Splunk® Enterprise

Monitoring Splunk Enterprise

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Use Certificate Assist

Certificate Assist gives you insights into the status of the transport layer security (TLS) certificates that you have installed on your Splunk Enterprise instances.

When Certificate Assist loads, the page appears similar to the main Assist page, with indicator severity cards along the top of the page, an overview pane that shows the list of certificates, and a detail pane that shows information on the certificate you select. The name of the pane changes depending on which indicator card you click.

Types of certificates that Splunk Assist collects

Splunk Assist collects indicators on the following types of certificates:

  • Indexers and forwarders: Certificates that secure the management port
  • Search heads: Certificates that secure the management and web server ports

Splunk Assist collects indicators on certificates on forwarders and indexers over a period of the previous 30 days. For search heads, Splunk Assist collects indicators on certificates in real time. When you replace your certificates, you might see the old certificates for forwarders and indexers in Certificate Assist for up to 30 days after you have renewed them.

Review and filter indicator statuses

The indicator tabs filter the list of certificates as follows:

  • All certificates.: Shows all nodes for which Splunk Assist has recorded certificate information.
  • Critical. Shows nodes whose certificates expire within 7 days of the current date, or that have already expired.
  • Warning. Shows nodes whose certificates expire within 30 days of the current date.
  • Conforming. Shows nodes whose certificates are valid for at least 30 days from the current date.

You can filter nodes by entering text into the "Filter nodes" text box within the overview pane. You can also filter by scope by selecting the All scopes drop-down list box next to the filter text field.

To see more information about a node, click the node. The detail pane updates to provide a summary about the node certificate. You can then act on making updates as Certificate Assist advises.

Troubleshoot problems with Certificate Assist

If you encounter problems where Certificate Assist does not display all information about your certificates, reference the following table for common problems and their solutions.

Problem Solution
No certificate indicators appear in the Availability category
  • All indexers must run Splunk Enterprise version 9.0.0 or higher to work with Certificate Assist.
  • You must configure TLS between the forwarders, indexers, and on the Splunk Web and management ports on search heads in your Splunk Enterprise deployment. Splunk Assist can't see the status of certificates on your Splunk Enterprise instances without this in place. See Configure Splunk indexing and forwarding to use TLS certificates for additional information and step-by-step instructions.
  • After you configure TLS on indexers, forwarders, and Splunk Web and management ports on search heads, you can use the following Splunk search to verify that your indexers are indexing certificate data:

index=_internal sourcetype=splunkd "CertificateData"

Only some indexers and forwarders report certificate indicators
  • Confirm that you have installed certificates on all indexers and forwarders in your Splunk Enterprise deployment. See Configure Splunk indexing and forwarding to use TLS certificates for additional information and step-by-step instructions.
  • If you use shared certificates, a known issue with Certificate Assist currently prevents it from displaying the same certificate more than once.
Certificate indicators appear to be stale Splunk Assist logs certificate data every 24 hours from the time that indexers and forwarders start. If you want to see CertificateData logs, set the time range for your search to at least 24 hours. For search heads, Splunk Assist collects information on Splunk Web and management port certificates in real time.
Last modified on 01 August, 2024
Use App Assist   Use Config Assist

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters