Splunk Enterprise

How do I install Splunk universal forwarder 8.2.6?


I am trying to install the latest version of the Splunk universal forwarder using a Chef cookbook and am getting an error. Earlier, in version 6.5.0, once the rpm was installed using rpm -ivh splunkuniversal-xx.rpm, I used to run the command:

    /splunkuniversal/bin/splunk enable boot-start --accept-license --answer-yes

and then change the password:

    /splunkuniversal/bin/splunk edit user admin -password xxxxx -roles admin -auth admin:xxxxxx

    service splunk start

But now in version 8.2.6, after the rpm install, when I try to run the above commands, it asks me to create a user. Is there any change in the installation process, and how can I automate it again via a Chef cookbook so that it does not prompt for user creation?



0 Karma


Splunk has changed the requirements so that you must create an "admin" user with a password when you are starting Splunk, if you haven't done that yet.

Here is a way to set it in Ansible; unfortunately I don't have any examples done with Chef.

    # Hash the admin password with the Splunk CLI
    - name: "Hash the password"
      command: "{{ splunk.exec }} hash-passwd {{ splunk.password }}"
      register: hashed_pwd
      changed_when: hashed_pwd.rc == 0
      become: yes
      become_user: "{{ splunk.user }}"
      no_log: "{{ hide_password }}"

    # Write USERNAME and HASHED_PASSWORD into the [user_info] section
    - name: "Generate user-seed.conf (Linux)"
      ini_file:
        owner: "{{ splunk.user }}"
        group: "{{ splunk.group }}"
        dest: "{{ splunk.home }}/etc/system/local/user-seed.conf"
        section: user_info
        option: "{{ item.opt }}"
        value: "{{ item.val }}"
        mode: "0644"
      loop:
        - {opt: 'USERNAME', val: '{{ splunk.admin_user }}'}
        - {opt: 'HASHED_PASSWORD', val: '{{ hashed_pwd.stdout }}'}
      loop_control:
        label: "{{ item.opt }}"
      when: ansible_system is match("Linux")
      become: yes
      become_user: "{{ splunk.user }}"
      no_log: "{{ hide_password }}"

Another way: if you have an older version in place, just ensure that you have an admin user there with a non-standard password before you update the rpm (update, not remove + install).

r. Ismo

0 Karma
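
The same user-seed.conf seeding as a POSIX shell script, which a Chef `execute` resource or any other tool could call. This is an added example, not code from the thread or from Splunk. The function names, the `$6$` prefix check on the `hash-passwd` output and the `--no-prompt` flag on first start are assumptions of this example and do not appear in the posts above.

```shell
#!/bin/sh
# Added example: seed the Splunk admin account non-interactively.
# The Splunk home and admin name are supplied by the caller (assumed values).

# Write user-seed.conf with a pre-hashed password; never store plaintext.
# usage: write_user_seed <splunk_home> <admin_user> <hashed_password>
write_user_seed() {
    home=$1; user=$2; hash=$3
    seed="$home/etc/system/local/user-seed.conf"

    # user-seed.conf is ignored once etc/passwd exists, so fail loudly
    # instead of letting the run "succeed" with the old credentials.
    if [ -e "$home/etc/passwd" ]; then
        echo "etc/passwd already exists; seed would be ignored" >&2
        return 2
    fi
    # Assumption: hash-passwd output is a SHA-512 crypt string ($6$...).
    case $hash in
        '$6$'*) ;;
        *) echo "refusing to write a non-hashed value" >&2; return 3 ;;
    esac
    case $user in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid user name" >&2; return 4 ;;
    esac

    mkdir -p "$home/etc/system/local" || return 1
    # umask in a subshell: a newly created file is 0600 from the start.
    (
        umask 077
        printf '[user_info]\nUSERNAME = %s\nHASHED_PASSWORD = %s\n' \
            "$user" "$hash" > "$seed"
    ) || return 1
    # Also tighten a file left over from an earlier run.
    chmod 600 "$seed"
}

# The commands from the question, with --no-prompt added so a missing
# seed file produces an error instead of an interactive prompt.
# usage: first_start <splunk_home>
first_start() {
    "$1/bin/splunk" enable boot-start --accept-license --answer-yes --no-prompt &&
    "$1/bin/splunk" start --accept-license --answer-yes --no-prompt
}
```

Call `write_user_seed` with the output of `splunk hash-passwd` before `first_start`; unlike the `0644` mode in the playbook above, the seed file here is readable only by its owner.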