Splunk® Data Stream Processor

Install and administer the Data Stream Processor

On April 3, 2023, Splunk Data Stream Processor reached its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.

All DSP releases prior to DSP 1.4.0 use Gravity, a Kubernetes orchestrator, which has been announced end-of-life. We have replaced Gravity with an alternative component in DSP 1.4.0. Therefore, we will no longer provide support for versions of DSP prior to DSP 1.4.0 after July 1, 2023. We advise all of our customers to upgrade to DSP 1.4.0 in order to continue to receive full product support from Splunk.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Configure the Data Stream Processor to send data to a self-signed Splunk instance

The Splunk Data Stream Processor supports one-way SSL/TLS with the Splunk HEC endpoints. Use these settings if your Splunk HEC endpoints are secured via HTTPS (SSL/TLS). These settings apply globally to both Send to a Splunk Index (Default for Environment) and Send to a Splunk Index functions. Currently, the only way to configure these settings is to set or update environment variables before you deploy your Kubernetes pods. You cannot change these settings on a per-connection or per-function basis.

We currently have an "all-or-nothing" approach to sending data from DSP to an SSL-enabled Splunk Enterprise instance. This means that you must have all or none of your Splunk Enterprise HEC endpoints configured to use SSL. If the K8S_PIPELINES_DATA_SPLUNKD_SSL_VALIDATION_ENABLED setting is set to true, then all DSP HEC client functions use HTTPS and require a valid certificate from the server.

Enable server certificate validation and hostname validation

  1. Enable hostname verification. The DSP HEC client performs a server identity check to confirm that the client is connecting to the correct server and has not been redirected by a man-in-the-middle (MITM) attack. Defaults to false.
    ./set-config K8S_PIPELINES_DATA_SSL_HOSTNAME_VERIFICATION true
    
  2. (Optional) If you are using the Splunk Cloud Platform, contact Splunk Support for a Splunk Cloud DigiCert CA.
  3. (Optional) After receiving a Splunk Cloud DigiCert CA from Splunk Support, or if you are using a CA certificate that is not part of the Java JRE default trust store, set the following configuration value on your node.
    ./set-config K8S_PIPELINES_DATA_SPLUNKD_SSL_CERT_BASE64 [base64-encoded-CA]
  4. Enable SSL validation. When enabled, the Send to a Splunk Index (Default for Environment) and Send to a Splunk Index functions connect to the Splunk Enterprise HEC endpoints via HTTPS and validate the server's SSL certificate. Defaults to true. Set this to true if the CA certificate you used to sign your Splunk server certificates is part of the Java JRE default trust store.
    ./set-config K8S_PIPELINES_DATA_SPLUNKD_SSL_VALIDATION_ENABLED true
    
  5. After setting the configurations, deploy your changes.
    ./deploy
    
  6. Restart all pipelines using the Send to a Splunk Index (Default for Environment) and Send to a Splunk Index functions for your changes to take effect.
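
Step 3 of the procedure above needs a base64-encoded CA value. The following helper is an added example, not Splunk code: it assumes the value is the CA's PEM file base64-encoded onto a single line (the page does not specify the encoding), and the function names `encode_ca` and `dsp_tls_commands` are hypothetical. It refuses files that contain a private key, checks that the PEM markers are balanced, and prints the command sequence from this page for review.

```shell
#!/bin/sh
# Added example, not Splunk code. Assumption: the value for
# K8S_PIPELINES_DATA_SPLUNKD_SSL_CERT_BASE64 is the CA's PEM file,
# base64-encoded onto one line (the page only says "[base64-encoded-CA]").

# encode_ca FILE: print single-line base64 of a PEM CA file, or fail.
encode_ca() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    # Refuse bundles carrying key material: this value lands in cluster config.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
        echo "$pem contains a private key; supply the CA certificate only" >&2
        return 2
    fi
    # Every BEGIN marker needs a matching END marker, and at least one cert.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$pem" || true)
    if [ "$begins" -lt 1 ] || [ "$begins" -ne "$ends" ]; then
        echo "$pem is not a well-formed PEM certificate file" >&2
        return 3
    fi
    # GNU base64 wraps at 76 columns; strip newlines so the value is one argument.
    b64=$(base64 < "$pem" | tr -d '\n')
    # Round-trip check: decoding must reproduce the input byte for byte.
    printf '%s' "$b64" | base64 -d | cmp -s - "$pem" || return 4
    printf '%s\n' "$b64"
}

# dsp_tls_commands FILE: print the page's command sequence for FILE, in order.
# Printing instead of executing lets you review the value before applying it.
dsp_tls_commands() {
    b64=$(encode_ca "$1") || return $?
    echo "./set-config K8S_PIPELINES_DATA_SSL_HOSTNAME_VERIFICATION true"
    echo "./set-config K8S_PIPELINES_DATA_SPLUNKD_SSL_CERT_BASE64 $b64"
    echo "./set-config K8S_PIPELINES_DATA_SPLUNKD_SSL_VALIDATION_ENABLED true"
    echo "./deploy"
}
```

Source the file and run `dsp_tls_commands /path/to/ca.pem` from the directory that holds `set-config`, then restart the affected pipelines as described in step 6.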

Disable server certificate validation and hostname validation

  1. Disable hostname verification.
    ./set-config K8S_PIPELINES_DATA_SSL_HOSTNAME_VERIFICATION false
    
  2. Disable SSL validation. If true, the Send to a Splunk Index (Default for Environment) and Send to a Splunk Index functions connect to the Splunk Enterprise HEC endpoints via HTTPS and validate the server's SSL certificate. If false, the Send to a Splunk Index (Default for Environment) and Send to a Splunk Index functions still use HTTPS but do not validate the server's SSL certificate. Defaults to true.
    ./set-config K8S_PIPELINES_DATA_SPLUNKD_SSL_VALIDATION_ENABLED false
    
  3. After setting the configurations, deploy your changes.
    ./deploy
    
  4. Restart all pipelines using the Send to a Splunk Index (Default for Environment) and Send to a Splunk Index functions for your changes to take effect.
Last modified on 25 March, 2022

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1

