$ wsl.exe --version
Version WSL : 2.5.7.0
Version du noyau : 6.6.87.1-1
Version WSLg : 1.0.66
Version MSRDC : 1.2.6074
Version direct3D : 1.611.1-81528511
Version de DXCore : 10.0.26100.1-240331-1435.ge-release
Version de Windows : 10.0.26100.4202
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04.2 LTS
Release: 24.04
Codename: noble
$ python --version
Python 3.12.3
# https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository
$ sudo install -m 0755 -d /etc/apt/keyrings
$ sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
$ sudo chmod a+r /etc/apt/keyrings/docker.asc
$ echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
$ sudo apt update
$ sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
$ sudo groupadd docker
$ sudo usermod -aG docker $USER
$ newgrp docker
$ docker run hello-world
$ sudo apt install python3-pip python3-venv
$ mkdir -p ~/exp && cd ~/exp
$ python3 -m venv --prompt "Contentctl" .venv
$ source .venv/bin/activate
$ git clone https://github.com/2xyo/contentctl.git
$ cd contentctl
$ git remote add upstream https://github.com/splunk/contentctl.git
$ pip install --editable .
$ cd..
$ mkdir -p MyNewContentPack && cd MyNewContentPack
$ contentctl init \
--app.title "My New Content Pack Title" \
--app.description "My awesome desciption" \
--app.prefix "CP" \
--app.label "My New Content Pack label" \
--app.author-name "Yo" \
--app.author-email "Yo@localhost" \
--app.author-company "Personnel test"
$ ls -l
total 72
-rw-r--r-- 1 yo docker 428 Jun 4 22:06 README.md
drwxr-xr-x 7 yo docker 4096 Jun 4 21:59 app_template
drwxr-xr-x 2 yo docker 4096 Jun 4 22:06 baselines
-rw-r--r-- 1 yo docker 7268 Jun 4 22:06 contentctl.yml
drwxr-xr-x 2 yo docker 4096 Jun 4 22:06 dashboards
drwxr-xr-x 2 yo docker 4096 Jun 4 21:59 data_sources
drwxr-xr-x 2 yo docker 4096 Jun 4 21:59 deployments
drwxr-xr-x 7 yo docker 4096 Jun 4 21:59 detections
drwxr-xr-x 2 yo docker 4096 Jun 4 22:02 dist
drwxr-xr-x 2 yo docker 4096 Jun 4 22:06 docs
drwxr-xr-x 2 yo docker 4096 Jun 4 22:06 investigations
drwxr-xr-x 2 yo docker 4096 Jun 4 22:06 lookups
drwxr-xr-x 2 yo docker 4096 Jun 4 21:59 macros
drwxr-xr-x 2 yo docker 4096 Jun 4 22:06 playbooks
drwxr-xr-x 2 yo docker 4096 Jun 4 22:06 removed
drwxr-xr-x 2 yo docker 4096 Jun 4 22:06 reporting
drwxr-xr-x 2 yo docker 4096 Jun 4 21:59 stories
$ cat contentctl.yml
path: .
app:
uid: 92501
title: My New Content Pack Title
appid: ContentPack
version: 0.0.1
description: My awesome desciption
prefix: CP
label: My New Content Pack label
author_name: Yo
author_email: Yo@localhost
author_company: Personnel test
verbose: false
enforce_deprecation_mapping_requirement: false
enrichments: false
build_app: true
build_api: false
data_source_TA_validation: false
test_data_caches: []
build_path: dist
mode:
mode_name: All
post_test_behavior: pause_on_failure
enable_integration_testing: false
apps:
- uid: 1621
title: Splunk Common Information Model (CIM)
appid: Splunk_SA_CIM
version: 5.2.0
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-common-information-model-cim_520.tgz
- uid: 6553
title: Splunk Add-on for Okta Identity Cloud
appid: Splunk_TA_okta_identity_cloud
version: 2.1.0
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-okta-identity-cloud_210.tgz
- uid: 6176
title: Add-on for Linux Sysmon
appid: Splunk_TA_linux_sysmon
version: 1.0.4
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/add-on-for-linux-sysmon_104.tgz
- uid: null
title: Splunk Fix XmlWinEventLog HEC Parsing
appid: Splunk_FIX_XMLWINEVENTLOG_HEC_PARSING
version: '0.1'
description: This TA is required for replaying Windows Data into the Test Environment.
The Default TA does not include logic for properly splitting multiple log events
in a single file. In production environments, this logic is applied by the Universal
Forwarder.
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/Splunk_TA_fix_windows.tgz
- uid: 742
title: Splunk Add-on for Microsoft Windows
appid: SPLUNK_ADD_ON_FOR_MICROSOFT_WINDOWS
version: 8.8.0
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-windows_880.tgz
- uid: 5709
title: Splunk Add-on for Sysmon
appid: Splunk_TA_microsoft_sysmon
version: 4.0.0
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-sysmon_400.tgz
- uid: 833
title: Splunk Add-on for Unix and Linux
appid: Splunk_TA_nix
version: 9.0.0
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-unix-and-linux_900.tgz
- uid: 5579
title: Splunk Add-on for CrowdStrike FDR
appid: Splunk_TA_CrowdStrike_FDR
version: 1.5.0
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-crowdstrike-fdr_150.tgz
- uid: 3185
title: Splunk Add-on for Microsoft IIS
appid: SPLUNK_TA_FOR_IIS
version: 1.3.0
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-iis_130.tgz
- uid: 4242
title: TA for Suricata
appid: SPLUNK_TA_FOR_SURICATA
version: 2.3.4
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/ta-for-suricata_234.tgz
- uid: 5466
title: TA for Zeek
appid: SPLUNK_TA_FOR_ZEEK
version: 1.0.6
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/ta-for-zeek_106.tgz
- uid: 3258
title: Splunk Add-on for NGINX
appid: SPLUNK_ADD_ON_FOR_NGINX
version: 3.2.2
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-nginx_322.tgz
- uid: 5238
title: Splunk Add-on for Stream Forwarders
appid: SPLUNK_ADD_ON_FOR_STREAM_FORWARDERS
version: 8.1.1
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-stream-forwarders_811.tgz
- uid: 5234
title: Splunk Add-on for Stream Wire Data
appid: SPLUNK_ADD_ON_FOR_STREAM_WIRE_DATA
version: 8.1.1
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-stream-wire-data_811.tgz
- uid: 2757
title: Palo Alto Networks Add-on for Splunk
appid: PALO_ALTO_NETWORKS_ADD_ON_FOR_SPLUNK
version: 8.1.1
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/palo-alto-networks-add-on-for-splunk_811.tgz
- uid: 3865
title: Zscaler Technical Add-On for Splunk
appid: Zscaler_CIM
version: 4.0.3
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/zscaler-technical-add-on-for-splunk_403.tgz
- uid: 3719
title: Splunk Add-on for Amazon Kinesis Firehose
appid: SPLUNK_ADD_ON_FOR_AMAZON_KINESIS_FIREHOSE
version: 1.3.2
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-amazon-kinesis-firehose_132.tgz
- uid: 1876
title: Splunk Add-on for AWS
appid: Splunk_TA_aws
version: 7.5.0
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-amazon-web-services-aws_750.tgz
- uid: 3088
title: Splunk Add-on for Google Cloud Platform
appid: SPLUNK_ADD_ON_FOR_GOOGLE_CLOUD_PLATFORM
version: 4.4.0
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-google-cloud-platform_440.tgz
- uid: 5556
title: Splunk Add-on for Google Workspace
appid: SPLUNK_ADD_ON_FOR_GOOGLE_WORKSPACE
version: 2.6.3
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-google-workspace_263.tgz
- uid: 3110
title: Splunk Add-on for Microsoft Cloud Services
appid: SPLUNK_TA_MICROSOFT_CLOUD_SERVICES
version: 5.2.2
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-cloud-services_522.tgz
- uid: 4055
title: Splunk Add-on for Microsoft Office 365
appid: SPLUNK_ADD_ON_FOR_MICROSOFT_OFFICE_365
version: 4.5.1
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-add-on-for-microsoft-office-365_451.tgz
- uid: 2890
title: Splunk Machine Learning Toolkit
appid: SPLUNK_MACHINE_LEARNING_TOOLKIT
version: 5.4.1
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/splunk-machine-learning-toolkit_541.tgz
- uid: 2734
title: URL Toolbox
appid: URL_TOOLBOX
version: 1.9.2
description: description of app
hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/url-toolbox_192.tgz
container_settings:
leave_running: true
num_containers: 1
full_image_path: registry.hub.docker.com/splunk/splunk:9.3
$ ls -l detections/endpoint/
total 4
-rw-r--r-- 1 yo docker 3865 Jun 4 21:59 anomalous_usage_of_7zip.yml
$ contentctl validate
DEPLOYMENT Progress: [100%]... ✓ Done!
LOOKUP Progress: [ 0%]... ✓ Done!
MACRO Progress: [100%]... ✓ Done!
STORY Progress: [100%]... ✓ Done!
BASELINE Progress: [ 0%]... ✓ Done!
DATASOURCE Progress: [100%]... ✓ Done!
PLAYBOOK Progress: [ 0%]... ✓ Done!
DETECTION Progress: [100%]... ✓ Done!
DASHBOARD Progress: [ 0%]... ✓ Done!
REMOVEDSECURITYCONTENTOBJECT Progress: [ 0%]... ✓ Done!
$ contentctl test
/home/yo/exp/PyCVESearch/pycvesearch/core.py:4: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
DEPLOYMENT Progress: [100%]... ✓ Done!
LOOKUP Progress: [ 0%]... ✓ Done!
MACRO Progress: [100%]... ✓ Done!
STORY Progress: [100%]... ✓ Done!
BASELINE Progress: [ 0%]... ✓ Done!
DATASOURCE Progress: [100%]... ✓ Done!
PLAYBOOK Progress: [ 0%]... ✓ Done!
DETECTION Progress: [100%]... ✓ Done!
DASHBOARD Progress: [ 0%]... ✓ Done!
REMOVEDSECURITYCONTENTOBJECT Progress: [ 0%]... ✓ Done!
Build of 'My New Content Pack Title' APP successful to dist/ContentPack-latest.tar.gz
MODE: [All] - Test [1] detections
Getting the latest version of the container image [registry.hub.docker.com/splunk/splunk:9.3]...done!
Downloading splunk-common-information-model-cim_520.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-okta-identity-cloud_210.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading add-on-for-linux-sysmon_104.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading Splunk_TA_fix_windows.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-microsoft-windows_880.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-sysmon_400.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-unix-and-linux_900.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-crowdstrike-fdr_150.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-microsoft-iis_130.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading ta-for-suricata_234.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading ta-for-zeek_106.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-nginx_322.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-stream-forwarders_811.tgz 100%[████████████████████][99.8M/99.8M | ETA: 00:00]
Downloading splunk-add-on-for-stream-wire-data_811.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading palo-alto-networks-add-on-for-splunk_811.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading zscaler-technical-add-on-for-splunk_403.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-amazon-kinesis-firehose_132.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-amazon-web-services-aws_750.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-google-cloud-platform_440.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-google-workspace_263.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-microsoft-cloud-services_522.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-microsoft-office-365_451.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-machine-learning-toolkit_541.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading url-toolbox_192.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Copying [dist/ContentPack-0.0.1.tar.gz] to [/home/yo/exp/contentctl/MyNewContentPack/apps/ContentPack-0.0.1.tar.gz]...Done
Bottle v0.13.3 server starting up (using SimpleWebServer())...
Listening on http://0.0.0.0:7999/
Hit Ctrl-C to quit.
Completed 0/1 0.00%[ ] | Elapsed: Unknown Time | Remaining: Unknown ETA
Started container with the following information: >> Starting | Time: 0:00:00
name : [contentctl_0]
address : [http://localhost:8000]
username: [admin]
password: [password]
gio: http://0.0.0.0:7999: Operation not supported
[SETUP] contentctl_0 >> Finished Setup! | Time: 0:05:06
[UNIT ] Anomalous usage of 7zip:True Positive Test >> PASS | Time: 0:00:05
[INTEG] Anomalous usage of 7zip:True Positive Test >> SKIP | Time: 0:00:00
[GROUP] Anomalous usage of 7zip:True Positive Test >> Test Group Done | Time: 0:00:24
Completed 0/1 0.00%[ ] | Elapsed: 0:00:23 | Remaining: Unknown ETA
Container [contentctl_0] has NOT been terminated because 'contentctl_test.yml ---> infrastructure_config ---> persist_and_reuse_container = True'
To remove it, please manually run the following at the command line: `docker container rm -fv contentctl_0`
Finished running tests on instance: [contentctl_0]
Completed 0/1 0.00%[ ] | Elapsed: 0:00:23 | Remaining: Unknown ETA
Test Summary (mode: All)
Success : True
Success Rate : 100.0%
Total Detections : 1
Total Tested Detections : 1
Passed Detections : 1
Failed Detections : 0
Skipped Detections : 0
Production Status :
Production Detections : 1
Experimental Detections : 0
Deprecated Detections : 0
Manually Tested Detections : 0
Untested Detections : 0
Test Results File : test_results/summary.yml
NOTE: skipped detections include non-production, manually tested, and certain
detection types (e.g. Correlation), but there may be overlap between these
categories.
All tests have run successfully or been marked as 'skipped'
$ contentctl test
DEPLOYMENT Progress: [100%]... ✓ Done!
LOOKUP Progress: [ 0%]... ✓ Done!
MACRO Progress: [100%]... ✓ Done!
STORY Progress: [100%]... ✓ Done!
BASELINE Progress: [ 0%]... ✓ Done!
DATASOURCE Progress: [100%]... ✓ Done!
PLAYBOOK Progress: [ 0%]... ✓ Done!
DETECTION Progress: [100%]... ✓ Done!
DASHBOARD Progress: [ 0%]... ✓ Done!
REMOVEDSECURITYCONTENTOBJECT Progress: [ 0%]... ✓ Done!
Build of 'My New Content Pack Title' APP successful to dist/ContentPack-latest.tar.gz
MODE: [All] - Test [1] detections
Getting the latest version of the container image [registry.hub.docker.com/splunk/splunk:9.3]...done!
Downloading splunk-common-information-model-cim_520.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-okta-identity-cloud_210.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading add-on-for-linux-sysmon_104.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading Splunk_TA_fix_windows.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-microsoft-windows_880.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-sysmon_400.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-unix-and-linux_900.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-crowdstrike-fdr_150.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-microsoft-iis_130.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading ta-for-suricata_234.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading ta-for-zeek_106.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-nginx_322.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-stream-forwarders_811.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-stream-wire-data_811.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading palo-alto-networks-add-on-for-splunk_811.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading zscaler-technical-add-on-for-splunk_403.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-amazon-kinesis-firehose_132.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-amazon-web-services-aws_750.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-google-cloud-platform_440.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-google-workspace_263.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-microsoft-cloud-services_522.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-add-on-for-microsoft-office-365_451.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading splunk-machine-learning-toolkit_541.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Downloading url-toolbox_192.tgz 100%[████████████████████][PREVIOUSLY CACHED]
Copying [dist/ContentPack-0.0.1.tar.gz] to [/home/yo/exp/contentctl/MyNewContentPack/apps/ContentPack-0.0.1.tar.gz]...Done
Bottle v0.13.3 server starting up (using SimpleWebServer())...
Listening on http://0.0.0.0:7999/
Hit Ctrl-C to quit.
Finished running tests on instance: [contentctl_0] ] | Elapsed: Unknown Time | Remaining: Unknown ETA
Completed 0/1 0.00%[ ] | Elapsed: Unknown Time | Remaining: Unknown ETA
gio: http://0.0.0.0:7999: Operation not supported
[INSTANCE SETUP ERRORS]:
❌ [contentctl_0]: Testing stopped for contentctl_0
Test Summary (mode: All)
Success : False
Success Rate : UKNOWN
Total Detections : 1
Total Tested Detections : 0
Passed Detections : 0
Failed Detections : 0
Skipped Detections : 0
Production Status :
Production Detections : 0
Experimental Detections : 0
Deprecated Detections : 0
Manually Tested Detections : 0
Untested Detections : 1
Test Results File : test_results/summary.yml
NOTE: skipped detections include non-production, manually tested, and certain
detection types (e.g. Correlation), but there may be overlap between these
categories.
Verbose error logging is DISABLED.
Please use the --verbose command line argument if you need more context for your error or file a bug report.
There was at least one unsuccessful test
$ docker ps -a
$ docker logs contentctl_0
[...]
TASK [splunk_standalone : Infer app filepath] **********************************
ok: [localhost]
Wednesday 04 June 2025 20:30:01 +0000 (0:00:00.043) 0:01:14.159 ********
TASK [splunk_standalone : Check app contents] **********************************
fatal: [localhost]: FAILED! => {
"changed": false,
"cmd": "set -o pipefail && tar --exclude='*/*/*' --exclude='*.*' -tf /tmp/apps/splunk-add-on-for-stream-forwarders_811.tgz | awk -F'/' '{ print$1 }' | uniq",
"delta": "0:00:01.255073",
"end": "2025-06-04 20:30:02.866646",
"rc": 2,
"start": "2025-06-04 20:30:01.611573"
}
STDOUT:
Splunk_TA_stream
STDERR:
gzip: stdin: unexpected end of file
tar: Unexpected EOF in archive
tar: Error is not recoverable: exiting now
MSG:
non-zero return code
PLAY RECAP *********************************************************************
localhost : ok=154 changed=22 unreachable=0 failed=1 skipped=114 rescued=0 ignored=0
Wednesday 04 June 2025 20:30:02 +0000 (0:00:01.553) 0:01:15.712 ********
===============================================================================
splunk_common : Start Splunk via CLI ----------------------------------- 19.03s
splunk_standalone : Install app via REST -------------------------------- 8.01s
splunk_common : Update /opt/splunk/etc ---------------------------------- 3.14s
splunk_standalone : Install app via REST -------------------------------- 2.68s
splunk_common : Update Splunk directory owner --------------------------- 1.98s
splunk_common : Get Splunk status --------------------------------------- 1.58s
splunk_standalone : Install app via REST -------------------------------- 1.56s
splunk_standalone : Check app contents ---------------------------------- 1.55s
splunk_standalone : Install app via REST -------------------------------- 1.36s
Gathering Facts --------------------------------------------------------- 1.11s
splunk_standalone : Install app via REST -------------------------------- 0.97s
splunk_standalone : Install app via REST -------------------------------- 0.96s
splunk_common : Check if requests_unixsocket exists --------------------- 0.96s
splunk_standalone : Install app via REST -------------------------------- 0.89s
splunk_standalone : Install app via REST -------------------------------- 0.88s
splunk_standalone : Install app via REST -------------------------------- 0.84s
splunk_common : Generate user-seed.conf (Linux) ------------------------- 0.71s
splunk_common : Test basic https endpoint ------------------------------- 0.69s
splunk_standalone : Check app contents ---------------------------------- 0.68s
splunk_standalone : Get existing HEC token ------------------------------ 0.67s
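Fix: the cached copy of splunk-add-on-for-stream-forwarders_811.tgz appears to be truncated (gzip reports "unexpected end of file" inside the container), and the second run reused it as PREVIOUSLY CACHED. Delete the cached archive so that it is downloaded again, and remove the failed container: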
$ rm apps/splunk-add-on-for-stream-forwarders_811.tgz
$ docker rm <container ID>  # the contentctl_0 container, as listed by `docker ps -a`
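# WARNING: this deletes ALL unused Docker volumes on the host (named ones included), not only those created by contentctl. Run it only on a VM dedicated to this usage.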
$ docker volume prune -a -f
Then restart the test with `contentctl test`.