Splunk Search

Configure URL in saved search results

dmesler
Explorer

I have SSO working with apache responding to a "splunk" cname. But when splunk emails search results the URL is https://hostname:port/... How can I configure splunk to just use a "https://splunk" url so connections will pass through apache?

Tags (1)
0 Karma

njdove
New Member

I solved this problem in my Apache SSO setup - Splunk e-mail alerts contained http://hostname:8000/app/ rather than https://hostname/app/. I was unable to convince Splunk to change its URL, but I was successful in configuring Apache to redirect the broken URLs to the correct location.

First I configured Splunk to listen only on the loopback address in /usr/local/splunk/etc/system/local/web.conf:

server.socket_host = 127.0.0.1

Then I added a VirtualHost to Apache listening on the public IP, port 8000 to redirect to the correct URL. In RHEL/CENTOS' /etc/httpd/conf.d/vhost-splunk-redirect.conf:

Listen 192.168.0.1:8000
NameVirtualHost 192.168.0.1:8000

<VirtualHost 192.168.0.1:8000>
    RewriteEngine On
    RewriteRule .* https://hostname.com%{REQUEST_URI} [R,L]
</VirtualHost>

With this configuration Splunk alert URLs redirect to their equivalent, functional SSO/SSL URLs.

0 Karma

southeringtonp
Motivator

In alert_actions.conf:

hostname=splunk.yourdomain.com
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...