Smart AnSwerS #78

Hey there community and welcome to the 78th installment of Smart AnSwerS.

Things have been ramping up around Splunk HQ with conf2016 just around the corner! The Splunk education team is starting off strong with Splunk University beginning tomorrow and running through Monday, while the rest of the conference staff are working hard to make the final touches to ensure a smooth and awesome experience for all attendees. I’m looking forward to running into familiar faces and coming across new ones! I’ll be hanging out at the Splunk Answers booth at least half of the time during the conference, so if you happen to be exploring the source=*Pavillion, feel free to stop by to say hello. :) Safe travels everyone!

Check out this week’s featured Splunk Answers posts:

How to replicate a Search Head Cluster’s KV Store lookup data to an indexer?

earakam created a KV Store lookup in a search head cluster and set replicate=true in collections.conf, hoping this would replicate to the indexer cluster in the same environment to use as a lookup in Splunk Web on the indexers. Unfortunately, it wasn’t working. SplunkTrust member dwaddle described the expected behavior of replicate=true, educating the community on how knowledge bundle replication actually works in search head to indexer communication.

Splunk Enterprise Security: How to generate a list of correlation searches showing severity ratings, risk scores, and status (enabled/disabled)?

sheamus69 created a search to find details for correlation searches, but was having trouble pulling associated risk scores. smoir, technical writer for Splunk Enterprise Security documentation, explains that risk scores can be set within the search itself, or as an action as a result of the search matching a desired pattern. She notes that risk information can be pulled from the action.risk.param.* settings.

Trying to configure SSL in Splunk, why is my forwarder reporting “certificate verify failed”?

chawagon03 was trying to enable SSL in a test Splunk environment, but couldn’t get forwarders to communicate with indexers and was getting “certificate verify failed” errors. However, after some self-troubleshooting, chawagon03 found the issue and shared the solution with the community, warning against using the same common name when creating the CSR files for the certificates. This answer resolved the post, making it visible in Answers search results for several other users who came across the same issue.

Thanks for reading!

Missed out on the first seventy-seven Smart AnSwerS blog posts? Check ‘em out here!
