon-builder/appserver/controllers/app_validation.py cannot be executed by Python: cannot import name 'soft_unicode' from 'markupsafe' (/opt/splunk/lib/python3.7/site-packages/markupsafe/__init__.py) Seems the python package markupsafe removed 'soft_unicode' , starting from versions later than 2.0.0. Solution is to use pip to downgrade pip3 install --target=/opt/splunk/lib/python3.7/site-packages markupsafe==2.0.0 --force --upgrade Then restart splunk. As I'm sure you're aware, this is absolutely a hack... Happy app-building 🙂
... View more
09-16-2022
05:20 AM
I actually had to delete the registry keys, in order to install UF again.
... View more
09-16-2022
05:18 AM
Thank you @Richfez, worked flawlessly!
... View more
09-09-2022
01:37 AM
tried version 9.0.1. No success, RequireClientCert = true still crashes GUI, and several issues. Without requireclientcert, upgrade readiness app still showing failed for "SSL Peer Config Check" and "MongoDB ...". I am missing something but don't know what. At last, tried using a self-signed certificate with X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection. Confirmed that it was a multipurpose certificate (both client and server) as well, but to no avail... GUI Error: ERROR [631af018aa7ff2d0185690] __init__:591-SSLerrorcommunicatingwithsplunkd, error="[SSL:TLSV1_ALERT_UNKNOWN_CA] tlsv1alertunknownca (_ssl.c:1106)", path=/services/authentication/users/splunkadmin
GUI Error as reported from backend python script: 2022-09-09 07:49:44,679 ERROR [631af018aa7ff2d0185690] error:335 - Traceback (most recent call last):
File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 583, in simpleRequest
serverResponse, serverContent = h.request(uri, method, headers=headers, body=payload)
File "/opt/splunk/lib/python3.7/site-packages/httplib2/__init__.py", line 1968, in request
cachekey,
File "/opt/splunk/lib/python3.7/site-packages/httplib2/__init__.py", line 1626, in _request
conn, request_uri, method, body, headers
File "/opt/splunk/lib/python3.7/site-packages/httplib2/__init__.py", line 1532, in _conn_request
conn.connect()
File "/opt/splunk/lib/python3.7/site-packages/httplib2/__init__.py", line 1313, in connect
self.sock = self._context.wrap_socket(sock, server_hostname=self.host)
File "/opt/splunk/lib/python3.7/ssl.py", line 428, in wrap_socket
session=session
File "/opt/splunk/lib/python3.7/ssl.py", line 878, in _create
self.do_handshake()
File "/opt/splunk/lib/python3.7/ssl.py", line 1147, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1106)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/splunk/lib/python3.7/site-packages/cherrypy/_cprequest.py", line 628, in respond
self._do_respond(path_info)
File "/opt/splunk/lib/python3.7/site-packages/cherrypy/_cprequest.py", line 687, in _do_respond
response.body = self.handler()
File "/opt/splunk/lib/python3.7/site-packages/cherrypy/lib/encoding.py", line 219, in __call__
self.body = self.oldhandler(*args, **kwargs)
File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/htmlinjectiontoolfactory.py", line 75, in wrapper
resp = handler(*args, **kwargs)
File "/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpdispatch.py", line 54, in __call__
return self.callable(*self.args, **self.kwargs)
File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/routes.py", line 383, in default
return route.target(self, **kw)
File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-1208>", line 2, in render
File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 40, in rundecs
return fn(*a, **kw)
File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-1206>", line 2, in render
File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 118, in check
return fn(self, *a, **kw)
File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-1205>", line 2, in render
File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 166, in validate_ip
return fn(self, *a, **kw)
File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-1204>", line 2, in render
File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 244, in preform_sso_check
update_session_user(sessionKey, remote_user)
File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 188, in update_session_user
en = splunk.entity.getEntity('authentication/users', user, sessionKey=sessionKey)
File "/opt/splunk/lib/python3.7/site-packages/splunk/entity.py", line 277, in getEntity
serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True)
File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 592, in simpleRequest
raise splunk.SplunkdConnectionException(msg)
splunk.SplunkdConnectionException: Splunkd daemon is not responding: ('SSL error communicating with splunkd, error="[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1106)", path=/services/authentication/users/splunkadmin',) Other issues: 09-09-2022 08:00:06.093 +0000 WARN SSLCommon [10232 HttpDedicatedIoThread-7] - Received fatal SSL3 alert. ssl_state='error', alert_description='handshake failure'.
