Hi There,
I am currently trying to install a Splunk Universal Forwarder on a Linux server (Ubuntu 18.04).
I have installed the forwarder but am receiving the following error when trying to install the credentials package:
Error during app install: failed to extract app from /tmp/splunkcloud.spl to /opt/splunkforwarder/splunkforwarder/var/run/splunk/bundle_tmp/08fff82e60ae81e9: No such file or directory
I transferred the file to the server using WinSCP and I have confirmed that the splunkcloud.spl file exists in the /tmp folder. I have also made sure that the permissions are correct on the directory.
Any help would be appreciated,
Jamie
If it's a normal Linux server, use
https://www.splunk.com/en_us/download/universal-forwarder.html?locale=en_us
Otherwise, if this is a Splunk Cloud instance, then check the article below:
https://docs.splunk.com/Documentation/Forwarder/9.0.4/Forwarder/ConfigSCUFCredentials
It's a normal Linux server and the first link you sent (https://www.splunk.com/en_us/download/universal-forwarder.html?locale=en_us&_ga=2.140976370.15623588....) is the guide that I have been following.
I get to step 5 and then it throws the error.
Hi
Have you already been running the UF before installing that package? If not, do the next steps
r. Ismo
Hi There,
I stopped the service, enabled the bootstart for the splunk user, started it again and received the same error.
Jamie
Which user are you running Splunk as, and which user are you trying to install it with (both OS and Splunk internal)?
I'm using the root user to run the command and the splunk local account for the credentials. Ideally I don't want to switch accounts as it will require me to fiddle with our MFA software to allow the local user to sign in.
Ok, this explains the error. If you don’t want to switch to the real user that is running splunkd, then you must stop Splunk, extract that package to the correct directory, change those files to be owned by the splunk user and then start Splunk again.
What I have seen is that you shouldn’t use any user other than splunk to install apps with
splunk install app too.spl
Have you tried to use
sudo -u splunk bash
to switch to your splunk user? I think that this doesn’t need to use MFA?
Hi There,
Switching to the splunk account using the command you recommended worked; however, I had to add it to sudoers.
Would I be safe to remove the splunk account from sudoers or is it better to leave it there?
Jamie
Personally I prefer to keep it there, with a minimum of users able to switch to it. Usually you should have some automation and configuration management system handling these.
Thanks for your help!!
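As an added example (not written by any poster in this thread and not Splunk's own code), these sh functions implement the check behind the advice above: find which account owns the forwarder tree, list paths left behind by a different account, and run `splunk install app` as the owner. The function names and the `/opt/splunkforwarder` default for `SPLUNK_HOME` are assumptions.

```shell
#!/bin/sh
# Added example: install a Splunk app package as the account that owns the
# forwarder tree rather than as root. Function names are hypothetical.
# Assumption: the forwarder lives in /opt/splunkforwarder unless SPLUNK_HOME is set.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Print the numeric uid that owns a path (parses `ls -ldn`, so no GNU stat needed).
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# List every path under $1 that is NOT owned by uid $2. Anything printed was
# written by a different account and should be chown'ed back before a restart.
foreign_files() {
    find "$1" ! -user "$2" -print
}

# Decide how the install has to be run for the tree in $1. Prints:
#   direct       the current user already owns the tree
#   sudo:<uid>   the command must be run through sudo -u '#<uid>'
install_mode() {
    want=$(owner_uid "$1")
    if [ "$(id -u)" = "$want" ]; then
        echo direct
    else
        echo "sudo:$want"
    fi
}

# Run `splunk install app <package>` as the owner of $SPLUNK_HOME.
# The package file must be readable by that account.
install_app_as_owner() {
    pkg=$1
    case $(install_mode "$SPLUNK_HOME") in
        direct) "$SPLUNK_HOME/bin/splunk" install app "$pkg" ;;
        sudo:*) sudo -u "#$(owner_uid "$SPLUNK_HOME")" \
                    "$SPLUNK_HOME/bin/splunk" install app "$pkg" ;;
    esac
}

# Typical use, after sourcing this file:
#   foreign_files "$SPLUNK_HOME" "$(owner_uid "$SPLUNK_HOME")"
#   install_app_as_owner /tmp/splunkcloud.spl
```

With this pattern the sudoers entry that matters is the one letting the administrator run commands as the forwarder's owner; that account itself is only the target of `sudo -u`.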
I am not sure what your architecture is, but use the .rpm; it uses command-line installation. You have all the steps listed here.
https://docs.splunk.com/Documentation/Forwarder/9.0.4/Forwarder/Installanixuniversalforwarder
The forwarder is already installed, the error is with the credentials package.
I would recommend uninstalling and reinstalling using the link I sent.
The service appears to be functioning normally, so I'm not sure why uninstalling and reinstalling the forwarder would make a difference?