Installation
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to resolve error when installing Splunk Credentials Package (splunkclouduf.spl)?

jamie1
Communicator
‎06-06-2023 06:48 AM

Hi There,

I am currently trying to install a Splunk Universal Forwarder on a Linux server (Ubuntu 18.04).

I have installed the forwarder but am receiving the following error when trying to install the credentials pacakge:

 

 

Error during app install: failed to extract app from /tmp/splunkcloud.spl to /opt/splunkforwarder/splunkforwarder/var/run/splunk/bundle_tmp/08fff82e60ae81e9: No such file or directory

 

 

I transferred the file to the server using WinSCP and I have confirmed that the splunkcloud.spl file exists in the /tmp folder. I have also made sure that the permissions are correct on the directory.

Any help would be appreciated,

Jamie

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-06-2023 08:00 AM

Ok, this explains the error. If you don’t want to change to real user which are running splunkd, then you must stop splunk, then extract that package to correct directory, change those files to owned by splunk user and then start splunk again.

What I have seen, is that you shouldn’t use other user than splunk to use install apps with 

splunk install app too.spl

Have you try to use

sudo -u splunk bash

 To switch your splunk user? I think that this doesn’t need to use MFA?

View solution in original post

Reply
Solved! Jump to solution

SinghK
Builder
‎06-06-2023 06:56 AM

if its a normal linux server use 

https://www.splunk.com/en_us/download/universal-forwarder.html?locale=en_us

else if this splunk cloud instance then check the article below-

https://docs.splunk.com/Documentation/Forwarder/9.0.4/Forwarder/ConfigSCUFCredentials 

0 Karma
Reply
Solved! Jump to solution

jamie1
Communicator
‎06-06-2023 06:58 AM

It's a normal Linux server and the first link you sent (https://www.splunk.com/en_us/download/universal-forwarder.html?locale=en_us&_ga=2.140976370.15623588....) is the guide that I have been following.

I get to step 5 and then it throws the error.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎06-06-2023 07:08 AM

Hi

have you already running UF before you are installing that package? If not do the next steps

  1. Download UF (not the connection package)
  2. Install it
  3. Start it as desired user
    1. It create admin user with password selected by You
  4. Stop it
  5. Enable bootstart as Splunk User by root
  6. Start it
  7. install connection package which you have downloaded from Splunk Cloud site
  8. Restart splunkforwarder

r. Ismo 

0 Karma
Reply
Solved! Jump to solution

jamie1
Communicator
‎06-06-2023 07:16 AM

Hi There,

I stopped the service, enabled the bootstart for the splunk user, started it again and received the same error.

Jamie

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎06-06-2023 07:44 AM

Which user you are running splunk and which user you try to install it (both os and splunk internal)?

0 Karma
Reply
Solved! Jump to solution

jamie1
Communicator
‎06-06-2023 07:46 AM

I'm using the root user to run the command and the splunk local account for the credentials. Ideally I don't want to switch accounts as it will require me to fiddle with our MFA software to allow the local user to sign in.

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎06-06-2023 08:00 AM

Ok, this explains the error. If you don’t want to change to real user which are running splunkd, then you must stop splunk, then extract that package to correct directory, change those files to owned by splunk user and then start splunk again.

What I have seen, is that you shouldn’t use other user than splunk to use install apps with 

splunk install app too.spl

Have you try to use

sudo -u splunk bash

 To switch your splunk user? I think that this doesn’t need to use MFA?

Reply
Solved! Jump to solution

jamie1
Communicator
‎06-06-2023 08:14 AM

Hi There,

Switching to the splunk account using the command you recommended me worked, however I had to add it to sudoers.

Would I be safe to remove the splunk account from sudoers or is it better to leave it there?

Jamie

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎06-06-2023 08:39 AM

Personally I prefer to keep it there with minimum users to switch to it. Usually you should have some automation and configuration management system which are handling these.

Reply
Solved! Jump to solution

jamie1
Communicator
‎06-06-2023 08:40 AM

Thanks for your help!!

0 Karma
Reply
Solved! Jump to solution

SinghK
Builder
‎06-06-2023 07:01 AM

I am not sure what your architecture is but use .rpm its use command line installation.  you have all the steps listed here. 

https://docs.splunk.com/Documentation/Forwarder/9.0.4/Forwarder/Installanixuniversalforwarder 

0 Karma
Reply
Solved! Jump to solution

jamie1
Communicator
‎06-06-2023 07:06 AM

The forwarder is already installed, the error is with the credentials package.

0 Karma
Reply
Solved! Jump to solution

SinghK
Builder
‎06-06-2023 07:15 AM

I would recommend uninstall and reinstall using the link I sent.

0 Karma
Reply
Solved! Jump to solution

jamie1
Communicator
‎06-06-2023 07:17 AM

The service appears to be functioning normally, so I'm not sure why uninstalling and reinstalling the forwarder would make a difference?

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top