Deployment Architecture

Why can't I get the deployer to push apps to search head cluster members after a new Splunk installation?


Having this same issue now on a brand new Splunk setup (7.2.2). Search head cluster is (3), and (1) deployer. I got everything dialed in, but this command keeps generating the same message. I've tried against the captain, and not a captain — same result.

Running command on the Deployer:

Splunk apply shcluster-bundle -target https://SHCaptainName:8089 -auth admin:secretkey


Error while deploying apps to first member: Error while fetching apps baseline on

target=https://SHCaptainName:8089: Non-200/201 status_code=401; {"messages":[{"type":"WARN","text":"call not properly authenticated"}]}

I tried creating a new folder in /opt/splunk/etc/shcluster/apps/testing/local/outputs.conf

I tried installing an app in /opt/splunk/etc/shcluster/apps/datagovernance

... same results/error/

Splunk shcluster-status shows all the cluster members are good and "up". I can't push an app through the deployer.

Stuck. Help?


0 Karma


Did you resolve your issue? Experiencing the same issue myself. I tried to re-enter the passkey and shcluster label, then restart Splunk service. No luck

0 Karma


I had to editthe pass4SymmKey and restart on the deplyer.

pass4SymmKey = yourKey

But I also had to do do that on the search heads too (and restart). There was no pass4SymmKey value under the shclustering stanza. There was in other parts of the file, but not under that stanza. I added that value and restarted, my apply shcluster bundle command worked just fine.

Put the apps in the /opt/splunk/etc/shcluster/apps directory on the Deployer and identify which search head is the current captain. Then run:

/opt/splunk/bin/splunk apply shcluster-bundle -target https://currentCaptain:8089


Hi @joesrepsolc So for admin:secretkey are you actually using admin:password ?

I just wanted to check that you were not using the secret key from the shclustering stanza but the actual admin password.

pass4SymmKey = yoursecretkey

I always leave off the auth and have it prompt me. That way the password is not in the history.

0 Karma


I've ran this command without the -auth portion... and it doesn't even prompt me for credentials. Instead I get::

Non-200/201 status_code=401; {"messages":[{"type":"WARN","text":"call not properly authenticated"}]}

I've looked at the search head cluster status (splunk show shcluster-status) and everything is up, working great. I've even made a report and dashboard on one cluster member and it's replicating to the other members just fine. I still can't push out an app!!!! Killing me.

Any help would be much appreciated.

0 Karma


Correct. I am using the actual admin password (just using "secretkey" as a placeholder... 🙂 )

I am now checking with networking to see if the replication port between SH's is open. Guessing that may be the next logical step to check.

0 Karma
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...