This is how it works if you want to script around it. You'll need 'jq' ... apt-get install jq.  Get a session key, sessionid is its name.   curl -k -XPOST -D - https://splunkbase.splunk.com/api/account:login/ -d 'username=username&password=password'   View all releases for app   curl -sS -H "X-Auth-Token: token" https://splunkbase.splunk.com/api/v1/app/3110/release/ | jq '.[] | {name}'   View latest release version. Pretty sure index 0 is always the latest   curl -sS -H "X-Auth-Token: token" https://splunkbase.splunk.com/api/v1/app/3110/release/ | jq '.[0] | {name}'   Request version. Note the ?origin=sb query string. Also note, different hostname and different api version.   curl -sS -H "X-Auth-Token: token” -D - https://api.splunkbase.splunk.com/api/v2/apps/3110/releases/4.5.2/download/\?origin\=sb   http/302 is returned linking to file location. Grab that url with wget.    https://cdn.splunkbase.splunk.com/media/private/signed_3110_28526_1677516671.tgz?response-content-disposition=attachment%3Bfilename%3D%22splunk-add-on-for-microsoft-cloud-services_452.tgz   Fun fact, if you don't know what the appid is for a particular addon and its on splunkbase, you can make a request like so, using the app title (eg folder name)    curl -k -D - https://apps.splunk.com/apps/id/Splunk_TA_microsoft-cloudservices   This will (mostly) return a 302 to the splunkbase url   HTTP/2 302 content-type: text/html; charset=utf-8 location: http://splunkbase.splunk.com/app/3110   neat. ... View more

Na, I'm not taking your comments as being defensive, in fact I welcome them. I want to know just as much as the others that peruse this forum. What I meant by bringing them together was more along the lines of still being able to configure things via the GUI even if those aspects remain on the master node. When I have the opportunity to do more testing I can certainly post specific examples and hopefully get the community to weigh in. Usually problems I encounter I'll try to work with support to resolve, I am paying for it after all.. but sometimes it make sense to present the question to the collective conscious. ... View more

this is very good news. ... View more

Thats good to know that apps that require additional licensing do in-fact work with search head clustering, but I would expect paid apps to work. However, in regards to the Splunk App for Unix and Linux, it states in its release notes that it does not support search head clustering. Splunk Mint App goes as far to say is 'kinda' supports search head clustering but doesn't really elaborate on what that means exactly. And I can attest that the CEF app, the Windows Infrastructure app (also mentioned in its release notes) and the Checkpoint LEA app all do not work properly with search head clustering in my experience. The issues I've encountered can vary from app to app but range from configurations, search artifacts, and customized outputs not replicating properly to indexers getting duplicated firewall events, different cluster members executing the same schedule reports and apps that have setup wizards never seem to share the fact they've been configured. I opened a case and worked with Splunk support for a few weeks trying to figure out why the CEF app would just stop working and was eventually told it just wasn't supported in a search head cluster. I've gone as far as configuring these apps on independent search heads, then pushing that configuration out the cluster to only be greeted with scheduling errors and splunkd crashes for scheduled reports related to the apps, or just the same kind of problems I was experiencing before. Don't get me wrong, I love Splunk. I've been with you guys since the beginning (well, close to it at least), but sometimes it seems like servers must grow on trees there at the Splunk HQ. In an environment where high availability and data redundancy is a must, search head clustering helps fill the gap between individually managed search head configurations with a large user base spread across an multi-datacenter environment. Just enabling search head clustering alone you have to relinquish the ability to even use the interface to perform simple tasks such as adding new users and roles. While I appreciate the new features that are introduced with each release, I think its high time you guys started to give some serious love to the clustering aspects and finally bring indexer and search head clustering together without having users sacrifice the simple UI based management tasks or forfeit some truly awesome apps in the name of resiliency. ... View more

i've basically found that no splunk supported app works with shclustering no matter how much effort you put into it. don't waste your time. ... View more

did you get an answer to this? i'm currently seeing the same error with the splunk for F5 networks app. ... View more