
Splunk Configuration

George M. Dias edited this page Apr 18, 2023 · 14 revisions

Splunk's default configuration can cause data loss or indexing issues when using saf convert hdf2splunk.

In order to use hdf2splunk, you have to update your Splunk service in a few places.

  1. Update your Splunk server to support the larger data requirements of HDF files
  2. Set up SSL so hdf2splunk can securely transmit your data

NOTE: To run Splunk from a Docker container, see Splunk in Docker.

1. Splunk Server Services

limits.conf docs

[kv]
limit = 10000000
maxchars = 1000000

props.conf docs



If you have loaded HDF into Splunk without configuring EVENT_BREAKER, it will be unreadable from Heimdall.

To remove it, execute the query index="<YOUR INDEX>" meta.subtype="header" | delete. Note that this is a destructive action and will remove anything returned by this query, so run the search without the trailing | delete first to confirm it matches only the events you intend to remove.

2. Splunk Server SSL Setup

These setup instructions have been tested on the AWS AMI provided by Splunk, running Amazon Linux 2. Note: the changes to web.conf are optional and are not required for hdf2splunk to transmit data securely; their purpose is to serve the Splunk GUI over HTTPS on the default port 8000. The changes to server.conf serve the certificate on the management port 8089 and are required for hdf2splunk to transmit your data securely.

Replace $YOUR_FQDN_HERE with the FQDN of the Splunk host.

sudo yum update ca-certificates -y
sudo yum install -y
sudo wget -r --no-parent -A 'epel-release-*.rpm'
sudo rpm -Uvh*.rpm
sudo yum-config-manager --enable epel*
sudo amazon-linux-extras install epel -y
sudo yum install -y certbot 
sudo yum update -y
# cd is a shell builtin, so "sudo cd" changes nothing; use absolute paths instead
sudo /etc/pki/tls/certs/make-dummy-cert /etc/pki/tls/certs/localhost.crt
sudo certbot -d $YOUR_FQDN_HERE --standalone certonly
sudo mkdir -p /opt/splunk/etc/auth/$YOUR_FQDN_HERE
sudo cp /etc/letsencrypt/live/$YOUR_FQDN_HERE/fullchain.pem /etc/letsencrypt/live/$YOUR_FQDN_HERE/privkey.pem /opt/splunk/etc/auth/$YOUR_FQDN_HERE/
# the redirect must run as root too, otherwise ">" is opened by your own user and fails
sudo sh -c "cat /etc/letsencrypt/live/$YOUR_FQDN_HERE/cert.pem /etc/letsencrypt/live/$YOUR_FQDN_HERE/privkey.pem /etc/letsencrypt/live/$YOUR_FQDN_HERE/fullchain.pem > /opt/splunk/etc/auth/$YOUR_FQDN_HERE/myCombinedServerCertificate.pem"
sudo chown -R splunk:splunk /opt/splunk/etc/auth/$YOUR_FQDN_HERE
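The combined file produced above is what server.conf's serverCert points at, and Splunk is particular about its layout: server certificate first, then the private key, then the chain. The following is an added example, not code from the SAF wiki or the hdf2splunk project, that checks a bundle for that layout, for an encrypted key (which would additionally need sslPassword in [sslConfig]), and for file permissions that would expose the key. The PEM texts it uses are constructed placeholders with fake bodies; only their block headers matter.

```python
"""Check the combined server certificate file that the commands above assemble.

Added example, not code from the SAF wiki or the hdf2splunk project. Only the
PEM block headers matter here; the sample bodies are constructed placeholders,
not real keys or certificates.
"""
import os
import re

# A PEM block: header, base64 body, matching footer.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s.*?-----END \1-----", re.S)
KEY_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_block_types(text: str) -> list:
    """Return the block types in order of appearance, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def build_bundle(cert_pem: str, key_pem: str, chain_pem: str) -> str:
    """Concatenate in the same order as the page's cat command:
    cert.pem, then privkey.pem, then fullchain.pem."""
    return "".join(p if p.endswith("\n") else p + "\n" for p in (cert_pem, key_pem, chain_pem))


def check_bundle(text: str) -> list:
    """Return a list of problems with a serverCert bundle; empty means it looks usable."""
    types = pem_block_types(text)
    problems = []
    if not types:
        return ["no PEM blocks found"]
    if types[0] != "CERTIFICATE":
        problems.append(f"first block is {types[0]}, expected the server CERTIFICATE")
    keys = [t for t in types if t in KEY_TYPES]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    elif len(types) < 2 or types[1] not in KEY_TYPES:
        problems.append("the private key should directly follow the server certificate")
    if "ENCRYPTED PRIVATE KEY" in keys:
        # Splunk can only load an encrypted key if sslPassword is set in [sslConfig].
        problems.append("private key is encrypted; set sslPassword in [sslConfig] or decrypt it")
    unknown = sorted({t for t in types if t != "CERTIFICATE" and t not in KEY_TYPES})
    if unknown:
        problems.append(f"unexpected block types: {unknown}")
    return problems


def check_bundle_file(path: str) -> list:
    """check_bundle plus a permission check: the file contains the private key,
    so nothing but the splunk user should be able to read it."""
    with open(path, encoding="ascii") as fh:
        problems = check_bundle(fh.read())
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        problems.append(f"{path} has mode {mode:o}; group/other access exposes the private key")
    return problems


def fake_pem(block_type: str, body: str = "MIIBexampleONLYnotARealKeyOrCert==") -> str:
    """Constructed placeholder block for the demonstration below."""
    return f"-----BEGIN {block_type}-----\n{body}\n-----END {block_type}-----\n"


# Constructed stand-ins for cert.pem, privkey.pem and fullchain.pem (leaf + intermediate).
CERT = fake_pem("CERTIFICATE")
KEY = fake_pem("PRIVATE KEY")
CHAIN = CERT + fake_pem("CERTIFICATE", "MIIBintermediateCAplaceholder==")

if __name__ == "__main__":
    print("correct order:", check_bundle(build_bundle(CERT, KEY, CHAIN)) or "OK")
    print("key first:", check_bundle(KEY + CERT + CHAIN))
    print("key missing:", check_bundle(build_bundle(CERT, "", CHAIN)))
```

On a real host, run check_bundle_file against /opt/splunk/etc/auth/$YOUR_FQDN_HERE/myCombinedServerCertificate.pem after the chown step; the leaf certificate appearing twice (once from cert.pem, once at the head of fullchain.pem) is expected with the page's cat command and is not flagged.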

web.conf docs

[settings]
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/$YOUR_FQDN_HERE/privkey.pem
caCertPath = /opt/splunk/etc/auth/$YOUR_FQDN_HERE/fullchain.pem

server.conf docs

[general]
serverName = $YOUR_FQDN_HERE

[httpServer]
crossOriginSharingPolicy = *
crossOriginSharingHeaders = *
disabled = 0

[sslConfig]
sslVersions = tls1.2
sslVersionsForClient = tls1.2
cipherSuite = HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128
useClientSSLCompression = false
allowSslCompression = false
serverCert = /opt/splunk/etc/auth/$YOUR_FQDN_HERE/myCombinedServerCertificate.pem
sslRootCAPath = /opt/splunk/etc/auth/$YOUR_FQDN_HERE/fullchain.pem
sendStrictTransportSecurityHeader = true

Restart Splunk
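Because a typo in server.conf silently leaves the management port on weaker settings, it is worth auditing the file before restarting. The following is an added example, not code from the SAF wiki or the hdf2splunk project: it parses a server.conf with Python's configparser and flags legacy protocol versions, TLS compression, a missing HSTS header, a missing serverCert and a cipher string that does not exclude anonymous or MD5 suites. The permissive sample it is run against is constructed for contrast; the hardened sample is the [sslConfig] stanza from this page.

```python
"""Audit the [sslConfig] stanza of a Splunk server.conf for weak TLS settings.

Added example, not code from the SAF wiki or the hdf2splunk project. It uses
only the stanza and key names shown on the page plus Python's configparser.
The sample conf texts below are constructed for illustration.
"""
from configparser import ConfigParser

# Protocol tokens that should never be enabled on the management port.
LEGACY_PROTOCOLS = {"ssl2", "ssl3", "tls1.0", "tls1.1", "*"}


def parse_conf(text: str) -> ConfigParser:
    """Parse Splunk .conf text. Only '=' separates key and value, so cipher
    strings containing ':' survive intact, and key case is preserved."""
    cp = ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def to_bool(value: str) -> bool:
    """Splunk accepts true/false, 1/0 and yes/no for boolean settings."""
    return value.strip().lower() in {"true", "1", "yes", "y", "on"}


def enabled_protocols(value: str) -> set:
    """'tls1.1,tls1.2,-tls1.1' -> {'tls1.2'}; '*,-ssl2' -> {'*'} (wildcard still on)."""
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    included = {t for t in tokens if not t.startswith("-")}
    excluded = {t[1:] for t in tokens if t.startswith("-")}
    return included - excluded


def audit_ssl_config(conf_text: str) -> list:
    """Return a list of findings; an empty list means every check passed.
    Absent keys are treated as weak so that a forgotten line is reported."""
    cp = parse_conf(conf_text)
    if not cp.has_section("sslConfig"):
        return ["missing [sslConfig] stanza"]
    ssl = cp["sslConfig"]
    findings = []

    for key in ("sslVersions", "sslVersionsForClient"):
        legacy = enabled_protocols(ssl.get(key, "*")) & LEGACY_PROTOCOLS
        if legacy:
            findings.append(f"{key} allows legacy protocols: {sorted(legacy)}")

    for key in ("useClientSSLCompression", "allowSslCompression"):
        if to_bool(ssl.get(key, "true")):
            findings.append(f"{key} should be false (TLS compression enabled)")

    if not to_bool(ssl.get("sendStrictTransportSecurityHeader", "false")):
        findings.append("sendStrictTransportSecurityHeader should be true")

    if not ssl.get("serverCert", "").strip():
        findings.append("serverCert is not set; Splunk's default self-signed server.pem would be used")

    cipher = ssl.get("cipherSuite", "")
    for exclusion in ("!aNULL", "!MD5"):
        if exclusion not in cipher:
            findings.append(f"cipherSuite does not exclude {exclusion[1:]} ciphers")
    return findings


# Constructed: a permissive stanza of the kind this page replaces.
WEAK_CONF = """
[sslConfig]
sslVersions = *,-ssl2
cipherSuite = ALL
allowSslCompression = true
"""

# The hardened settings from this page, FQDN placeholder kept.
HARDENED_CONF = """
[general]
serverName = $YOUR_FQDN_HERE

[httpServer]
crossOriginSharingPolicy = *
crossOriginSharingHeaders = *
disabled = 0

[sslConfig]
sslVersions = tls1.2
sslVersionsForClient = tls1.2
cipherSuite = HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128
useClientSSLCompression = false
allowSslCompression = false
serverCert = /opt/splunk/etc/auth/$YOUR_FQDN_HERE/myCombinedServerCertificate.pem
sslRootCAPath = /opt/splunk/etc/auth/$YOUR_FQDN_HERE/fullchain.pem
sendStrictTransportSecurityHeader = true
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_ssl_config(text) or 'OK'}")
```

The cipherSuite check is deliberately shallow (it only confirms the two exclusions are present) because evaluating an OpenSSL cipher string properly requires OpenSSL itself; the protocol and compression checks are exact. Point audit_ssl_config at the contents of $SPLUNK_HOME/etc/system/local/server.conf to audit a live host.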
