A little post to explain how I managed to deploy a Splunk forwarder on a Raspberry Pi 3.
First, install Splunk Enterprise on your laptop.
Then configure it to receive data on port 9997:
In the upper right, click the “Settings” dropdown. Under Data, click “Forwarding and receiving”, and you will be taken to the configuration page where you set Splunk to listen for data from your Pi.
Click “Configure receiving”, and you will be taken to the receive data configuration page. Assuming this is a brand new installation of Splunk, there will be no existing configuration. Click “New” to open the new configuration wizard. For now, just add a new listener on port 9997 and click Save.
Then install the Universal Forwarder on your RPi:
Download the Universal Forwarder from http://apps.Splunk.com/app/1611 to your Pi.
You’ll find some help at http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Deployanixdfmanually
but it is not necessary:
just download the .tar file and extract it with
    tar -xvf ….
(tar handles the decompression itself; there is nothing to unzip separately).
One important thing to know when installing the Universal Forwarder on *nix is that the default install does NOT start automatically on boot.
You can make it start at boot by running the following as root:
    $SPLUNK_HOME/bin/splunk enable boot-start
If the forwarder runs under a dedicated unprivileged account rather than root, add -user <username> to that command so the init script switches to that account instead of running splunkd as root.
To start Splunk on your forwarder, navigate to $SPLUNK_HOME/bin/ and run ./splunk start. You’ll see the standard startup output.
At the next prompt, run ./splunk version, and you should see the version output for ARM Linux.
Congratulations, the Splunk Universal Forwarder is running on your Raspberry Pi!
Now, create the script that Splunk will run to collect the data. Put it under $SPLUNK_HOME/bin/scripts/ (the file name is not given here) and make it executable. The core of it is below; the original fragment does not show how TEMP and VOLTS are filled, so the two vcgencmd calls are assumed (their output looks like temp=42.8'C and volt=1.2000V, which is exactly what the two cut commands strip):
    for c in $(seq 1 60); do
      TIME=$(date +"%D %T.%3N %Z")
      TEMP=$(vcgencmd measure_temp)              # assumed source, e.g. temp=42.8'C
      VOLTS=$(vcgencmd measure_volts)            # assumed source, e.g. volt=1.2000V
      CPU_TEMP=$(echo "$TEMP" | cut -d \' -f 1)  # drop the 'C suffix -> temp=42.8
      VOLTS=$(echo "$VOLTS" | cut -d V -f 1)     # drop the V suffix  -> volt=1.2000
      echo "$TIME $CPU_TEMP $VOLTS"              # one event per line for Splunk
      sleep 1                                    # 60 samples over the 60 s interval
    done
Then edit inputs.conf in $SPLUNK_HOME/etc/system/local/ and add a scripted-input stanza for that script (the stanza header is [script://<path to your script>]) with these settings:
    host = raspberrypi
    index = main
    interval = 60
    source = cpu_details
    sourcetype = pi_system_scripts
The interval is in seconds: Splunk launches the script every 60 s, so the 60 one-second samples in the loop fill each interval without overlap.
Then edit outputs.conf in the same directory so the forwarder sends its data to your laptop on port 9997. The file starts with the version header
    # Version 6.0
and its server entry points at XX…:9997, where XX… is the IP of your laptop. The same file can be generated with ./splunk add forward-server XX…:9997 from $SPLUNK_HOME/bin if you prefer the command line.
BE CAREFUL to allow inbound port 9997 in the firewall on your laptop (Windows Firewall). Restrict the rule to the Pi’s address rather than to any source: a plain 9997 listener carries the data unencrypted and accepts whatever forwarder can reach it.
If you don’t open the port, the forwarder log on the RPi, $SPLUNK_HOME/var/log/splunk/splunkd.log, will show
the error:
    connection to ip=ip.address:9997 timed out
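Putting the script, the two configuration files and the log check together, here is an added example (not code from the original post) that builds the whole scripted input from the shell. It assumes a script name of cpu_details.sh, a forwarder output group called laptop, the documentation address 192.0.2.10 as a stand-in for your laptop’s IP, and the default SPLUNK_HOME of /opt/splunkforwarder; the splunkd.log lines used to exercise the check are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: build the Pi's scripted input end to end.
# Assumed names: script file cpu_details.sh, output group "laptop", laptop address
# 192.0.2.10 (documentation range; replace with your laptop's IP), default SPLUNK_HOME.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
INDEXER="${INDEXER:-192.0.2.10:9997}"

# The post's cut(1) pipeline: "temp=42.8'C" -> "temp=42.8", "volt=1.2000V" -> "volt=1.2000".
format_sample() {
  cpu_temp=$(printf '%s' "$1" | cut -d \' -f 1)
  volts=$(printf '%s' "$2" | cut -d V -f 1)
  printf '%s %s\n' "$cpu_temp" "$volts"
}

# Read the sensors via vcgencmd on a Pi; elsewhere return a constructed sample so the
# rest of the pipeline can still be exercised.
read_sensors() {
  if command -v vcgencmd >/dev/null 2>&1; then
    format_sample "$(vcgencmd measure_temp)" "$(vcgencmd measure_volts)"
  else
    format_sample "temp=42.8'C" "volt=1.2000V"   # constructed sample
  fi
}

# Write the script Splunk launches: one line per second for 60 s (interval = 60 below
# starts a fresh run each minute). The heredoc is quoted so nothing expands at write time.
write_script() {
  mkdir -p "$1"
  cat > "$1/cpu_details.sh" <<'EOF'
#!/bin/sh
for c in $(seq 1 60); do
  TIME=$(date +"%D %T.%3N %Z")
  CPU_TEMP=$(vcgencmd measure_temp | cut -d \' -f 1)
  VOLTS=$(vcgencmd measure_volts | cut -d V -f 1)
  echo "$TIME $CPU_TEMP $VOLTS"
  sleep 1
done
EOF
  chmod 755 "$1/cpu_details.sh"
}

# inputs.conf stanza with the post's settings. Overwrites the target file; append
# instead if it already holds other stanzas.
write_inputs_conf() {
  cat > "$1" <<EOF
[script://\$SPLUNK_HOME/bin/scripts/cpu_details.sh]
disabled = 0
host = raspberrypi
index = main
interval = 60
source = cpu_details
sourcetype = pi_system_scripts
EOF
}

# outputs.conf: send everything to the laptop's 9997 receiver.
write_outputs_conf() {
  cat > "$1" <<EOF
[tcpout]
defaultGroup = laptop

[tcpout:laptop]
server = $INDEXER
EOF
}

# The symptom of a blocked receiver: count "timed out" connection errors in splunkd.log.
# Prints 0 (rather than failing) when there are none, so it is safe under set -e.
count_timeouts() {
  grep -c 'connection to ip=.* timed out' "$1" || true
}

# Usage on the Pi, as the account that owns SPLUNK_HOME:
#   write_script "$SPLUNK_HOME/bin/scripts"
#   write_inputs_conf "$SPLUNK_HOME/etc/system/local/inputs.conf"
#   write_outputs_conf "$SPLUNK_HOME/etc/system/local/outputs.conf"
#   "$SPLUNK_HOME/bin/splunk" restart
#   count_timeouts "$SPLUNK_HOME/var/log/splunk/splunkd.log"   # expect 0 once the firewall is open
```

The generated script lives under $SPLUNK_HOME/bin/scripts/, which is why the inputs.conf stanza references it through the unexpanded $SPLUNK_HOME variable; Splunk resolves that itself when it launches the script.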
When that is done, restart Splunk on the RPi (./splunk restart from $SPLUNK_HOME/bin) so it picks up the new inputs.conf and outputs.conf,
and you’ll receive the data on the search screen of the Splunk Enterprise instance installed on your laptop (search for sourcetype=pi_system_scripts to see it):
CONGRATULATIONS!! and have fun