I'm working on building a remote deployment for the Splunk Universal Forwarder with PDQ Deploy on our Windows 10 computers. I can run the initial splunk forwarder .msi installation without issue, but when I try to run the .spl file to sync the computer to our Splunk cloud environment, it errors out every time.
The command I'm using works fine when I run it locally, but I get "login failed" when I run it through PDQ.
cd "C:\Program Files\SplunkUniversalForwarder\bin"
splunk install app \splunkclouduf.spl -auth username:password
Is there a tweak I can make to the command or another way to accomplish the sync to our cloud environment?
Thanks in advance!
I am having this same issue. Were you able to resolve it? If so, what steps did you take?
What I ended up doing was copying the .spl file here (after creating the Desktop folder) C:\Program Files\SplunkUniversalForwarder\bin\Desktop.
Then I copy the applicable Forwarder Management app folders here: C:\Program Files\SplunkUniversalForwarder\etc\apps. The best way I found was to compare the folders on your test machine to a computer that you previously set up "correctly," and then copy over any missing folders. These will generally be the same folders every time.
Then I open an administrator command prompt and run these commands:
cd "C:\Program Files\SplunkUniversalForwarder\bin"
splunk restart
Once the last command finishes, you should be good to go.
My PDQ deployment looks like this:
Step 1: Install Universal Forwarder
Step 2: PowerShell script
New-Item -ItemType "directory" -Path "C:\Program Files\SplunkUniversalForwarder\bin\Desktop"
Step 3: File Copy- Copy .spl file into the folder created in step 2.
Step 4: File Copy- Copy any needed app folders into here (if multiple app folders need to be copied over, each folder will be its own step in PDQ):
C:\Program Files\SplunkUniversalForwarder\etc\apps
Step 5: Command Prompt-
cd "C:\Program Files\SplunkUniversalForwarder\bin"
splunk restart
Hope this is helpful!
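Steps 2 to 5 of the PDQ deployment above, combined into one PowerShell step that stops on the first failure and reports a failed restart to PDQ. This is an added example, not part of the original post; the staging folder `$Source` and its layout (the .spl file plus an `apps` subfolder) are assumptions.

```powershell
# Added example: steps 2-5 of the post above as a single PowerShell step.
# $Source is a hypothetical staging folder (assumption) that holds
# splunkclouduf.spl and an "apps" subfolder with the app folders to copy.
param(
    [string]$Source = '\\fileserver\deploy\splunk'   # placeholder path
)
$ErrorActionPreference = 'Stop'   # any failed copy aborts the step

$ufHome  = 'C:\Program Files\SplunkUniversalForwarder'
$desktop = Join-Path $ufHome 'bin\Desktop'
$apps    = Join-Path $ufHome 'etc\apps'
$splunk  = Join-Path $ufHome 'bin\splunk.exe'

# Refuse to continue if the .msi install (step 1) has not run yet.
if (-not (Test-Path $splunk)) {
    throw "Universal Forwarder not found at $ufHome; run the .msi step first."
}

# Step 2: create the Desktop folder (-Force makes a re-run harmless).
New-Item -ItemType Directory -Path $desktop -Force | Out-Null

# Step 3: copy the .spl file into that folder.
Copy-Item -Path (Join-Path $Source 'splunkclouduf.spl') -Destination $desktop -Force

# Step 4: copy each needed app folder into etc\apps.
Get-ChildItem -Path (Join-Path $Source 'apps') -Directory | ForEach-Object {
    Copy-Item -Path $_.FullName -Destination $apps -Recurse -Force
    Write-Output "Copied app folder: $($_.Name)"
}

# Step 5: restart the forwarder and pass a failure back to PDQ.
& $splunk restart
if ($LASTEXITCODE -ne 0) {
    Write-Error "splunk restart exited with code $LASTEXITCODE" -ErrorAction Continue
    exit $LASTEXITCODE
}
```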
Hello,
Could you try to unpack the splunkclouduf.spl package and move it to the C:\Program Files\SplunkUniversalForwarder\etc\apps\ folder and then restart the UF instance?
Something like that:
tar xvf splunkclouduf.spl
mv <extracted_folder> "C:\Program Files\SplunkUniversalForwarder\etc\apps\"
splunk restart
I gave that a try but the computer still doesn't show up in the cloud.