Splunk – universal forwarder on Raspberry Pi 3 and Splunk Enterprise on laptop

A little post to explain how I succeeded in deploying a Splunk forwarder on a Raspberry Pi 3

First install Splunk Enterprise on your laptop.
Then configure it to accept incoming data on port 9997:
In the upper right, click the dropdown for “Settings”. Under Data, click Forwarding and receiving, and you will be taken to the configuration page where you can set Splunk to listen for data from your Pi.

Click “configure receiving”, and you will be taken to the receive data configuration page. Assuming this is a brand new installation of Splunk, you will have no configurations. Click “New” and you will be taken to the new configuration wizard. For now, we will just add a new listener at port 9997, and click Save.

Then install the universal forwarder on your RPi:

Download the Universal Forwarder from http://apps.Splunk.com/app/1611 to your Pi

You’ll find some help on http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Deployanixdfmanually

but it’s not necessary:

just download the .tar file and extract it with: tar -xvf ….

One important thing to know when installing the Universal Forwarder on *nix is that the default install does NOT start automatically on boot.
You can enable autostart by running the following as root:
$SPLUNK_HOME/bin/splunk enable boot-start

To start Splunk on your forwarder, navigate to $SPLUNK_HOME/bin/ and run ./splunk start. You’ll see the standard startup output.
At the next prompt, run ./splunk version, and you should see the version output for ARM Linux.

Congratulations, the Splunk Universal Forwarder is running on your Raspberry Pi!

Now, create the script which Splunk will run to collect the data:

save it as $SPLUNK_HOME/bin/scripts/cpu.sh (the path referenced in inputs.conf below) and make it executable with chmod +x

#!/bin/sh
# runs for about 60 s, one event per second; Splunk launches it every 60 s (see interval in inputs.conf)
for c in $(seq 1 60)
do
    TIME=$(date +"%D %T.%3N %Z")
    TEMP=$(vcgencmd measure_temp)               # e.g. temp=42.8'C
    VOLTS=$(vcgencmd measure_volts)             # e.g. volt=1.2000V
    CPU_TEMP=$(echo "$TEMP" | cut -d \' -f 1)   # drop the 'C unit -> temp=42.8
    VOLTS=$(echo "$VOLTS" | cut -d V -f 1)      # drop the V unit -> volt=1.2000
    echo "time=$TIME|$VOLTS|$CPU_TEMP"
    sleep 1
done
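As an added example (not from the original post), here is a stricter variant of the cpu.sh script above: the parsing is moved into a function that accepts only the two shapes vcgencmd prints and emits an explicit status=error event otherwise, and the collector loop only runs where vcgencmd exists. The field names status, cpu_temp and volts are my choice, not the post's.

```shell
#!/bin/sh
# Added example, not from the original post: a stricter variant of cpu.sh.
# Parsing lives in format_event so it can be run offline on constructed
# vcgencmd-style strings; on the Pi the real commands feed it.

# format_event TIME RAW_TEMP RAW_VOLTS
# vcgencmd prints "temp=42.8'C" and "volt=1.2000V". Only those shapes are
# accepted; anything else (e.g. the "VCHI initialization failed" message
# vcgencmd prints when it cannot open the GPU interface) is emitted as a
# status=error event that keeps the raw strings, so a failing sensor read is
# searchable in Splunk instead of silently producing a malformed line.
format_event() {
    t=$1; raw_temp=$2; raw_volts=$3
    case $raw_temp in
        temp=*"'"C) cpu_temp=${raw_temp#temp=}; cpu_temp=${cpu_temp%"'"C} ;;
        *)          cpu_temp="" ;;
    esac
    case $raw_volts in
        volt=*V) volts=${raw_volts#volt=}; volts=${volts%V} ;;
        *)       volts="" ;;
    esac
    if [ -z "$cpu_temp" ] || [ -z "$volts" ]; then
        printf 'time=%s|status=error|raw_temp=%s|raw_volts=%s\n' \
            "$t" "$raw_temp" "$raw_volts"
    else
        printf 'time=%s|status=ok|cpu_temp=%s|volts=%s\n' \
            "$t" "$cpu_temp" "$volts"
    fi
}

# collect N: emit one event per second for N seconds (Splunk runs the script
# every 60 s per inputs.conf, so N=60 gives continuous coverage).
collect() {
    n=$1
    for c in $(seq 1 "$n"); do
        format_event "$(date +"%D %T.%3N %Z")" \
                     "$(vcgencmd measure_temp 2>&1)" \
                     "$(vcgencmd measure_volts 2>&1)"
        sleep 1
    done
}

# Only start collecting where the Pi firmware tool exists, so the functions
# can be sourced and checked on any machine.
if command -v vcgencmd >/dev/null 2>&1; then
    collect 60
fi
```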

Then edit:
$SPLUNK_HOME/etc/system/local/inputs.conf

[default]
host = raspberrypi
# the path is case-sensitive and must match the directory the tar was extracted to
[script:///opt/Splunkforwarder/bin/scripts/cpu.sh]
index = main
interval = 60
source = cpu_details
sourcetype = pi_system_scripts

Then edit:
$SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/default/outputs.conf

# Version 6.0
[tcpout]
defaultGroup=my_indexers
[tcpout:my_indexers]
# the indexer on the laptop, listening on the receiving port configured above
server=XX.XXX.XX.XXX:9997

Where XX… is the IP address of your laptop.

BE CAREFUL to allow port 9997 through your laptop’s firewall (Windows);
if you don’t, you will see the following error in the log file on the RPi, $SPLUNK_HOME/var/log/splunk/splunkd.log:

connection to ip=ip.address:9997 timed out

When that is done, just start Splunk on the RPi:
$SPLUNK_HOME/bin/splunk start

and you’ll receive data on the search screen of the Splunk Enterprise instance installed on your laptop:
http://localhost:8000/fr-FR/app/search/search#fr-FR/app/search/search

CONGRATULATIONS!! and have fun

mobydock

devops.pm father
