Splunk® Enterprise

Monitoring Splunk Enterprise

Splunk announces the end-of-life for Splunk Assist

On August 8, 2024, Splunk announced that it is ending its support of the Splunk Assist service. The service lets users of Splunk Enterprise gain insight into their deployments using Splunk Cloud Platform technologies.

This end-of-life announcement for Splunk Assist does not affect users of Splunk Cloud Platform in any way. Splunk Cloud Platform remains a fully supported product with no plans to curtail or end its support. The announcement applies specifically to the Splunk Assist service, which uses Splunk Cloud Platform to provide monitoring insights for Splunk Enterprise users who have activated the service.

As of September 10, 2024, Splunk has reached end-of-sale and ended activations for the service. This means you can no longer activate Splunk Assist. Splunk will officially sunset the service on January 30, 2025.

Why is Splunk ending support for Splunk Assist?

Splunk routinely examines its product offerings to ensure that those offerings provide an optimal experience for its customers, whether they use the Splunk platform on-premises or through its cloud subscriptions. A thorough review determined that Splunk could use the resources that it dedicated to Splunk Assist on further development of Monitoring Console to offer similar functionality without the need for an internet connection.

What does "end of sale" mean for Splunk Assist?

End of sale, which is the ending of activations, means that Splunk will no longer accept new activations to use the service in Splunk Enterprise.

If you activated Splunk Assist prior to this date, you can continue to use the Splunk Cloud Platform-powered insights to gain knowledge into your Splunk Enterprise environment until Splunk Assist reaches its end-of-life date. The service will continue to function normally until the end-of-life date, and if you experience problems using the service, you can continue to contact Splunk Support for assistance.

Currently, the end of sale date for Splunk Assist is September 10, 2024.

What does "end of life" mean for Splunk Assist?

End of life for Splunk Assist means that the service will stop functioning, and you can no longer use the service to gain monitoring insights into your Splunk Enterprise deployment.

The sunset of Splunk Assist does not affect your Splunk Enterprise deployment in any way beyond Splunk Assist no longer functioning. You do not have to do anything to your Splunk Enterprise deployment in anticipation of the sunsetting of Splunk Assist. The service stops on its own on the end-of-life date.

Currently, the end-of-life date for Splunk Assist is January 30, 2025.

I used Splunk Assist in my Splunk Enterprise environment. What alternatives do I have to get that information?


If you used Splunk Assist to monitor your Splunk Enterprise deployment, consider the following alternatives for the various Splunk Assist components, as described in the following table:

| Splunk Assist Component | Alternative |
| --- | --- |
| App Assist - monitoring of installed Splunk apps | Alternatives to using App Assist |
| Certificate Assist - monitoring of certificates on Universal Forwarders | Alternatives to using Certificate Assist |
| Config Assist - monitoring of Splunk Enterprise configurations | Alternatives to using Config Assist |

Alternatives to using App Assist

You can use the Manage Apps page in Splunk Web to view a list of installed apps with their app versions. If the instance has access to the Internet, it can check Splunkbase for updates. If an update exists for an app, the Manage Apps page displays an update link for each app that has an available updated version. For more information on managing apps, see Managing app and add-on properties.

Alternatively, you can use the following Splunk search to compile a list of the apps and app versions that are present across a deployment. App Assist uses this specific search for its App Search indicator. The table it generates shows each app, its version, and the instances on which it is installed.

| rest /services/apps/local splunk_server=* | where disabled=0 and version!="" | eval app_id=title, app_version=version, app_name=label | join splunk_server [rest /services/server/info splunk_server=* | where NOT (like(server_roles, "%shc_deployer") or like(server_roles, "%shc_member") or (like(server_roles, "%search_peer") and (like(server_roles, "%cluster_peer") or like(server_roles, "%cluster_slave"))))] | fields app_id,app_name,app_version,label,splunk_server,server_roles | sort app_id

Alternatives to using Certificate Assist

You can use the following Splunk search to get a list of the certificate data for your deployment. Certificate Assist uses this specific search for its TLS Certificate Expiration indicator.

index=_internal CertificateData | stats latest(_raw) by _time,nodeType,subject,notValidBefore,notValidAfter,issuer,hostname,serial,sha256_fingerprint | fields nodeType,subject,notValidBefore,notValidAfter,issuer,hostname,serial,sha256_fingerprint | sort -_time | dedup hostname,sha256_fingerprint

When you run the search, it generates several fields for each certificate it finds. It de-duplicates the certificates by hostname and SHA-256 fingerprint.

The important field that the search generates is notValidAfter. Compare this date to the current date. If the notValidAfter date for a certificate is in the past or within one week, the certificate has a Critical status. If it is within a month, the certificate has a Warning status.
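The following Python script is an added example, not part of this documentation or of Splunk Assist, that applies the Critical/Warning rule above to rows shaped like the search output. The sample rows are constructed, the notValidAfter timestamp format (ISO 8601 UTC) is an assumption, and "within a month" is taken as 30 days because the page does not define it; adjust parse_ts() to match the timestamp format your CertificateData events actually use.

```python
"""Classify certificate expiry from notValidAfter, as the text above describes (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like the output of the Certificate Assist search above.
# The notValidAfter format is an assumption (ISO 8601 UTC); adjust parse_ts() if your
# CertificateData events use a different timestamp format.
SAMPLE_ROWS = [
    {"hostname": "fwd-01.example.test", "sha256_fingerprint": "aa11", "notValidAfter": "2025-01-10T00:00:00Z"},
    {"hostname": "fwd-02.example.test", "sha256_fingerprint": "bb22", "notValidAfter": "2025-01-25T00:00:00Z"},
    {"hostname": "fwd-03.example.test", "sha256_fingerprint": "cc33", "notValidAfter": "2024-12-31T00:00:00Z"},
    {"hostname": "fwd-04.example.test", "sha256_fingerprint": "dd44", "notValidAfter": "2026-01-01T00:00:00Z"},
    # Same host and fingerprint reported twice: de-duplicated like the search's dedup command.
    {"hostname": "fwd-01.example.test", "sha256_fingerprint": "aa11", "notValidAfter": "2025-01-10T00:00:00Z"},
]

# Fixed "current date" so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2025, 1, 5, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2025-01-10T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def expiry_status(not_valid_after, now):
    """Critical when expired or expiring within one week, Warning within a month, else ok.

    'Within a month' is taken as 30 days here (assumption; the page does not define it).
    """
    remaining = not_valid_after - now
    if remaining <= timedelta(weeks=1):
        return "critical"
    if remaining <= timedelta(days=30):
        return "warning"
    return "ok"


def dedup(rows):
    """Keep the first row per (hostname, sha256_fingerprint); rows are assumed newest-first."""
    seen, out = set(), []
    for row in rows:
        key = (row["hostname"], row["sha256_fingerprint"])
        if key not in seen:
            seen.add(key)
            out.append(row)
    return out


def classify(rows, now=NOW):
    """Return {(hostname, fingerprint): status} for every distinct certificate."""
    return {
        (r["hostname"], r["sha256_fingerprint"]): expiry_status(parse_ts(r["notValidAfter"]), now)
        for r in dedup(rows)
    }


def report(rows=SAMPLE_ROWS, now=NOW):
    """Statuses for the sample, worst first, so the output reads like an indicator list."""
    order = {"critical": 0, "warning": 1, "ok": 2}
    return sorted(classify(rows, now).items(), key=lambda kv: (order[kv[1]], kv[0]))


if __name__ == "__main__":
    for (host, fp), status in report():
        print(f"{status:8s} {host} {fp}")
```

The boundary is inclusive on both thresholds (exactly seven days remaining is Critical, exactly 30 days is Warning), which errs on the side of raising a renewal earlier rather than later.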

Alternatives to using Config Assist

If you are a Splunk administrator, you can view, validate, and edit configuration files in the $SPLUNK_HOME/etc/system/local directory.

Config Assist indicators take their names in part from the configuration file, stanza header, and setting name that they reference. See the following table for examples.

| Name | .conf file | Stanza | Setting Name |
| --- | --- | --- | --- |
| assist-config.web.settings.sslVersions | web.conf | [settings] | sslVersions |
| assist-config.authentication.splunk_auth.minPasswordLowercase | authentication.conf | [splunk_auth] | minPasswordLowercase |

Each indicator determines whether or not the value for the setting that its name references matches the recommended, or conforming, value for that setting in the configuration file. If the setting value does not match the recommended value, then the indicator produces either a Warning or Critical status depending on how the indicator is set up.

Config Assist uses the properties REST API endpoint to confirm recommended setting values for indicators. You can also view and make changes to configuration settings by running the following command from a command line:

curl -u <splunk user>:<splunk password> https://localhost:8089/services/properties/{conf file}/{stanza}/{setting name}

For more information about the properties REST API endpoint, see properties/{file}/{stanza}/{key}.

The following table lists the indicators that come with Config Assist. It lists the indicator name, what it checks for in your Splunk Enterprise configuration, the recommended value for the indicator, and the severity status that it generates if the current value is outside of the recommended value.

| Name | Description / Action | Conforming Value | Severity Status |
| --- | --- | --- | --- |
| assist-config.authentication.splunk_auth.forceWeakPasswordChange | Whether or not Splunk platform instances have been configured to force users to change weak passwords. Force users to change weak passwords to increase security. | true | critical |
| assist-config.authentication.splunk_auth.minPasswordDigit | The number of digits in a user password. | >=1 | warning |
| assist-config.authentication.splunk_auth.minPasswordLowercase | The number of lowercase characters in a user password. | >=1 | warning |
| assist-config.authentication.splunk_auth.minPasswordSpecial | The number of special characters in a user password. | >=1 | warning |
| assist-config.authentication.splunk_auth.minPasswordUppercase | The number of uppercase characters in a user password. | >=1 | warning |
| assist-config.authentication.splunk_auth.verboseLoginFailMsg | Whether or not verbose login messages are active on an instance. Verbose login messages can reveal information that is useful for attackers. | false | warning |
| assist-config.inputs.splunktcp-ssl.disabled | Whether or not Splunk Enterprise uses the TLS/SSL connection type over the specified port. Install and configure TLS certificates between forwarders and indexers for increased security levels. Confirm that the 'disabled' setting for each [splunktcp-ssl] network input stanza is off. | 0 | warning |
| assist-config.inputs.SSL.serverCert | The location of the server certificate on the Splunk platform instance. This is the certificate that the machine uses to support inbound connections over TLS/SSL. You can specify either the absolute path to the certificate, such as /opt/splunk/etc/auth/mycerts/myServerCert.pem, or a relative path, such as etc/auth/mycerts/myServerCert.pem. The instance uses the Splunk platform instance installation directory. | Not empty | warning |
| assist-config.restmap.global.allowGetAuth | The number of instances that are configured to allow credentials within HTTP GET arguments. Allowing username/password in HTTP GET arguments increases the risk of a credential leak. To increase security levels, give this setting a value of "false". | false | critical |
| assist-config.restmap.global.requireAuthentication | Whether or not Splunk platform instances have been configured to enable the 'authentication' REST endpoint. Enable the authentication REST endpoint to prevent unauthorized access to the Splunk platform instance. | true | critical |
| assist-config.server.general.legacyCiphers | The state of legacy cipher configurations on Splunk platform instances. Enable the use of strong crypto algorithms for encrypting and decrypting configuration. Confirm that the Splunk platform instance runs a version of software at or above 7.2, which supports the v2 configuration. | disabled | warning |
| assist-config.server.kvstore.sslVerifyServerCert | Evaluates the state of TLS certificate requirements for App Key Value Store. Enable TLS certificate requirements for App Key Value Store to increase security levels. Disabling TLS certificate requirements can increase the compromise risk of the Splunk platform instance. Update the setting to match the recommendation. Configure the proper certificates on the Splunk platform instance and enable the 'sslVerifyServerCert' setting in the server.conf configuration file. | true | critical |
| assist-config.server.kvstore.sslVerifyServerName | Evaluates the state of TLS certificate host name validation for App Key Value Store. Enable TLS certificate host name validation for App Key Value Store to increase security levels. Disabling TLS host name validation can increase the compromise risk of the Splunk platform instance. Update the setting to match the recommendation. Configure the proper certificates on the Splunk platform instance and enable the 'sslVerifyServerCert' and 'sslVerifyServerName' settings in the server.conf configuration file. | true | warning |
| assist-config.server.node_auth.signatureVersion | This indicator monitors the state of authentication signature version configurations on Splunk platform instances. Enable the use of strong cryptography algorithms for authentication between instances. A value of "v2" means that instances that do not support version v2, such as those that run versions of Splunk Enterprise that are lower than 7.2, can't communicate with this instance. | v2 | critical |
| assist-config.server.pythonSslClientConfig.sslVerifyServerCert | This indicator evaluates the state of TLS certificate requirements for Python connections. Enable TLS certificate verification requirements for Python to increase security levels. Not requiring TLS certificates can increase the compromise risk of the Splunk platform instance. | true | critical |
| assist-config.server.pythonSslClientConfig.sslVerifyServerName | This indicator evaluates the state of TLS certificate host name validation for Python connections. Enable TLS certificate host name validation for Python to increase security levels. Leaving TLS certificate host name validation disabled can increase the compromise risk of the Splunk platform instance. Update the setting to match the recommendation. Configure the proper certificates on the Splunk platform instance and enable the 'PYTHONHTTPSVERIFY' setting in splunk-launch.conf, and the 'sslVerifyServerCert' and 'sslVerifyServerName' settings in the server.conf configuration file. | true | warning |
| assist-config.server.sslConfig.cipherSuite | This indicator evaluates the status of security ciphers configured on your Splunk platform instances. Stronger ciphers increase security levels. | ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256 | warning |
| assist-config.server.sslConfig.enableSplunkSSL | This indicator evaluates the TLS configurations on your Splunk platform instances. Enable TLS for Splunk platform management and App Key Value Store services for increased security. Disabling TLS increases the compromise risk of the Splunk platform instance. | true | critical |
| assist-config.server.sslConfig.sslRootCAPath | This indicator evaluates whether a root certificate or certificate chain has been configured on your Splunk platform instances. If you do not configure this setting, the Splunk platform uses the 'caCertFile' setting, which is deprecated and references an insecure certificate that Splunk ships with the software. Using the default certificates can increase the compromise risk of the Splunk platform instance. Configure the correct location of the server certificate. | Not empty | warning |
| assist-config.server.sslConfig.sslVerifyServerCert | This indicator evaluates the state of TLS certificate requirements on your Splunk platform instances. Enable TLS certificate requirements for Splunk management and App Key Value Store services to increase security of communications between those services. Failure to enable certificate requirements can increase the compromise risk of the Splunk platform instance. | true | critical |
| assist-config.server.sslConfig.sslVerifyServerName | This indicator evaluates the state of TLS certificate host name validation on your Splunk platform instances. Use the 'sslVerifyServerName' setting to enable certificate host name validation and ensure that only instances with correct certificate hostnames connect to each other. Disabling TLS host name validation can increase the compromise risk of the Splunk platform instance. | true | warning |
| assist-config.server.sslConfig.sslVersions | This indicator evaluates the state of TLS version configurations on your Splunk platform instances. The latest version of TLS mitigates known security vulnerabilities. | tls1.2 | critical |
| assist-config.web.settings.cipherSuite | This indicator monitors the state of cipher suites for which Splunk platform instances have been configured. Stronger ciphers increase security levels. | ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 | warning |
| assist-config.web.settings.enable_insecure_login | This indicator monitors whether or not Splunk platform instances have been configured for insecure user logins. Disable insecure user login that uses a REST endpoint that is based on the HTTP GET method. | false | critical |
| assist-config.web.settings.enableSplunkWebSSL | This indicator assesses whether or not Splunk platform instances have been configured to use TLS for Splunk Web. Enable TLS for the Splunk Web service to increase security levels. | true | critical |
| assist-config.web.settings.sslVersions | This indicator monitors the configuration of TLS versions on each Splunk platform instance. The latest version of TLS mitigates known security vulnerabilities. | tls1.2 | critical |
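The Python script below is an added example, not Splunk's code and not how Config Assist is implemented. It shows the mechanics described above for a subset of the indicators in the table: it derives the .conf file, stanza and setting from an indicator name, builds the matching properties REST endpoint URL, compares a current value with the conforming value using the three comparison kinds the table uses (exact value, ">=N", "Not empty"), and returns the indicator's severity on mismatch. The SAMPLE_VALUES dictionary is constructed; comparing cipher suite lists as unordered sets and treating a missing setting as non-conforming are assumptions. Note that an indicator name such as assist-config.inputs.splunktcp-ssl.disabled names a stanza family rather than one stanza, so for inputs.conf you would query each concrete [splunktcp-ssl:<port>] stanza instead of the derived path.

```python
"""Evaluate Config Assist-style indicators against configuration values (added example)."""
import base64
import re
import ssl
import urllib.request

# A subset of the indicator table above: name -> (conforming value, severity on mismatch).
INDICATORS = {
    "assist-config.authentication.splunk_auth.forceWeakPasswordChange": ("true", "critical"),
    "assist-config.authentication.splunk_auth.minPasswordDigit": (">=1", "warning"),
    "assist-config.inputs.SSL.serverCert": ("Not empty", "warning"),
    "assist-config.restmap.global.allowGetAuth": ("false", "critical"),
    "assist-config.server.sslConfig.sslVersions": ("tls1.2", "critical"),
    "assist-config.web.settings.cipherSuite": (
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
        "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256", "warning"),
    "assist-config.web.settings.enableSplunkWebSSL": ("true", "critical"),
}


def parse_indicator(name):
    """'assist-config.web.settings.sslVersions' -> ('web', 'settings', 'sslVersions')."""
    prefix, conf, stanza, setting = name.split(".", 3)
    if prefix != "assist-config":
        raise ValueError(f"not a Config Assist indicator name: {name}")
    return conf, stanza, setting


def properties_path(name, host="localhost", port=8089):
    """URL of the properties REST endpoint for the setting an indicator references."""
    conf, stanza, setting = parse_indicator(name)
    return f"https://{host}:{port}/services/properties/{conf}/{stanza}/{setting}"


def conforms(actual, expected):
    """Compare a current setting value with the conforming value from the table."""
    if actual is None:
        return False          # setting not present: treated as non-conforming (assumption)
    actual = actual.strip()
    if expected == "Not empty":
        return actual != ""
    m = re.fullmatch(r">=(\d+)", expected)
    if m:
        return actual.isdigit() and int(actual) >= int(m.group(1))
    if ":" in expected:       # cipher suite list: order-insensitive set comparison (assumption)
        return set(actual.split(":")) == set(expected.split(":"))
    return actual.lower() == expected.lower()


def evaluate(values):
    """values: {indicator name: current value or None}. Returns {indicator name: status}."""
    return {name: "ok" if conforms(values.get(name), expected) else severity
            for name, (expected, severity) in INDICATORS.items()}


def fetch_value(name, user, password, host="localhost", port=8089, cafile=None):
    """GET the setting through the properties endpoint; the response body is the raw value.

    The instance's TLS certificate must be trusted by this client (pass cafile for a private CA).
    Not called by the offline example below.
    """
    req = urllib.request.Request(properties_path(name, host, port))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


# Constructed sample, as if read from one instance's properties endpoint.
SAMPLE_VALUES = {
    "assist-config.authentication.splunk_auth.forceWeakPasswordChange": "true",
    "assist-config.authentication.splunk_auth.minPasswordDigit": "0",
    "assist-config.inputs.SSL.serverCert": "",
    "assist-config.restmap.global.allowGetAuth": "true",
    "assist-config.server.sslConfig.sslVersions": "tls1.1,tls1.2",
    # Same ciphers as the conforming value, listed in a different order.
    "assist-config.web.settings.cipherSuite":
        "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
        "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384",
    "assist-config.web.settings.enableSplunkWebSSL": "false",
}


if __name__ == "__main__":
    for name, status in evaluate(SAMPLE_VALUES).items():
        print(f"{status:8s} {name}  ({properties_path(name)})")
```

To run it against a live instance, replace SAMPLE_VALUES with a dictionary built by calling fetch_value() for each indicator name with a read-only account; the endpoint returns the effective value after layering, so a setting left unset in $SPLUNK_HOME/etc/system/local still reports the default it inherits.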

What if I have further questions?

You can continue to contact Splunk Support for assistance with using Splunk Assist until the end-of-life date.

After the end-of-sale date, support for Splunk Assist is limited in nature. This means that no new development or bug fixes will occur.

Until the end-of-life date, you can also contact your Sales representative. They can answer additional questions that you might have.

Last modified on 11 September, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1