Hi,
I decided to spin up my Splunk home environment again, and I'm running into an issue this time while installing my UF 9.0 on my Raspberry Pi. It's a Pi 4 B running Ubuntu 22.04.1 LTS on aarch64 architecture.
I followed the install instructions on Splunk's page for installing a UNIX forwarder,
and used the following bundle: "splunkforwarder-9.0.0-6818ac46f2ec-Linux-armv8.tgz".
After getting some normal permissions things out of the way, I started the forwarder; this time it's giving me the error:
Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/alert_actions.conf, line 229: enable_allowlist (value: false).
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
So after running splunk btool check --debug | grep ' No spec' and 'Invalid' (these are all the error types btool reported on), it returns the following after a clean install:
No spec file for: /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/app.conf
No spec file for: /opt/splunkforwarder/etc/apps/introspection_generator_addon/default/app.conf
No spec file for: /opt/splunkforwarder/etc/apps/search/default/app.conf
No spec file for: /opt/splunkforwarder/etc/apps/splunk_internal_metrics/default/app.conf
No spec file for: /opt/splunkforwarder/etc/manager-apps/_cluster/default/indexes.conf
No spec file for: /opt/splunkforwarder/etc/system/default/app.conf
No spec file for: /opt/splunkforwarder/etc/system/default/conf.conf
No spec file for: /opt/splunkforwarder/etc/system/default/federated.conf
No spec file for: /opt/splunkforwarder/etc/system/default/telemetry.conf
Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/alert_actions.conf, line 229: enable_allowlist (value: false).
I cannot really find answers on this topic. They are mostly related to other apps that people installed, but I only installed the universal forwarder, nothing else. I am also not sure what the answer is to the invalid key in the stanza for actions.conf and would like to know if there is a fix.
I also found the following error, and read online that it's not impacting the functionality of Splunk, but is there a way to suppress them and how can I be sure that it's not an issue?
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforward
my /opt/ permissions:
splunk@hostname:/opt/splunkforwarder$ ls -lia /opt
148855 drwxr-xr-x 10 splunk splunk 4096 Aug 12 15:47 splunkforwarder
Any help would be appreciated on this. I am trying to get the cleanest start possible, because on my last run I had a problem with the way my data was being ingested (the 'sourcetype too small' problem) and I wasn't able to fix it back then.
Kind regards
Invalid key in stanza [webhook]
This is a bug in 9.0.0. Updating should get rid of it.
If you want to remove the message without updating, you can edit
/opt/splunkforwarder/etc/system/default/alert_actions.conf
and remove line 229: enable_allowlist = false
But this will have an impact on the manifest check at start, as you're not supposed to edit files provided with the installation.
You could also edit the manifest file and remove the line which checks for this specific alert_actions.conf, but Splunk support may ask for the original manifest file if you open a case with them.
About
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforward
This is an automatic message since version 9 every time you type a splunk command line.
At this time the correct procedure to get rid of this is not clearly defined, as far as I know.
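
The btool output quoted in the question can be triaged with a short script. This is an added example, not part of the original posts and not Splunk tooling: it separates "No spec file" notices from "Invalid key" findings and marks whether the affected file sits under a default/ directory (shipped with the install) or elsewhere. The function names and the sample constant are assumptions made for this example.

```python
import re
import sys

# Constructed sample: three lines copied from the btool output quoted in the question.
SAMPLE = """\
No spec file for: /opt/splunkforwarder/etc/apps/search/default/app.conf
No spec file for: /opt/splunkforwarder/etc/system/default/telemetry.conf
Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/alert_actions.conf, line 229: enable_allowlist (value: false).
"""

INVALID = re.compile(
    r"Invalid key in stanza \[(?P<stanza>[^\]]*)\] in (?P<path>.+?), "
    r"line (?P<line>\d+): (?P<key>\S+)\s+\(value: (?P<value>.*)\)\.?\s*$")
NO_SPEC = re.compile(r"No spec file for: (?P<path>\S+)")


def triage(text):
    """Split btool check output into invalid-key findings, no-spec notices, other."""
    findings, no_spec, other = [], [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        bad, spec = INVALID.search(line), NO_SPEC.search(line)
        if bad:
            item = bad.groupdict()
            item["line"] = int(item["line"])
            # Files under a default/ directory ship with Splunk or an app; admin
            # overrides live under local/. Editing a shipped file is what trips
            # the manifest check mentioned in the answer.
            item["shipped_default"] = "/default/" in item["path"]
            findings.append(item)
        elif spec:
            no_spec.append(spec["path"])
        else:
            other.append(line)
    return findings, no_spec, other


def report(text):
    """Return a short human-readable summary of the triage."""
    findings, no_spec, other = triage(text)
    out = [f"{len(no_spec)} 'No spec file' notices, {len(other)} unclassified lines"]
    for f in findings:
        origin = "shipped default file" if f["shipped_default"] else "local/admin file"
        out.append(f"[{f['stanza']}] {f['key']}={f['value']} at "
                   f"{f['path']}:{f['line']} ({origin})")
    return "\n".join(out)


if __name__ == "__main__":
    # Reads piped btool output; falls back to the sample when run interactively.
    print(report(SAMPLE if sys.stdin.isatty() else sys.stdin.read()))
```

Pipe the output of the btool command from the question into the script to get the same summary for a live forwarder.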