
Splunk Configuration

George M. Dias edited this page Apr 18, 2023 · 14 revisions

Splunk's default configuration can cause data loss or indexing issues when using saf convert hdf2splunk.

In order to use hdf2splunk, you have to update your Splunk service in a few places.

  1. Update your Splunk server to support the larger data requirements of HDF files
  2. Set up SSL so hdf2splunk can securely transmit your data

NOTE: To run Splunk from a Docker container, see Splunk in Docker.

1. Splunk Server Services

limits.conf docs

[kv]
limit = 10000000
maxchars = 1000000

props.conf docs

[HDF2Splunk]
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\n]+)
TRUNCATE = 0

Note:

If you have loaded HDF into Splunk without configuring EVENT_BREAKER, it will be unreadable from Heimdall.

To remove it, execute the query index="<YOUR INDEX>" meta.subtype="header" | delete. Note that this is a destructive action, and will remove anything that is returned by this query.

2. Splunk Server SSL Setup

These setup instructions have been tested on the AWS AMI provided by Splunk, running Amazon Linux 2. Note: the changes to web.conf are optional and are not required for hdf2splunk to transmit data securely; their purpose is to serve the Splunk GUI over HTTPS on the default port 8000. The changes to server.conf serve the certificate on the management port 8089 and are required for hdf2splunk to transmit your data securely.

Replace $YOUR_FQDN_HERE with the FQDN of the Splunk host.

# Refresh the CA bundle so yum, wget and certbot trust current public CAs
sudo yum update ca-certificates -y
sudo yum install https://cdn.amazonlinux.com/patch/ca-certificates-update-2021-09-30/ca-certificates-2021.2.50-72.amzn2.0.1.noarch.rpm -y
# Enable EPEL, which provides the certbot package
sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
sudo yum-config-manager --enable epel*
sudo amazon-linux-extras install epel -y
sudo yum install -y certbot
sudo yum update -y
# Placeholder self-signed certificate. make-dummy-cert lives in /etc/pki/tls/certs;
# "sudo cd" does not change the calling shell's directory, so use absolute paths.
sudo /etc/pki/tls/certs/make-dummy-cert /etc/pki/tls/certs/localhost.crt
# Request the Let's Encrypt certificate; --standalone binds port 80 on this host
sudo certbot -d $YOUR_FQDN_HERE --standalone certonly
# Copy the key and chain into Splunk's auth directory. The letsencrypt live
# directory is readable by root only, so the reads need sudo as well as the writes.
sudo mkdir -p /opt/splunk/etc/auth/$YOUR_FQDN_HERE
sudo cp /etc/letsencrypt/live/$YOUR_FQDN_HERE/fullchain.pem /etc/letsencrypt/live/$YOUR_FQDN_HERE/privkey.pem /opt/splunk/etc/auth/$YOUR_FQDN_HERE/
# Build the combined cert+key+chain file that serverCert in server.conf points at.
# The redirection must also run as root, otherwise the write happens as your own user.
sudo sh -c "cat /etc/letsencrypt/live/$YOUR_FQDN_HERE/cert.pem /etc/letsencrypt/live/$YOUR_FQDN_HERE/privkey.pem /etc/letsencrypt/live/$YOUR_FQDN_HERE/fullchain.pem > /opt/splunk/etc/auth/$YOUR_FQDN_HERE/myCombinedServerCertificate.pem"
# Hand the directory (including the private key) to the account Splunk runs as
sudo chown -R splunk:splunk /opt/splunk/etc/auth/$YOUR_FQDN_HERE

web.conf docs

[settings]
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/$YOUR_FQDN_HERE/privkey.pem
caCertPath = /opt/splunk/etc/auth/$YOUR_FQDN_HERE/fullchain.pem

server.conf docs

[general]
serverName = $YOUR_FQDN_HERE

[httpServer]
crossOriginSharingPolicy = *
crossOriginSharingHeaders = *
disabled = 0

[sslConfig]
sslVersions = tls1.2
sslVersionsForClient = tls1.2
cipherSuite = HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128
useClientSSLCompression = false
allowSslCompression = false
serverCert = /opt/splunk/etc/auth/$YOUR_FQDN_HERE/myCombinedServerCertificate.pem
sslRootCAPath = /opt/splunk/etc/auth/$YOUR_FQDN_HERE/fullchain.pem
sendStrictTransportSecurityHeader = true

Restart Splunk for the configuration changes to take effect.
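Before restarting, it is worth confirming that limits.conf, props.conf and server.conf actually carry the settings listed on this page, since a missed EVENT_BREAKER or a default kv limit silently truncates HDF data. The following preflight check is an added example and is not SAF or Splunk code; the conf text in SAMPLE is constructed for illustration, and the file names and stanzas are the ones used above.

```python
"""Preflight check of the Splunk settings hdf2splunk needs (added example, not SAF/Splunk code)."""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; handles '#' comments and '\\' continuations."""
    stanzas, current, pending = {}, "default", ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        pending, line = "", line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

# (file, stanza, key, predicate, expected) taken from the settings on this page.
REQUIRED = [
    ("limits.conf", "kv", "limit", lambda v: v.isdigit() and int(v) >= 10000000, ">= 10000000"),
    ("limits.conf", "kv", "maxchars", lambda v: v.isdigit() and int(v) >= 1000000, ">= 1000000"),
    ("props.conf", "HDF2Splunk", "SHOULD_LINEMERGE", lambda v: v.lower() == "false", "false"),
    ("props.conf", "HDF2Splunk", "EVENT_BREAKER_ENABLE", lambda v: v.lower() == "true", "true"),
    ("props.conf", "HDF2Splunk", "TRUNCATE", lambda v: v == "0", "0"),
    ("server.conf", "sslConfig", "sslVersions", lambda v: v == "tls1.2", "tls1.2"),
    ("server.conf", "sslConfig", "allowSslCompression", lambda v: v.lower() == "false", "false"),
]

def check_configs(confs):
    """confs maps conf file name -> file text; returns one finding per missing or non-compliant setting."""
    parsed = {name: parse_conf(text) for name, text in confs.items()}
    findings = []
    for fname, stanza, key, ok, want in REQUIRED:
        value = parsed.get(fname, {}).get(stanza, {}).get(key)
        if value is None:
            findings.append(f"{fname} [{stanza}] {key} is missing (want {want})")
        elif not ok(value):
            findings.append(f"{fname} [{stanza}] {key} = {value} (want {want})")
    return findings

# Constructed sample: a server still on Splunk's kv and props defaults, SSL already done.
SAMPLE = {
    "limits.conf": "[kv]\nlimit = 100\nmaxchars = 10240\n",
    "props.conf": "# HDF stanza\n[HDF2Splunk]\nSHOULD_LINEMERGE = false\nTRUNCATE = 10000\n",
    "server.conf": "[sslConfig]\nsslVersions = tls1.2\nallowSslCompression = false\n",
}
```

On a real host, read each file from $SPLUNK_HOME/etc/system/local (or the app's local directory) into the dictionary instead of SAMPLE; an empty result means the three files match this page.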