Solved: Splunk Forwarder RPI won't run binary?

dragde0991 · ‎01-14-2023

Hey all - I successfully installed a forwarder on my RPI a while back but can't seem to be able to do it again. After unpacking splunkforwarder-9.0.3-dd0128b1f8cd-Linux-armv8.tgz into /opt/, I can't run the splunk binary. I have also tried the 64bit and s390x, just cuz. I've google extensively and had not luck with some solutions such as creating a symbolic link to a certain file, but the file already exists in the system. I realize this file name says armv8 and armv8 "introduces the 64-bit instruction set", but the downloads page doesn't have armv7. Anyway....

sudo /opt/splunkforwarder/bin/splunk start --accept-license
/opt/splunkforwarder/bin/splunk: 1: Syntax error: "(" unexpected

uname -a
Linux zeek-pi 5.15.61-v7l+ #1579 SMP Fri Aug 26 11:13:03 BST 2022 armv7l GNU/Linux

uname -r
5.15.61-v7l+

Any suggestions on how to fix this? Thank you!

PickleRick · ‎01-15-2023

Your uname shows thay you are running armv7 kernel. Either because your hardware doesn't support a newer architecture or you're running a wrong kernel for your platform.

If your Raspberry Pi is indeed the one with a 32-bit processor, you're limited to armv7 UF releases and there's nothing you can do about it. You can't run armv8 binaries on an armv7 hardware or armv7 kernel.

View solution in original post

PickleRick · ‎01-15-2023

Your uname shows thay you are running armv7 kernel. Either because your hardware doesn't support a newer architecture or you're running a wrong kernel for your platform.

If your Raspberry Pi is indeed the one with a 32-bit processor, you're limited to armv7 UF releases and there's nothing you can do about it. You can't run armv8 binaries on an armv7 hardware or armv7 kernel.

dragde0991 · ‎01-14-2023

Installing Forwarder 8.1.9 for Linux seems to have done the trick...I don't like being on an old version though, is this still supported? And is it the only method for installation on RPI?

gcusello · ‎01-14-2023

Hi @dragde0991,

in this page (https://www.splunk.com/en_us/blog/industries/how-to-splunk-data-from-a-raspberry-pi-three-easy-steps...) there's a description about installation of Splunk Universal Forwarder on RPI but it's an old one (6.x).

And in this page there are some steps to do before installation: https://ethicalhackingguru.com/put-splunk-universal-forwarder-on-raspberry-pi/ using ARM, also this page is old (2018), but probably the pre installation steps are correct.

In another page is hinted to use ARM for installation.

I didn't find newer pages.

What's the kernel of your RPI?

If you have a Splunk License I hint to open a case to Splunk Support.

Ciao.

Giuseppe

dragde0991 · ‎01-15-2023

Thanks for the reply and the resources! The kernel is 5.15. Like I mentioned in my reply to myself above, I was able to find an older version of the forwarder and then install was a breeze. I also found out there's a 64bit (armv8) raspbian so I am going to try and install that OS and see if I have any luck with the newer version of the forwarder.

Splunk Forwarder RPI won't run binary?

installation

troubleshooting

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms