Getting Data In

Is there any way in which we can download the apps from splunk base without having to manually download the tar file?



We are planning to automate the Splunk application installation and configuration process for quicker provisioning.

In this scenario, our first step is to install the splunk app from CLI, for which we use this command:

./splunk install app

However it gives an error saying:

Error during app install: failed to extract app from /opt/splunk/var/run/87b95d9a426d8ebd.tar.gz to /opt/splunk/var/run/splunk/bundle_tmp/91801e5fc0eab8b4: No such file or directory

Is there any way in which we can download the apps from splunkbase without having to manually download the tar file.


Building on @mabrafoo's answer, I wrote a standalone script to do this. It allows you to authenticate to Splunkbase and download an app without the need for a separate web browser. Once you have the app.tgz, you can use the standard ./splunk install app <filename> syntax.

0 Karma

Loves-to-Learn Lots



I tried the script and got this:

0Warning: Remote filename has no length!


curl: (23) Failed writing body (0 != 16195)

I also tried forcing the specific URL of an app and got the same result.

Any ideas?

Thank you.

0 Karma


Hi @Luis_Torres,

First, are you specifying the sid and SSOID arguments (example values show below) when running download? You'll get an error message just like this if you don't specify them, if the values are incorrect, or if the session they refer to is expired. All Splunkbase downloads are authenticated, so it's mandatory to supply these. The sid value is case-sensitive alphanumeric, so it can be easy to mistake "0" "o" and "O", for example. The SSOID value should be all hexadecimal (0-9, a-f).


It's also worth double-checking that you actually have permissions to write to the directory where you're saving to. By default, the script will write to your current directory.

If none of that works, can you let me know if this is happening for all apps, or only a single app? If the latter, can you let me know the App ID and App Version you're trying to download?


0 Karma


Seeing these posts being so recent, I was hoping to get this to work. I like this better than the curlfire suggestion as this is possible to completely automate the downloads. So if possible I would like to get this working.

@tfrederick74656 I would like to help if there is still a chance of getting it to work.

0 Karma

New Member

I tried this and had problems.

I experienced the same issue of remote filename has no length.
Where did you find the documentation for the okta/auth endpoint?

When I plugged in the sessionid from my browser and added the cookie 'splunkbase_cookied_policy_accepted=true'
it then worked.

But the sid and SSOID combination with the additional cookie would not work.

Also the script needed if  [ "$1" == "1" ] on line 53 to work correctly.

0 Karma


Here is one way to do it. Use at your own risk.

curlfire will access the firefox cookies so that we can avoid the "please log in to download" message that curl would get.

For this example the app is the splunk add-on for Unix and Linux. The url says it is app 833. These instructions assume we know that the app id number is 833.

After running this command
username@computername:~/Downloads/splunk/curlfire-master$ ./curlfire "" | grep 833 | grep download | grep release

The output is

Now we know the Download URL for the latest version is

Download the file using curlfire (see notes for curlfire chanages to make it work better below)
username@computername:~/Downloads/splunk/curlfire-master$ ./curlfire ""

curl: Saved to filename 'splunk-add-on-for-unix-and-linux_600.tgz'

In order to get the download to work properly, 3 flags were changed when curl was run in the curlfire bash file.

curl -b "$curlcookies" "${args[@]}" ;
curl -O -J -L -b "$curlcookies" "${args[@]}" ;

option -O Write output to a local file name like the remote file
option -J Tell the -O option to use the filename found in the http header
option -L Follow redirects

Also, after looking at a random script that I downloaded from github I usually will change this.


to this.

!/bin/bash -x

in order to display all of the bash scripts commands and their expanded arguments.

And obviously don't forget to change your curl user agent to something common like "I ❤️ splunk."


In order to download Apps from Splunkbase you need to be signed on to Splunkbase. Are you doing anything to sign on?

Personally, I wouldn't recommend automatically installing things that are downloaded fresh off the internet. How do you know it doesn't break your environment?
I'd keep a local repository of known good / fixed versions and install automatically from there.

Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...