Universal Forwarder & Associated Certificate Package Upgrade


Hi Team,

Our Splunk instance is hosted in the Cloud and maintained by Splunk Support. Recently we got an email from Splunk Support stating that our Universal Forwarder & Associated Certificate Package has been upgraded to the latest version since it is going to expire in a couple of days. They have requested us to download the UF package from the Search Head, install it, and roll it out to all our client machines, since they are planning to upgrade the package at the indexer level in a couple of days.

Our architecture is that we have 1 Deployment master server and 4 HF servers. Search heads, Cluster master, Indexers etc. are managed by Splunk Support.

Usually we push the customized apps as well as forwarder apps from our Deployment master server to all our client machines. Moreover, all our Splunk servers (DM & HF) are running on Linux.

As per the documentation, I have downloaded the "splunkclouduf.spl" credentials package from our Search head and placed it in the /opt/splunk/etc/deployment-apps folder on our DM server. Then, as mentioned, I untarred the file, and after that I can see a new folder named "100_xxxx_splunkcloud".

Next, the documentation says to install the credentials package, and for this it says to choose the path of splunkclouduf.spl. Which path should I choose to install it?

/opt/splunk/etc/deployment-apps/splunkclouduf.spl (OR) /opt/splunk/etc/deployment-apps/100_xxxx_splunkcloud 

I am not quite sure, so I am stuck here and haven't installed the credentials yet. Kindly help to check and update, please.

And after installing the credentials package, it says to restart the Splunk instance on the DM server.

So after installation on my DM server, how do I push them to all client machines? Do I need to edit the existing forwarder outputs app (which is pushed to all client machines and HF)?

We already have an app "forwarder_outputs" which we have pushed to all client machines. This app has local and metadata folders. In the local folder we have limits.conf, outputs.conf, xxx_cacert.pem & xxx_server.pem files, and in the metadata folder we have local.meta. So which files do I need to modify after installing the credentials package on the DM server and pushing it to all client machines, so that the UF package would be running with the latest version?

Kindly help with my request.





There is no method to "push" an app from the Deployment Server (DS) to clients.  What happens is the client contacts the DS, gets a list of apps, then downloads those apps that have changed recently.

Once you download and unpack the splunkclouduf.spl file into the deployment-apps directory, all should be good.  The DS will take care of everything.

If this reply helps you, Karma would be appreciated.
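
The thread's existing forwarder_outputs app keeps outputs.conf and its PEM files under local/, and Splunk gives an app's local/ directory precedence over any app's default/ directory, so a setting both apps define in the same stanza keeps its forwarder_outputs value on the clients. The following is an added example, not part of the original thread or of Splunk's tooling, that lists such settings. The sample file contents, the stanza names, and the assumption that the credentials package ships outputs.conf under default/ are constructed for illustration.

```python
# Constructed sample: the thread's existing forwarder_outputs/local/outputs.conf
OLD_LOCAL = """\
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
clientCert = $SPLUNK_HOME/etc/apps/forwarder_outputs/local/xxx_server.pem
"""

# Constructed sample; assumes the package keeps outputs.conf under default/
NEW_DEFAULT = """\
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
clientCert = $SPLUNK_HOME/etc/apps/100_xxxx_splunkcloud/default/xxx_server.pem
"""


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, "default"  # keys before any stanza are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def shadowed_settings(local_text, default_text):
    """Return (stanza, key, local_value, default_value) where local/ wins."""
    local, default = parse_conf(local_text), parse_conf(default_text)
    hits = []
    for stanza, keys in default.items():
        for key, new_value in keys.items():
            old_value = local.get(stanza, {}).get(key)
            if old_value is not None and old_value != new_value:
                hits.append((stanza, key, old_value, new_value))
    return hits

if __name__ == "__main__":
    for stanza, key, old, new in shadowed_settings(OLD_LOCAL, NEW_DEFAULT):
        print(f"[{stanza}] {key}: effective={old!r} shadows package value {new!r}")
```

Running `splunk btool outputs list --debug` on a client shows which file each effective setting actually comes from.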