Finally figured this one out thanks to a similar issue someone had 8 years ago lol. You will need to bypass the first-time run script by doing a few things.

1. rm -rf $splunkforwarder_home/ftr
2. cp $splunkforwarder_home/etc/auth/cacert.pem.default $splunkforwarder_home/etc/auth/cacert.pem
3. cp $splunkforwarder_home/etc/auth/ca.pem.default $splunkforwarder_home/etc/auth/ca.pem
4. cp $splunkforwarder_home/etc/myinstall/splunkd.xml.cfg-default $splunkforwarder_home/etc/myinstall/splunkd.xml
5. Create a user-seed.conf file for the default admin user.
6. $splunkforwarder_home/bin/splunk start

This should start the UF; then just proceed to stop, enable boot-start, and finally start the UF service for the final time.
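Steps 1 to 5 of the post above as a single shell function, added here as an example and not written by the poster. The names `prep_uf`, `UF_DEFAULTS` and `UF_ADMIN_PASSWORD` are hypothetical, and the `etc/system/local/user-seed.conf` location with its `[user_info]` stanza is an assumption, since the post does not say where the file goes or what it contains.

```shell
# Added example (not the poster's code): steps 1-5 as one function.
# prep_uf, UF_DEFAULTS and UF_ADMIN_PASSWORD are hypothetical names; the
# user-seed.conf path and contents are assumptions, the post gives neither.

# default-file:target pairs for steps 2-4, relative to the forwarder home
UF_DEFAULTS="etc/auth/cacert.pem.default:etc/auth/cacert.pem
etc/auth/ca.pem.default:etc/auth/ca.pem
etc/myinstall/splunkd.xml.cfg-default:etc/myinstall/splunkd.xml"

prep_uf() (   # subshell body: umask and variables do not leak to the caller
    home="$1"; user="$2"
    [ -d "$home/etc" ] || { echo "not a forwarder home: $home" >&2; return 1; }
    [ -n "$user" ] && [ -n "$UF_ADMIN_PASSWORD" ] ||
        { echo "need a user name and UF_ADMIN_PASSWORD" >&2; return 1; }

    # Verify every default file before changing anything, so a failure
    # leaves the install exactly as it was.
    for pair in $UF_DEFAULTS; do
        [ -f "$home/${pair%%:*}" ] ||
            { echo "missing $home/${pair%%:*}" >&2; return 1; }
    done

    rm -rf "$home/ftr"                                    # step 1
    for pair in $UF_DEFAULTS; do                          # steps 2-4
        cp "$home/${pair%%:*}" "$home/${pair#*:}" || return 1
    done

    # Step 5: seed the admin account. The file holds a plaintext password,
    # so it is created owner-only (umask 077 gives mode 600).
    mkdir -p "$home/etc/system/local" || return 1
    umask 077
    printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' \
        "$user" "$UF_ADMIN_PASSWORD" > "$home/etc/system/local/user-seed.conf"
)
```

The password is read from the environment rather than passed as an argument so it does not end up in shell history; step 6 and the boot-start sequence are still run by hand once the function returns 0.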