What is the command to start the Splunk service? Or better, what is the Splunk service name?
Tried splunk and splunkd
This is RHEL 7.5 and Splunk Forwarder splunkforwarder-7.1.3-51d9cac7b837-linux-2.6-x86_64.rpm
It depends on your environment. To start Splunk manually, use $SPLUNK_HOME/bin/splunk start.
To start Splunk automatically, you must enable boot-start. Run $SPLUNK_HOME/bin/splunk enable boot-start as root to have the forwarder run as root every time the server restarts. This is not optimal, however, as running non-OS processes as root could pose a security risk. A better option is to edit /etc/init.d/splunk to start Splunk as a different user.
Some systems use systemctl to start services at boot time. Talk to your Linux admin about that.
$SPLUNK_HOME/bin/splunk enable boot-start -user $user will configure the Splunk service to run as $user.
As an alternative modify /opt/splunk/etc/splunk-launch.conf and set the OS user parameter in there to splunk
Or follow the steps in Configure Splunk Enterprise to start at boot time
Hi Rich, that did help and I was able to get to that folder. I will try to use the user splunk splunk:
I'm trying to follow the next steps and get it to contact my Splunk indexer.
I added the FW command
Step 5. firewall-cmd --zone=public --add-port=8089/tcp --permanent
Step 5. firewall-cmd --zone=public --add-port=9998/tcp --permanent
Step 6. firewall-cmd --reload
I use a splunk deploy app and
These "apps" are installed into /etc/apps (reverse the slashes if on windows, but still the same path). A properly configured forwarder will have the following apps installed:
use_splunkdeploy (installs config required to talk to the deployment server)
I've edited my inputs.conf to add index. hostname was already there.
I've restarted splunk, but I'm not getting any traffic and the fwd_to_cluster_ssl folder is not being created. I'm checking FW logs and not even seeing the block. What should I check next?
Splunk Service is running,
input.conf updated
config files uploaded
Local FW ports opened
So now you're doing more than just starting Splunk.
You've opened port 9998 in your firewall. Is that the port you've configured on both the forwarder and indexer? Is the indexer set to receive data?
What is the fwd_to_cluster_ssl folder? It's not a Splunk folder so the forwarder will not create it.
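As an added example that is not part of this thread or of Splunk's own tooling, the script below wraps the two checks the replies above raise: whether splunkd is running as root (the concern behind `enable boot-start -user`), and whether the indexer targets configured in the forwarder's outputs.conf use the port that was opened with firewall-cmd and are reachable. The hostnames, the sample outputs.conf and the port values 9997 (a constructed target port) and 9998 (the port opened in the thread) are constructed; the outputs.conf path given in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: forwarder-side health checks. Not Splunk tooling; sample data is constructed.
# Usage:   sh fwd_check.sh /opt/splunkforwarder/etc/system/local/outputs.conf 9998   (path is an assumption)
# Without arguments the constructed samples are used and no network probing happens.
set -u

# Read "user command" lines (as printed by `ps -eo user,comm`) on stdin and print the
# distinct users owning a splunkd process. The header line is skipped by the comm match.
splunkd_users() {
  awk '$2 == "splunkd" { print $1 }' | sort -u
}

# Return 0 if no splunkd process is owned by root, 1 otherwise. $1: file of ps lines.
splunkd_not_root() {
  ! splunkd_users < "$1" | grep -qx root
}

# Extract host:port targets from the server= lines of an outputs.conf.
# Handles comma-separated server lists and stray whitespace. $1: outputs.conf path.
outputs_targets() {
  sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$1" \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$'
}

# Return 0 only if every configured target uses the port opened in the firewall.
# $1: outputs.conf path, $2: port passed to firewall-cmd --add-port.
targets_use_port() {
  for t in $(outputs_targets "$1"); do
    [ "${t##*:}" = "$2" ] || return 1
  done
  return 0
}

# TCP connect test for one host:port; prints "open" or "closed".
# Uses nc with a 3 s timeout when present, else bash's /dev/tcp (no timeout).
tcp_probe() {
  host=${1%%:*}; port=${1##*:}
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$host" "$port" >/dev/null 2>&1 && echo open || echo closed
  elif [ -n "${BASH_VERSION:-}" ]; then
    (exec 3<>"/dev/tcp/$host/$port") >/dev/null 2>&1 && echo open || echo closed
  else
    echo "unknown (no nc and not bash)"
  fi
}

# Constructed sample inputs so the checks run offline. Targets use 9997 while the
# firewall rule in the thread opened 9998, so the mismatch check fires on purpose.
sample_outputs_conf() {
  f=$(mktemp)
  printf '%s\n' '[tcpout]' 'defaultGroup = idx_cluster' '' '[tcpout:idx_cluster]' \
    'server = idx01.example.internal:9997, idx02.example.internal:9997' 'useACK = true' >"$f"
  echo "$f"
}
sample_ps_root() { f=$(mktemp); printf 'USER COMMAND\nroot systemd\nroot splunkd\nsplunk sshd\n' >"$f"; echo "$f"; }
sample_ps_ok()   { f=$(mktemp); printf 'USER COMMAND\nroot systemd\nsplunk splunkd\nsplunk splunkd\n' >"$f"; echo "$f"; }

main() {
  if [ $# -ge 1 ]; then
    conf=$1; port=${2:-9997}; probe=yes
    ps_file=$(mktemp); ps -eo user,comm >"$ps_file"
  else
    conf=$(sample_outputs_conf); port=9998; probe=no; ps_file=$(sample_ps_root)
  fi
  if splunkd_not_root "$ps_file"; then echo "OK: splunkd is not running as root"
  else echo "WARNING: splunkd runs as root; consider enable boot-start -user <user>"; fi
  if targets_use_port "$conf" "$port"; then echo "OK: all outputs.conf targets use port $port"
  else echo "WARNING: not all outputs.conf targets use port $port that was opened in the firewall"; fi
  for t in $(outputs_targets "$conf"); do
    if [ "$probe" = yes ]; then echo "$t: $(tcp_probe "$t")"; else echo "target: $t (probe skipped for sample data)"; fi
  done
  rm -f "$ps_file"; [ $# -ge 1 ] || rm -f "$conf"
}

main "$@"
```

Run it with no arguments to see the sample output, or point it at a real outputs.conf and the port you opened; a "closed" probe result on a correct port points at the indexer side (receiving not enabled, or a host firewall there) rather than at the forwarder.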