09-09-2022 08:00:06.093 +0000 WARN HttpListener [10232 HttpDedicatedIoThread-7] - Socket error from 127.0.0.1:36446 while idling: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
... View more
09-07-2022
11:44 PM
1 Karma
Am troubleshooting the issue myself. My current suspicion is it checks for mutual TLS (mTLS) between Splunk instances, from title: Search peer SSL config check. Aka Splunk-2-Splunk mutual authentication. I have created a certificate from lets-encrypt with multipurpose. I.E be able to be used as server and client.You can check your certificate with openssl x509 -noout -purpose -in <certificate> Then tried to deploy current server.conf to enable S2S authentication and encryption: [sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/apps/<REDACTED>
serverCert = $SPLUNK_HOME/etc/apps/<REDACTED>
sslAltNameToCheck = <the lets'encrypt certificate is a wildcard certificate>
#The sslVerifyServerCert setting controls the TLS certificate requirement feature.
# value of "true", the Splunk platform instance requires that any Splunk platform instance to which it connects provides a valid TLS certificate before that connection can complete
# https://docs.splunk.com/Documentation/Splunk/9.0.1/Security/EnableTLSCertHostnameValidation
sslVerifyServerCert = true
# needed in S2S verification apparently... https://docs.splunk.com/Documentation/Splunk/9.0.1/Security/ConfigTLSCertsS2S. In this sense, client is not a forwarder... but rather another Splunk instance
#requireClientCert = true
requireClientCert = false
#sslVerifyServerName only valid in splunk version 9
#sslVerifyServerName = true
#test
cliVerifyServerName = false
# https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/Serverconf
# https://community.splunk.com/t5/Deployment-Architecture/When-requireClientCert-true-is-set-in-server-conf-unable-to-run/m-p/251588
# https://medium.com/@vikashtalanki/securing-splunk-enterprise-with-ssl-eb2fb568c90e
[httpServerListener:127.0.0.1:8090]
ssl=false This still fails the check. Two leads: according to docs, requireClientCert = true is required for S2S. But when enabled, splunkweb fails and won't start with my current configuration. When checking logs, error message received is "unknown CA". ERROR [6318a141567ff86c0f4210] __init__:522 - Socket error communicating with splunkd (error=[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1106)), path = /services/authentication/users/splunkadmin Very weird. This makes me unable to actually run the test, so don't know if this is the answer. I have a lead to follow from here: Try these configurations on 9.0.1 If you have any other suggestions, please let me know, and I will try them 🙂
... View more
08-12-2022
02:37 AM
Trying to set graph colors with fieldColors in options, in Dashboard Studio.
Tried to set them in both dataSources and Visualizations to no avail. What am i doing wrong?
Tested on Splunk Cloud Version: 8.2.2203.2.
Whole code for dashboard below
{
"dataSources": {
"ds_sourcetype": {
"type": "ds.search",
"options": {
"query": "index=_internal _sourcetype IN ( splunk_web_access, splunkd_access)\n| timechart count by _sourcetype",
"fieldColors": {
"splunk_web_access": "#FF0000",
"splunkd_access": "#0000FF"
}
},
"name": "Search_1"
}
},
"visualizations": {
"viz_sourcetype": {
"type": "splunk.line",
"options": {
"fieldColors": {
"splunk_web_access": "#FF0000",
"splunkd_access": "#0000FF"
},
"yAxisAbbreviation": "auto",
"y2AxisAbbreviation": "auto",
"showRoundedY2AxisLabels": false,
"legendTruncation": "ellipsisMiddle",
"showY2MajorGridLines": true,
"xAxisLabelRotation": 0,
"xAxisTitleVisibility": "show",
"yAxisTitleVisibility": "show",
"y2AxisTitleVisibility": "show",
"yAxisScale": "linear",
"showOverlayY2Axis": false,
"nullValueDisplay": "gaps",
"dataValuesDisplay": "off",
"showSplitSeries": false,
"showIndependentYRanges": false,
"legendMode": "standard",
"legendDisplay": "right",
"lineWidth": 2,
"backgroundColor": "#ffffff"
},
"dataSources": {
"primary": "ds_sourcetype"
}
}
},
"inputs": {
"input_global_trp": {
"type": "input.timerange",
"options": {
"token": "global_time",
"defaultValue": "-24h@h,now"
},
"title": "Global Time Range"
}
},
"layout": {
"type": "grid",
"options": {},
"structure": [
{
"item": "viz_sourcetype",
"type": "block",
"position": {
"x": 0,
"y": 0,
"w": 1200,
"h": 400
}
}
],
"globalInputs": [
"input_global_trp"
]
},
"title": "dashboard_studio_test",
"defaults": {
"dataSources": {
"ds.search": {
"options": {
"queryParameters": {
"latest": "$global_time.latest$",
"earliest": "$global_time.earliest$"
}
}
}
}
}
}
... View more
Labels
- Labels:
-
chart
-
Dashboard Studio
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
2 weeks ago
|
Karma given to
