Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk on ARM Achitecture

tcha9078
Engager
‎07-31-2020 09:03 PM

Hi,

I am new to SPlunk and I have the following CPU Architecture running Debian Buster 10:

processor : 0
model name : ARMv7 Processor rev 10 (v7l)
BogoMIPS : 6.00
Features : half thumb fastmult vfp edsp neon vfpv3 tls vfpd32
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x2
CPU part : 0xc09
CPU revision : 10

Can splunk enterprise will be able run on this system or do I have to use splunk forwarder only?

 

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hsesterhenn_spl
Splunk Employee
Splunk Employee
‎11-14-2020 09:49 AM

Hi,

as mentioned before, only the UF is available for ARMv6 (no support).

Starting with V8.1 there is a fully supported ARMv8 UF available:

https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements

Try this as of November, 14th, 2020:

https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=ARM&platform=linux&version=8....

If you run on Raspberry Pi you might need to install an Ubuntu (or other ARMv8, 64bit) distro because the original Raspbian Linux (Buster) is based on ARMv7 (32 bit).

A full Splunk Enterprise installation is not supported/available currently but if it's for your home environment you might search for QEMU and Splunk Enterprise... 

Please mark one of the answers as valid.

Happy splunking,

Holger

 

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution

maat
Engager
‎07-12-2023 02:21 PM

For those using Linux on Arm, you can run Splunk on a x86 container using docker:

DOCKER_DEFAULT_PLATFORM=linux/amd64 docker run --privileged -d -p 8000:8000 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=<password>" --name splunk splunk/splunk:latest

 

0 Karma
Reply
Solved! Jump to solution

jmel0
Observer
Thursday

Thanks this was helpful, but it did not fully solve it for me. For anyone else that ends up here, the full solution was as follows:

Test environment: Ubuntu Server 24.04 ARM64  running in a VM on Macbook M3

Install docker

sudo apt install docker.io

sudo systemctl enable docker

sudo systemctl start docker

Pull Splunk Docker Image

Have to add --platform option to specify the pull should be done for amd64 architecture. 

sudo docker pull --platform=linux/amd64 splunk/splunk:latest

Install QEMU 

Need to install QEMU so docker can use emulation when running amd64 splunk on arm64 linux host. I took this from docker official documentation here: https://docs.docker.com/build/building/multi-platform/ in section about installing QEMU manually.

sudo docker run --privileged --rm tonistiigi/binfmt --install all

Run Splunk Docker Image

Adding --platform is not necessary here, but it avoids a warning

Even though it is not mentioned in the official Splunk documentation (https://help.splunk.com/en/splunk-enterprise/get-started/install-and-upgrade/9.3/install-splunk-ente...) I had to add

-e SPLUNK_GENERAL_TERMS=--accept-sgt-current-at-splunk-com

because I was getting an error when splunk was starting up. I found the error in the docker logs and it specifically said to add this. Maybe its a new requirement in latest version of splunk.

sudo docker run -d --platform=linux/amd64 -p 8000:8000 -e SPLUNK_GENERAL_TERMS=--accept-sgt-current-at-splunk-com -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD='<insert_password>' --name splunk-enterprise splunk/splunk:latest

Note: I initially added --privileged option to above command, but it caused an error in deployment of docker image which was related to app armour and the loaded unix_chkpwd profile which is specific to ubuntu 24.04. The issue was confirmed to be app armor related because running sudo aa-complain unix_chkpwd  command caused the error to just turn into a warning and then the docker container started correctly. For some reason, if you do not add --privileged  option then this issue is non-existent and so far splunk seems to be running fine.

 

0 Karma
Reply
Solved! Jump to solution
Solution

hsesterhenn_spl
Splunk Employee
Splunk Employee
‎11-14-2020 09:49 AM

Hi,

as mentioned before, only the UF is available for ARMv6 (no support).

Starting with V8.1 there is a fully supported ARMv8 UF available:

https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements

Try this as of November, 14th, 2020:

https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=ARM&platform=linux&version=8....

If you run on Raspberry Pi you might need to install an Ubuntu (or other ARMv8, 64bit) distro because the original Raspbian Linux (Buster) is based on ARMv7 (32 bit).

A full Splunk Enterprise installation is not supported/available currently but if it's for your home environment you might search for QEMU and Splunk Enterprise... 

Please mark one of the answers as valid.

Happy splunking,

Holger

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-02-2020 05:15 AM

Wait patiently and it may come 🙂

https://www.linkedin.com/feed/update/urn:li:activity:6691303981484011520/

@MuS 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-02-2020 06:55 AM

Especially after Apple has changed to ARM processors later on this year...

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-01-2020 01:50 AM

Hi

based on this https://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements ARM is only supported as UF. 

r. Ismo

Reply
Solved! Jump to solution

rainmk
New Member
‎10-09-2025 11:02 AM

The ARM package is available however not publicly visible you have to request access to 
https://voc.splunk.com/preview/cmp-graviton-early-access

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...