- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey all - I successfully installed a forwarder on my RPI a while back but can't seem to be able to do it again. After unpacking splunkforwarder-9.0.3-dd0128b1f8cd-Linux-armv8.tgz into /opt/, I can't run the splunk binary. I have also tried the 64bit and s390x, just cuz. I've google extensively and had not luck with some solutions such as creating a symbolic link to a certain file, but the file already exists in the system. I realize this file name says armv8 and armv8 "introduces the 64-bit instruction set", but the downloads page doesn't have armv7. Anyway....
sudo /opt/splunkforwarder/bin/splunk start --accept-license
/opt/splunkforwarder/bin/splunk: 1: Syntax error: "(" unexpected
uname -a
Linux zeek-pi 5.15.61-v7l+ #1579 SMP Fri Aug 26 11:13:03 BST 2022 armv7l GNU/Linux
uname -r
5.15.61-v7l+
Any suggestions on how to fix this? Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your uname shows thay you are running armv7 kernel. Either because your hardware doesn't support a newer architecture or you're running a wrong kernel for your platform.
If your Raspberry Pi is indeed the one with a 32-bit processor, you're limited to armv7 UF releases and there's nothing you can do about it. You can't run armv8 binaries on an armv7 hardware or armv7 kernel.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your uname shows thay you are running armv7 kernel. Either because your hardware doesn't support a newer architecture or you're running a wrong kernel for your platform.
If your Raspberry Pi is indeed the one with a 32-bit processor, you're limited to armv7 UF releases and there's nothing you can do about it. You can't run armv8 binaries on an armv7 hardware or armv7 kernel.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Installing Forwarder 8.1.9 for Linux seems to have done the trick...I don't like being on an old version though, is this still supported? And is it the only method for installation on RPI?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @dragde0991,
in this page (https://www.splunk.com/en_us/blog/industries/how-to-splunk-data-from-a-raspberry-pi-three-easy-steps...) there's a description about installation of Splunk Universal Forwarder on RPI but it's an old one (6.x).
And in this page there are some steps to do before installation: https://ethicalhackingguru.com/put-splunk-universal-forwarder-on-raspberry-pi/ using ARM, also this page is old (2018), but probably the pre installation steps are correct.
In another page is hinted to use ARM for installation.
I didn't find newer pages.
What's the kernel of your RPI?
If you have a Splunk License I hint to open a case to Splunk Support.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply and the resources! The kernel is 5.15. Like I mentioned in my reply to myself above, I was able to find an older version of the forwarder and then install was a breeze. I also found out there's a 64bit (armv8) raspbian so I am going to try and install that OS and see if I have any luck with the newer version of the forwarder.
