Todd Waller

Splunking Your Raspberry Pi

Hello everyone, welcome back! This week's post is on how to Splunk data from your Raspberry Pi.

I'm going to keep it pretty basic, but it will give you enough to get things flowing, and then you can build on what you have done.

First things first: install Splunk on a laptop or desktop. Next, log in with the admin credentials you created (this is not my first time logging in).

Next, change your admin password if you haven't done it already.

Next, add your license for the data that will be coming in.

Now add a port listener for the data that will be sent to your indexer (mine is a standalone instance).

Now go to your Raspberry Pi and download the ARM version of the Universal Forwarder.

I prefer wget, so once you accept the agreement you can copy the wget command.

Now install the Universal Forwarder on your Raspberry Pi.

NOTE: these are not best practices, simply a quick start to show you how to get your Pi data into Splunk.

Next, accept the license and run Splunk.

Now we need to add something to monitor. What I did was take the file and its accompanying file out of Splunk's *nix app (the app for monitoring Unix data) and add them to the scripts path, /opt/splunkforwarder/bin/scripts. You can download the app from Splunk if you'd like and use any portion of it to monitor your Pi system.

Here's what the script outputs:

Now add your inputs.conf to run the script.

Next, the outputs.conf to configure sending to the indexer (I edited out my IP).

Now restart the Universal Forwarder and go search your new data!

Make sure your firewall allows inbound communication on port 9997, or whatever port you configured the forwarder to send data to on the indexer. You will have issues if the firewall is blocking it.

Again, I DIDN'T use best practices. Normally you'd want the configs in an app, scripts in the app's bin path, props and other configs set up to do extractions, timestamping, etc., and you wouldn't send to the "main" index. For the sake of saving time I didn't do that; this is just for demonstration purposes.
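The inputs.conf and outputs.conf step above, written out as an added example (not the post's own files, whose contents were in screenshots): it generates the two files the quick start needs under etc/system/local and checks the indexer's receiving port from the Pi before you restart the forwarder. The script name vmstat.sh, the indexer hostname splunk-indexer.example and the group name pi_indexer are placeholders I chose; /opt/splunkforwarder, the "main" index and port 9997 are the post's.

```shell
#!/usr/bin/env bash
# Added example, not the post's files: generate the inputs.conf / outputs.conf
# pair the post describes and check that the indexer's receiving port is open.
# Assumptions (not from the post): the script pulled from the *nix app is
# vmstat.sh (placeholder), the indexer is splunk-indexer.example (placeholder),
# and configs go in etc/system/local exactly as the post's quick start does.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"   # forwarder install path from the post

# Print an inputs.conf stanza for a scripted input.
# $1 = script file under $SPLUNK_HOME/bin/scripts, $2 = run interval in seconds,
# $3 = sourcetype, $4 = destination index ("main" in the post, not recommended).
make_inputs_conf() {
  printf '[script://%s/bin/scripts/%s]\ninterval = %s\nsourcetype = %s\nindex = %s\ndisabled = 0\n' \
    "$SPLUNK_HOME" "$1" "$2" "$3" "$4"
}

# Print an outputs.conf that sends all events to a single indexer. $1 = host:port.
make_outputs_conf() {
  printf '[tcpout]\ndefaultGroup = pi_indexer\n\n[tcpout:pi_indexer]\nserver = %s\n' "$1"
}

# Write both files into directory $1 (normally "$SPLUNK_HOME/etc/system/local").
# $2 = script name, $3 = indexer host:port.
write_configs() {
  local dest="$1" script="$2" server="$3"
  mkdir -p "$dest"
  make_inputs_conf "$script" 60 vmstat main > "$dest/inputs.conf"
  make_outputs_conf "$server" > "$dest/outputs.conf"
}

# Succeed (exit 0) only if a TCP connection to $1:$2 opens within 3 seconds.
# Run this from the Pi before restarting the forwarder: a failure here means the
# indexer's firewall or listener is the problem, not the forwarder config.
indexer_reachable() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Typical use on the Pi (needs root for /opt/splunkforwarder):
#   write_configs "$SPLUNK_HOME/etc/system/local" vmstat.sh splunk-indexer.example:9997
#   indexer_reachable splunk-indexer.example 9997 && "$SPLUNK_HOME/bin/splunk" restart
```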

Build on what I've shown you here. Have fun!



1 Comment

Jan 15, 2022

Hi Todd, thanks for sharing this.

What Raspberry Pi distribution and h/w did you use?

I'm looking to implement a syslog server on a Pi and forward it into enterprise Splunk; any idea whether a Raspberry Pi 4 would work with the standard Raspberry Pi OS?
