Deployment Architecture

Why can't I get the deployer to push apps to search head cluster members after a new Splunk installation?


Having this same issue now on a brand new Splunk setup (7.2.2). Search head cluster is (3), and (1) deployer. I got everything dialed in, but this command keeps generating the same message. I've tried against the captain, and not a captain — same result.

Running command on the Deployer:

splunk apply shcluster-bundle -target https://SHCaptainName:8089 -auth admin:secretkey


Error while deploying apps to first member: Error while fetching apps baseline on target=https://SHCaptainName:8089: Non-200/201 status_code=401; {"messages":[{"type":"WARN","text":"call not properly authenticated"}]}

I tried creating a new folder in /opt/splunk/etc/shcluster/apps/testing/local/outputs.conf

I tried installing an app in /opt/splunk/etc/shcluster/apps/datagovernance

... same results/error/

Splunk shcluster-status shows all the cluster members are good and "up". I can't push an app through the deployer.

Stuck. Help?


0 Karma


Did you resolve your issue? Experiencing the same issue myself. I tried to re-enter the passkey and shcluster label, then restart Splunk service. No luck.

0 Karma


I had to edit the pass4SymmKey and restart on the deployer.

pass4SymmKey = yourKey

But I also had to do that on the search heads too (and restart). There was no pass4SymmKey value under the shclustering stanza. There was in other parts of the file, but not under that stanza. I added that value and restarted, and my apply shcluster bundle command worked just fine.

Put the apps in the /opt/splunk/etc/shcluster/apps directory on the Deployer and identify which search head is the current captain. Then run:

/opt/splunk/bin/splunk apply shcluster-bundle -target https://currentCaptain:8089
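
The reply above found pass4SymmKey set elsewhere in the file but missing under the shclustering stanza. As an added example (not part of the original thread and not Splunk tooling), this shell function checks a server.conf for exactly that condition without printing the key; the exit-code convention and the sample file contents are assumptions made for the illustration.

```shell
#!/bin/sh
# check_shc_key FILE
# Exit status (this example's own convention):
#   0  pass4SymmKey is set under [shclustering]
#   1  [shclustering] exists but has no pass4SymmKey
#   2  no [shclustering] stanza in the file
#   3  file not readable
# The key value is never printed.
check_shc_key() {
    [ -r "$1" ] || return 3
    awk '
        /^[ \t]*\[/ {                      # stanza header, e.g. [shclustering]
            stanza = $0
            gsub(/^[ \t]*\[|\][ \t\r]*$/, "", stanza)
            if (stanza == "shclustering") seen = 1
            next
        }
        # Only count a non-empty key that sits under [shclustering];
        # commented-out lines start with "#" and do not match.
        stanza == "shclustering" && /^[ \t]*pass4SymmKey[ \t]*=[ \t]*[^ \t\r]/ { found = 1 }
        END { exit (found ? 0 : (seen ? 1 : 2)) }
    ' "$1"
}

# Constructed sample: the key exists under [general] but not under
# [shclustering], the situation described in the reply above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[general]
serverName = sh1
pass4SymmKey = CONSTRUCTED_PLACEHOLDER

[shclustering]
shcluster_label = shcluster1
EOF

rc=0
check_shc_key "$sample" || rc=$?
case $rc in
    0) echo "pass4SymmKey is set under [shclustering]" ;;
    1) echo "[shclustering] has no pass4SymmKey" ;;
    2) echo "no [shclustering] stanza" ;;
    *) echo "cannot read file" ;;
esac
rm -f "$sample"
```

Run it against the server.conf on the deployer and on each search head member; a result of 1 or 2 on any of them matches the missing-key condition from the reply.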


Hi @joesrepsolc. So for admin:secretkey, are you actually using admin:password?

I just wanted to check that you were not using the secret key from the shclustering stanza but the actual admin password.

pass4SymmKey = yoursecretkey

I always leave off the auth and have it prompt me. That way the password is not in the history.

0 Karma


I've run this command without the -auth portion... and it doesn't even prompt me for credentials. Instead I get:

Non-200/201 status_code=401; {"messages":[{"type":"WARN","text":"call not properly authenticated"}]}

I've looked at the search head cluster status (splunk show shcluster-status) and everything is up, working great. I've even made a report and dashboard on one cluster member and it's replicating to the other members just fine. I still can't push out an app!!!! Killing me.

Any help would be much appreciated.

0 Karma


Correct. I am using the actual admin password (just using "secretkey" as a placeholder... 🙂 )

I am now checking with networking to see if the replication port between SH's is open. Guessing that may be the next logical step to check.

0 Karma