How to resolve error when installing Splunk Credentials Package (splunkclouduf.spl)?

jamie1
Communicator

Hi There,

I am currently trying to install a Splunk Universal Forwarder on a Linux server (Ubuntu 18.04).

I have installed the forwarder but am receiving the following error when trying to install the credentials package:

Error during app install: failed to extract app from /tmp/splunkcloud.spl to /opt/splunkforwarder/splunkforwarder/var/run/splunk/bundle_tmp/08fff82e60ae81e9: No such file or directory

I transferred the file to the server using WinSCP and I have confirmed that the splunkcloud.spl file exists in the /tmp folder. I have also made sure that the permissions are correct on the directory.

Any help would be appreciated,

Jamie

0 Karma
SinghK
Builder
0 Karma

jamie1
Communicator

It's a normal Linux server and the first link you sent (https://www.splunk.com/en_us/download/universal-forwarder.html?locale=en_us&_ga=2.140976370.15623588....) is the guide that I have been following.

I get to step 5 and then it throws the error.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

Have you already been running the UF before installing that package? If not, do the next steps:

  1. Download the UF (not the connection package)
  2. Install it
  3. Start it as the desired user
    1. It creates an admin user with a password selected by you
  4. Stop it
  5. Enable boot-start as the splunk user, by root
  6. Start it
  7. Install the connection package which you have downloaded from the Splunk Cloud site
  8. Restart splunkforwarder

r. Ismo 

0 Karma

jamie1
Communicator

Hi There,

I stopped the service, enabled the bootstart for the splunk user, started it again and received the same error.

Jamie

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Which user are you running splunk as, and which user are you trying to install it with (both OS and splunk internal)?

0 Karma

jamie1
Communicator

I'm using the root user to run the command and the splunk local account for the credentials. Ideally I don't want to switch accounts as it will require me to fiddle with our MFA software to allow the local user to sign in.

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Ok, this explains the error. If you don’t want to switch to the real user which is running splunkd, then you must stop splunk, then extract that package to the correct directory, change those files to be owned by the splunk user and then start splunk again.

What I have seen is that you shouldn’t use a user other than splunk to install apps with

splunk install app too.spl

Have you tried to use

sudo -u splunk bash

to switch to your splunk user? I think that this doesn’t need to use MFA?
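
The advice in the answer above, as an added shell example that is not part of the original thread: it runs the install as the OS account that owns the forwarder directory and first checks for files under etc/apps owned by a different account. The default SPLUNK_HOME path and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumption: SPLUNK_HOME defaults to
# /opt/splunkforwarder; function names are hypothetical.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Print the OS account that owns a path (GNU stat, as on Ubuntu).
owner_of() { stat -c '%U' "$1"; }

# List everything under directory $1 that is NOT owned by account $2,
# e.g. app files left behind by an earlier install run as root.
foreign_owned() { find "$1" ! -user "$2" -print; }

# Print the prefix needed to act as owner $1 when running as $2:
# nothing if they match, otherwise "sudo -u <owner>".
run_as_prefix() { [ "$1" = "$2" ] || printf 'sudo -u %s' "$1"; }

install_pkg() {
  pkg="$1"
  owner="$(owner_of "$SPLUNK_HOME")" || return 1
  prefix="$(run_as_prefix "$owner" "$(id -un)")"
  # The package must be readable by the owner, not only by whoever copied it.
  if ! $prefix test -r "$pkg"; then
    echo "$pkg is not readable by $owner" >&2; return 1
  fi
  stray="$(foreign_owned "$SPLUNK_HOME/etc/apps" "$owner")"
  if [ -n "$stray" ]; then
    printf 'not owned by %s:\n%s\n' "$owner" "$stray" >&2; return 1
  fi
  # The CLI prompts for the Splunk-internal credentials; restart afterwards.
  $prefix "$SPLUNK_HOME/bin/splunk" install app "$pkg" &&
    $prefix "$SPLUNK_HOME/bin/splunk" restart
}

# Run only when a package path is given: ./install_as_owner.sh /tmp/app.spl
if [ $# -gt 0 ]; then install_pkg "$1"; fi
```
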

jamie1
Communicator

Hi There,

Switching to the splunk account using the command you recommended worked; however, I had to add it to sudoers.

Would I be safe to remove the splunk account from sudoers or is it better to leave it there?

Jamie

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Personally I prefer to keep it there, with a minimum of users able to switch to it. Usually you should have some automation and configuration management system which is handling these.

jamie1
Communicator

Thanks for your help!!

0 Karma

SinghK
Builder

I am not sure what your architecture is, but use the .rpm; it uses command-line installation. You have all the steps listed here.

https://docs.splunk.com/Documentation/Forwarder/9.0.4/Forwarder/Installanixuniversalforwarder 

0 Karma

jamie1
Communicator

The forwarder is already installed, the error is with the credentials package.

0 Karma

SinghK
Builder

I would recommend uninstalling and reinstalling using the link I sent.

0 Karma

jamie1
Communicator

The service appears to be functioning normally, so I'm not sure why uninstalling and reinstalling the forwarder would make a difference?

0 Karma