I am trying to install the Splunk UF on one of the Linux machines, and when I run the command below, it gives me a "No users exist" error, even though I have tried as the root user as well:
/opt/splunkforwarder/bin/splunk add forward-server indexe_ip_address:9997 -auth 'splunkuser:splunkpassword'
No users exist. Please set up a user.
It is not talking about a user for the host OS but rather a user for Splunk, which is no longer created by default (Google user-prefs.conf). In any case, you are doing it all wrong. You should NEVER use the splunk CLI for configuration (except for SHC) because it dumps config output files into $SPLUNK_HOME/etc/system/local and can never be overridden by Deployment Server. Instead, use a custom app with outputs.conf and push it out from the DS. Yes, this means that you should only be scripting the creation of a custom app that has a deploymentclient.conf file. Also, for that CLI command, I am pretty sure no -auth argument is required.
We tried this setup a long time ago: had our DS deploy an app with a deploymentclient.conf so we could control the DS location.
All was good until we decided to migrate our DS to another host. The new DS was accidentally started without any apps in place. The behaviour of Splunk at the time (unsure if it's any different now): all SUF clients connected, saw there were no apps, proceeded to delete all of their apps on the localhost!
So your deploymentclient.conf is now gone and we lost 400 SUFs as they were trying to connect with no config.
We had an amazing team and client and we recovered 80% of the SUFs in 24 hours!
I would suggest using DNS to control IP changes to your DS etc.
PS You can edit etc/system/local/* as we did by deploying an app with a script that makes edits to those files (sed and awk). Same danger here though: one mistake and it's over.
Do Canary Releases!
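The scripted deploymentclient.conf app from the answer above, combined with the reply's advice to address the DS by DNS name, as an added example that is not part of any post in this thread. The function names, the app name org_all_deploymentclient and the host ds.example.com are hypothetical; 8089 is Splunk's default management port.

```shell
#!/bin/sh
# Added example (not from the thread): scaffold a forwarder app that holds only
# deploymentclient.conf. Hypothetical names: make_dc_app, dc_target,
# org_all_deploymentclient, ds.example.com.

# make_dc_app SPLUNK_HOME APP_NAME DS_HOST [MGMT_PORT]
make_dc_app() (
  home=$1 app=$2 ds_host=$3 port=${4:-8089}

  # Require a DNS name so the DS can change hosts without touching every UF:
  # reject empty values, non-hostname characters, and names with no letter
  # at all (IPv4 literals).
  case $ds_host in
    ''|*[!A-Za-z0-9.-]*) echo "bad deployment server host '$ds_host'" >&2; return 2 ;;
    *[A-Za-z]*) ;;
    *) echo "refusing IP literal '$ds_host': use a DNS name" >&2; return 2 ;;
  esac
  # The app name becomes a directory: no leading dot, no path separators.
  case $app in
    ''|.*|*[!A-Za-z0-9_.-]*) echo "invalid app name '$app'" >&2; return 2 ;;
  esac
  case $port in
    *[!0-9]*) echo "invalid port '$port'" >&2; return 2 ;;
  esac

  dir="$home/etc/apps/$app/local"
  mkdir -p "$dir" || return 1
  # Write to a temp file and rename, so a half-written conf is never read.
  tmp=$(mktemp "$dir/.deploymentclient.XXXXXX") || return 1
  printf '[deployment-client]\n\n[target-broker:deploymentServer]\ntargetUri = %s:%s\n' \
    "$ds_host" "$port" > "$tmp" || return 1
  # No secret in this file; keep it readable by the Splunk service account.
  chmod 644 "$tmp" && mv "$tmp" "$dir/deploymentclient.conf"
)

# dc_target SPLUNK_HOME APP_NAME -> prints the configured targetUri
dc_target() {
  sed -n 's/^targetUri *= *//p' "$1/etc/apps/$2/local/deploymentclient.conf"
}

# Demo against a throwaway directory standing in for /opt/splunkforwarder.
demo_home=$(mktemp -d)
make_dc_app "$demo_home" org_all_deploymentclient ds.example.com
dc_target "$demo_home" org_all_deploymentclient
rm -rf "$demo_home"
```

Restart the forwarder after placing the app so it reads the new deploymentclient.conf.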
The UF needs a local (application-defined) user account for most commands. This account is usually created the first time the UF runs. If you did not do that, then there is a way to create a user account manually. See https://docs.splunk.com/Documentation/Splunk/8.2.1/Installation/StartSplunkforthefirsttime#Create_ad...