The problem seems to be with the regid.2001-12.com.splunk-Splunk-Enterprise.swidtag file and how it is handled during installation. In the postinst script of the deb package (extract with dpkg -e splunk-8.1...deb, then look at DEBIAN/postinst) there is a function called copy_swid_tag() that boils down to:

SWID_SRC_DIR="$SPLUNK_HOME/etc"
SWID_DEST_DIR="/usr/share/regid.2001-12.com.splunk"
mkdir -p $SWID_DEST_DIR
cp "$SWID_SRC_DIR/regid.2001-12.com.splunk-Splunk-Enterprise.swidtag" $SWID_DEST_DIR

Listing the contents of the latest 8.0 and 8.1 deb packages, we see that the swidtag file that used to live in /opt/splunk/etc has been moved (and renamed) to /opt/splunk/swidtag:

$ dpkg -c splunk-8.1.0.1-24fd52428b5a-linux-2.6-amd64.deb | grep '\.swidtag'
-rw-r--r-- root/root 599 2020-11-17 18:28 ./opt/splunk/swidtag/splunk-Splunk-Enterprise-primary.swidtag
$ dpkg -c splunk-8.0.7-cbe73339abca-linux-2.6-amd64.deb | grep '\.swidtag'
-rw-r--r-- root/root 1116 2020-10-23 08:08 ./opt/splunk/etc/regid.2001-12.com.splunk-Splunk-Enterprise.swidtag

The problem is that the swidtag file has been renamed, but the postinst script has not been updated to reflect that change. Not sure what the swidtag file does, and perhaps it doesn't matter, but to complete the installation as the postinst script intended, copy the file in place by hand:

$ sudo cp /opt/splunk/swidtag/splunk-Splunk-Enterprise-primary.swidtag /usr/share/regid.2001-12.com.splunk
$ sudo chown splunk:splunk /usr/share/regid.2001-12.com.splunk/splunk-Splunk-Enterprise-primary.swidtag

BTW, this is all true for rpm packages as well:

$ rpm -ql -p splunk-8.1.0.1-24fd52428b5a-linux-2.6-x86_64.rpm | grep '\.swidtag'
/opt/splunk/swidtag/splunk-Splunk-Enterprise-primary.swidtag
$ rpm -q --scripts -p splunk-8.1.0.1-24fd52428b5a-linux-2.6-x86_64.rpm | less
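
The manual copy described in the post above, written so that it works with either package layout. This is an added example, not part of the original post and not Splunk's postinst script. The function names find_swidtag and install_swidtag are hypothetical; the file names and directories are the ones shown in the package listings above.

```shell
#!/bin/sh
# Added example (not Splunk's code): install the swidtag whichever
# layout the package used. Helper names are hypothetical.

find_swidtag() {
    # $1 = SPLUNK_HOME. Prints the first swidtag path that exists,
    # trying the 8.1 location first, then the 8.0 location.
    for candidate in \
        "$1/swidtag/splunk-Splunk-Enterprise-primary.swidtag" \
        "$1/etc/regid.2001-12.com.splunk-Splunk-Enterprise.swidtag"
    do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

install_swidtag() {
    # $1 = SPLUNK_HOME, $2 = destination directory,
    # $3 = optional owner (for example splunk:splunk).
    # Fails before creating anything if no swidtag is present.
    src=$(find_swidtag "$1") || {
        echo "no swidtag file found under $1" >&2
        return 1
    }
    mkdir -p "$2" || return 1
    cp "$src" "$2/" || return 1
    if [ -n "${3:-}" ]; then
        chown "$3" "$2/$(basename "$src")" || return 1
    fi
    return 0
}
```

After sourcing the file as root, `install_swidtag /opt/splunk /usr/share/regid.2001-12.com.splunk splunk:splunk` reproduces the two manual commands from the post.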