Splunk® Enterprise

Monitoring Splunk Enterprise

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Use Certificate Assist

Certificate Assist gives you insights into the status of the transport layer security (TLS) certificates that you have installed on your Splunk Enterprise instances.

When Certificate Assist loads, the page appears similar to the main Assist page, with indicator severity cards along the top of the page and an overview pane that shows the list of certificates. The name of the pane changes depending on which indicator card you click.

Splunk Assist collects indicators on certificates over a period of the previous 30 days. When you replace your certificates, you might see the old certificates in Certificate Assist for up to 30 days after you have renewed them.

Indicator status

The indicator tabs filter the list of certificates as follows:

  • All certificates.: Shows all nodes for which Splunk Assist has recorded certificate information.
  • Critical. Shows nodes whose certificates expire within 7 days of the current date, or that have already expired.
  • Warning. Shows nodes whose certificates expire within 30 days of the current date.
  • Conforming. Shows nodes whose certificates are valid for at least 30 days from the current date.

You can filter nodes by entering text into the "Filter nodes" text box within the overview pane.

To see more information about a node, click the > next to the node. It expands to provide a summary about the node certificate. You can then act on making updates as Certificate Assist advises.

Troubleshoot problems with Certificate Assist

If you encounter problems where Certificate Assist does not display all information about your certificates, reference the following table for common problems and their solutions.

Problem Solution
No certificate indicators appear in the Availability category
  • All indexers must run Splunk Enterprise version 9.0.0 or higher to work with Certificate Assist.
  • You must configure TLS between the forwarders and the indexers in your Splunk Enterprise deployment. Splunk Assist can't see the status of certificates on your Splunk Enterprise instance without this in place. See Configure Splunk indexing and forwarding to use TLS certificates for additional information and step-by-step instructions.
  • After you configure TLS on your indexers and forwarders, you can use the following Splunk search to verify that your indexers are indexing certificate data:

index=_internal sourcetype=splunkd "CertificateData"

Only some indexers and forwarders report certificate indicators
  • Confirm that you have installed certificates on all indexers and forwarders in your Splunk Enterprise deployment. See Configure Splunk indexing and forwarding to use TLS certificates for additional information and step-by-step instructions.
  • If you use shared certificates, a known issue with Certificate Assist currently prevents it from displaying the same certificate more than once.
No certificates appear in the Search tier Certificate Assist only monitors certificate status on indexers and forwarders. Splunk expects this behavior.
Certificate indicators appear to be stale Splunk Assist logs certificate data every 24 hours from the time that indexers start. If you want to see CertificateData logs, set the time range for your search to at least 24 hours.
Last modified on 02 November, 2022
PREVIOUS
Use App Assist
  NEXT
Use Config Assist

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters