@amiracle I can't speak for @bishopolis but I expect most of us simply want Splunk to post public repos with Splunk software in RPM and DEB formats.

That way we can set up our automated mirrors/satellite to obtain the latest Splunk version and even patch Universal Forwarders without any human input.

Most other software we using in our Linux environment doesn't require us to manually log in and download updates every month (or so).

Very well stated.  That is all we are looking for as well.  Thanks!

Do you have an update on this please?
It would save my team manual work every month at least (more for urgent security updates).

The lack of public repos is particularly frustrating for Debian/Ubuntu clients. This is because I will have to set up my own signed repository just to distribute packages which were already signed by Splunk.

It is not possible to just drop the Splunk-signed packages on my apt-mirror, I have to sign the repository itself (or used unsigned packages!)

At least Red-Hat based OSes only require basic repo (and it can be imported in to Satellite 6 easily)

Fantastic! But don't be teasing us, now 😉

Soon as you have info I'd love to hear it -- of course!

Sure but that's still treating Splunk content like a special snowflake. I just want to sync the damn rpms into our enterprise the way all the others happen. If even stuck-in-the-1990s Dell can manage, so can Splunk.

Is splunk considering any feature update to accommodate the yum repository instead of this individual downloads?

This is done by accepting the terms of service when a user logs in and downloads the software.

The solution is that users can create their own Yum [Repos] and update them using the cURL command listed in the Download page for each version. Once you've setup your own private repo, then you can run yum install splunkforwarder -y and install your forwarder.

It's trivially done by ensuring customers use their own custom credentials to access the repo, embedded in the yum repo URL.  This also provides excellent logging which I'm sure will be the next insurmountable micro-obstacle.

HI all,

I'm not sure that the repo has to be publicly available to meet the purposes of the requester of this feature.

There are companies (RedHat and EnterpriseDB, for example) that offer authenticated YUM repositories that are not publicly accessible, but still allow their customers to download and manage their packages via YUM.

In that vein, here is a github repo that has a script that I wrote to perform a nightly download of the splunk-enterprise and splunk-universal-forwarder packages and generate a local YUM repo from them.

https://github.com/grangerx/splunk-yum-repo

I've been using it for a while, and it seems to get the job done in my case.

Note: You'll have to give it a splunk.com login for it to be able to download the packages in an authenticated manner.

Thanks,

GrangerX

The problem with the method you suggest is that you must supply all of the version information for the forwarder when doing the wget command, and there doesn't seem a simple way to automate providing this information.  For example, to get the current version of the forwarder (as of this writing), you need to execute:

wget -O splunkforwarder-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version...'

How do you automate the "version=8.0.6" and "filename=splunkforwarder-8.0.6-152fb4b2bb96-linux-2.6-x86_64.rpm" values to be able to execute the "wget" command?

Oh, that makes me feel better, I'm sure that Exhibit A, line 17 has done wonders in protecting us from Enemies of the State. I understand accepting it once, but on every update? On the Forwarders? Please. I bet you heard that from one of their lawyers... 😉

On a lighter note:
We have a private repo, and it works great for everything including the forwarder updates. The problem is that when the Splunk process restarts, it prompts for the license agreement and asks if you want to migrate the database. Yes, I'm aware of the switches we can use, but this can't be automated without some kind of post-processing (script). The upshot is, if we drop a Splunk update in our repos, and folks run 'yum update' across their enclave -- their Splunk instances don't restart -- and the only indication to me is that I notice I haven't seen a bunch of systems reporting in after after a while. With NIST 800-171 breathing down our necks (end-point log monitoring), that's not good.

Are you implying that you've done this, and you don't have that problem?

thanks,
Mike

I've done this using automation tools such as Chef, Puppet and Ansible. I also use the tgz files instead of RPM's, more of a preference on my part. That is a more scalable solution since I can control the deployment and the orchestration of the update. I agree that a yum / apt repo would be nice to have and I've asked for it too.

Thanks,
Kam

Additionally, here is a blog post to help with using a repo server and installing splunk binaries: http://www.rfaircloth.com/2017/03/07/automating-splunk-deployment-redhatcentos-poor-mans-edition/

cp splunkforwarder*.rpm /opt/splunkrepo

Here's where that post skips over the part we want, but does add some flash and finish we can figure ourselves.

This only solves a minor part of the problem. People asking for a YUM repo mostly aren't asking because they want to install updates direct from a YUM repository, but because we want an easy sync source for our own pre-existing internal YUM repos that takes the human factor out of checking the main site by hand for updated packages, downloading them and re-publishing them internally. With Satellite or Pulp, all that would happen automatically based on pre-defined sync and publish rules.

Splunk is currently the ONLY vendor I have to do this archaic nonsense by hand with still. Everything else is synced automatically overnight into Satellite and pre-defined rules specify the workflow from there.

But, don't you feel safer knowing that Exhibit A, line 17 is protecting Freedom, Heros, and Apple Pie? 😉

No change, AFAIK.

Splunk engineers tell me the assumption is that people are using 3rd party products (i.e. Puppet). That's fine if you have staff to support that. But we're just a "medium" sized organization so I'm facing about 1,000 systems (and separate sys-admin groups all doing their own thing) to update manually (i.e. no Puppet). All because Splunk lawyers feel it's necessary for us to acknowledge the freakin' license agreement after every update. After seeing enough of their presentations with that retarded first slide they always put up ("Disclaimer...!") I'm not surprised. Do I sound bitter about this? 'cause I am...