Reporting

splunk universal forwarder installation No users exist. Please set up a user

sachinkiet
Explorer

I am trying to installation Splunk UF on one of linux machine and when i run the below command, it gives me No users exist error even i have tried from root user as well->

/opt/splunkforwarder/bin/splunk add forward-server indexe_ip_address:9997 -auth 'splunkuser:splunkpassword’
No users exist. Please set up a user.

@woodcock 

Labels (1)
0 Karma

woodcock
Esteemed Legend

It is not talking about a user for the host OS but rather a user for Splunk which is no longer created by default (Google user-prefs.conf).  In any case, you are doing it all wrong.  You shod NEVER use the splunk CLI for configuration. (Except for SHC) because it dumps config output files into $SPLUNK_HOME/etc/system/local and can never be overridden by Deployment Server.  Instead use a custom app with outputs.conf and push it out from the DS.  Yes, this means that you should only be scripting the creation of a custom app that has a deploymentclient.conf file.  Also, for that CLI command, I am pretty sure no -auth argument is required.

ephemeric
Contributor

We tried this setup a long time ago: had our DS deploy an app with a deploymentclient.conf so we could control the DS location.

All was good until we decided to migrate our DS to another host. The new DS was accidentally started without any apps in place. The behaviour of Splunk at the time (unsure if it's any different now): all SUF clients connected, saw there were no apps, proceeded to delete all of their apps on the localhost!

So your deploymentclient.conf is now gone and we lost 400 SUFs as they were trying to connect with no config.

We had an amazing team and client and we recovered 80% of the SUFs in 24 hours!

I would suggest using DNS to control IP changes to your DS etc.

PS You can edit etc/system/local/* as we did by deploying an app with a script that makes edits to those files (sed and awk). Same danger here though: one mistake and it's over.

Do Canary Releases!

richgalloway
SplunkTrust
SplunkTrust

The UF needs a local (application-defined) user account for most commands.  This account usually is created the first time the UF runs.  If you did not do that then there is a way to create a user account manually.  See https://docs.splunk.com/Documentation/Splunk/8.2.1/Installation/StartSplunkforthefirsttime#Create_ad...

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...