The Splunk libraries for Mac have all been compiled with the wrong install names. When a library is compiled, the path to where that library will ultimately be found is coded into the library itself. So when a binary is compiled and links to that library, it records where the library can be found at runtime from that setting. Each library has its install name set when it's compiled, and it is usually set to where the library is compiled to, in this case /Users/eserv/wrangler-2.0/build-home/ember/lib, but that's not where it ultimately ends up, which is in /Applications/splunkforwarder/lib. So this new path needs to be explicitly set at compile time, which is not done, and so the binary ends up looking for the library in the wrong place.

The reason why this works on 10.10 and below is that the splunkd process is launched by the splunk tool, and the splunk tool first sets an environment variable (DYLD_LIBRARY_PATH) which tells the dynamic linker "hey, look in this alternative location for any libraries". This environment variable gets passed down to the splunkd subprocess when it's launched, and so it is able to find its libraries in that alternative location, namely "/Applications/splunkforwarder/lib".

In 10.11 the ability for DYLD environment variables to be passed to subprocesses was blocked with the introduction of SIP (System Integrity Protection). So the splunkd process has only one place to look for those libraries, "/Users/eserv/wrangler-2.0/build-home/ember/lib", which of course doesn't exist, and the whole process crashes at that point. So Splunk really just needs a recompile with the libraries having their correct install names.
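An added example, not part of the original post and not Splunk's code: a small Python reader for the install name (`LC_ID_DYLIB`) and dependency paths (`LC_LOAD_DYLIB`) that the post says are coded into each library, run over a constructed minimal Mach-O image. The library names, the allowed-prefix list and all helper functions are assumptions; on a Mac, `otool -D` and `otool -L` print the same fields.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF                 # thin little-endian 64-bit Mach-O
LC_LOAD_DYLIB, LC_ID_DYLIB = 0xC, 0xD    # dependency path / the library's own install name

def dylib_paths(blob):
    """Return (install_name, [dependency paths]) stored in the Mach-O load commands."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O")
    install_name, deps, off = None, [], 32          # load commands follow the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmdsize < 8 or off + cmdsize > len(blob):
            raise ValueError("corrupt load command")
        if cmd in (LC_LOAD_DYLIB, LC_ID_DYLIB):
            (name_off,) = struct.unpack_from("<I", blob, off + 8)
            if not 24 <= name_off < cmdsize:
                raise ValueError("bad name offset")
            path = blob[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode()
            if cmd == LC_ID_DYLIB:
                install_name = path
            else:
                deps.append(path)
        off += cmdsize
    return install_name, deps

def misplaced(paths, allowed_prefixes):
    """Paths that are not under any directory the deployed product actually uses."""
    return [p for p in paths if not p.startswith(tuple(allowed_prefixes))]

def dylib_cmd(cmd, path):
    """Build one dylib load command (constructed test data)."""
    name = path.encode() + b"\0"
    name += b"\0" * (-(24 + len(name)) % 8)         # pad to 8-byte alignment
    return struct.pack("<6I", cmd, 24 + len(name), 24, 0, 0, 0) + name

def sample_macho(install_name, deps):
    """Constructed minimal dylib image: header plus load commands only."""
    body = dylib_cmd(LC_ID_DYLIB, install_name)
    body += b"".join(dylib_cmd(LC_LOAD_DYLIB, d) for d in deps)
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 6, 1 + len(deps), len(body), 0, 0) + body

BUILD = "/Users/eserv/wrangler-2.0/build-home/ember/lib"     # build path quoted in the post
ALLOWED = ("/Applications/splunkforwarder/lib/", "/usr/lib/")  # assumed deployment prefixes
blob = sample_macho(BUILD + "/libexample.dylib",             # hypothetical library names
                    [BUILD + "/libdep.dylib", "/usr/lib/libSystem.B.dylib"])
name, deps = dylib_paths(blob)
for p in misplaced([name] + deps, ALLOWED):
    print("stale path:", p)
```

Run against every file under the install directory, a non-empty result means the binaries still depend on `DYLD_LIBRARY_PATH` to find their libraries, which is the condition the post describes failing on 10.11.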