Getting Data In

Is there any way in which we can download the apps from splunk base without having to manually download the tar file?



We are planning to automate the Splunk application installation and configuration process for quicker provisioning.

In this scenario, our first step is to install the splunk app from CLI, for which we use this command:

./splunk install app

However it gives an error saying:

Error during app install: failed to extract app from /opt/splunk/var/run/87b95d9a426d8ebd.tar.gz to /opt/splunk/var/run/splunk/bundle_tmp/91801e5fc0eab8b4: No such file or directory

Is there any way in which we can download the apps from splunkbase without having to manually download the tar file.



I script something by myself and I want to share it with you. 


My Inspiration is from @tfrederick74656  but his script dosnt work for me very well.


Happy splunking and let me know if something dosnt work.


0 Karma


This is how it works if you want to script around it.

You'll need 'jq' ... apt-get install jq. 

Get a session key, sessionid is its name.


curl -k -XPOST -D - -d 'username=username&password=password'


View all releases for app


curl -sS -H "X-Auth-Token: token" | jq '.[] | {name}'


View latest release version. Pretty sure index 0 is always the latest


curl -sS -H "X-Auth-Token: token" | jq '.[0] | {name}'


Request version. Note the ?origin=sb query string. Also note, different hostname and different api version.


curl -sS -H "X-Auth-Token: token” -D -\?origin\=sb


http/302 is returned linking to file location. Grab that url with wget.


Fun fact, if you don't know what the appid is for a particular addon and its on splunkbase, you can make a request like so, using the app title (eg folder name) 


curl -k -D -


This will (mostly) return a 302 to the splunkbase url


HTTP/2 302 
content-type: text/html; charset=utf-8



Tags (1)
0 Karma


Building on @mabrafoo's answer, I wrote a standalone script to do this. It allows you to authenticate to Splunkbase and download an app without the need for a separate web browser. Once you have the app.tgz, you can use the standard ./splunk install app <filename> syntax.

0 Karma

Loves-to-Learn Lots



I tried the script and got this:

0Warning: Remote filename has no length!


curl: (23) Failed writing body (0 != 16195)

I also tried forcing the specific URL of an app and got the same result.

Any ideas?

Thank you.

0 Karma


Hi @Luis_Torres,

First, are you specifying the sid and SSOID arguments (example values show below) when running download? You'll get an error message just like this if you don't specify them, if the values are incorrect, or if the session they refer to is expired. All Splunkbase downloads are authenticated, so it's mandatory to supply these. The sid value is case-sensitive alphanumeric, so it can be easy to mistake "0" "o" and "O", for example. The SSOID value should be all hexadecimal (0-9, a-f).


It's also worth double-checking that you actually have permissions to write to the directory where you're saving to. By default, the script will write to your current directory.

If none of that works, can you let me know if this is happening for all apps, or only a single app? If the latter, can you let me know the App ID and App Version you're trying to download?


0 Karma


Seeing these posts being so recent, I was hoping to get this to work. I like this better than the curlfire suggestion as this is possible to completely automate the downloads. So if possible I would like to get this working.

@tfrederick74656 I would like to help if there is still a chance of getting it to work.

0 Karma

New Member

I tried this and had problems.

I experienced the same issue of remote filename has no length.
Where did you find the documentation for the okta/auth endpoint?

When I plugged in the sessionid from my browser and added the cookie 'splunkbase_cookied_policy_accepted=true'
it then worked.

But the sid and SSOID combination with the additional cookie would not work.

Also the script needed if  [ "$1" == "1" ] on line 53 to work correctly.

0 Karma


Here is one way to do it. Use at your own risk.

curlfire will access the firefox cookies so that we can avoid the "please log in to download" message that curl would get.

For this example the app is the splunk add-on for Unix and Linux. The url says it is app 833. These instructions assume we know that the app id number is 833.

After running this command
username@computername:~/Downloads/splunk/curlfire-master$ ./curlfire "" | grep 833 | grep download | grep release

The output is

Now we know the Download URL for the latest version is

Download the file using curlfire (see notes for curlfire chanages to make it work better below)
username@computername:~/Downloads/splunk/curlfire-master$ ./curlfire ""

curl: Saved to filename 'splunk-add-on-for-unix-and-linux_600.tgz'

In order to get the download to work properly, 3 flags were changed when curl was run in the curlfire bash file.

curl -b "$curlcookies" "${args[@]}" ;
curl -O -J -L -b "$curlcookies" "${args[@]}" ;

option -O Write output to a local file name like the remote file
option -J Tell the -O option to use the filename found in the http header
option -L Follow redirects

Also, after looking at a random script that I downloaded from github I usually will change this.


to this.

!/bin/bash -x

in order to display all of the bash scripts commands and their expanded arguments.

And obviously don't forget to change your curl user agent to something common like "I ❤️ splunk."


In order to download Apps from Splunkbase you need to be signed on to Splunkbase. Are you doing anything to sign on?

Personally, I wouldn't recommend automatically installing things that are downloaded fresh off the internet. How do you know it doesn't break your environment?
I'd keep a local repository of known good / fixed versions and install automatically from there.

Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...