Installation

Install universal forwarder on Linux "unattended"

henryfox
Engager

I don't know why Splunk does not distribute clear instructions or tools to install and configure Linux properly.

Red Hat 9.x does not have init.d, so you need to set boot-start with managed = 1, but the service, even if installed, also needs systemctl enable SplunkForwarder.service.

In Red Hat 8 this is not the case.

The latest forwarder 9.1.1 also won't set up properly if you don't use user-seed.conf.

I came up with this, which does its job somehow; it would be nice if someone would add their ideas to make it better.

(I'm running Splunk as root for testing purposes)

#!/bin/bash

SPLUNK_FILE="splunkforwarder-9.1.1-64e843ea36b1.x86_64.rpm"

## install the package (run this script as root)
rpm -ivh "$SPLUNK_FILE"

## change ownership to root
chown -R root:root /opt/splunkforwarder

## create user-seed.conf, which Splunk accepts to set admin credentials without user interaction
## (no sudo here: the script already runs as root, and sudo does not apply to a shell redirection)
cat <<EOF > /opt/splunkforwarder/etc/system/local/user-seed.conf
[user_info]
USERNAME = admin
PASSWORD = changeme
EOF

## the file holds a plaintext password, so make it readable by the owner only
chmod 600 /opt/splunkforwarder/etc/system/local/user-seed.conf



##configure splunk
/opt/splunkforwarder/bin/splunk set deploy-poll 192.168.68.129:8089 --accept-license --answer-yes --auto-ports --no-prompt
/opt/splunkforwarder/bin/splunk enable boot-start  -systemd-managed 0
/opt/splunkforwarder/bin/splunk start --no-prompt --answer-yes



##configure splunk on Red Hat 9.x (use these lines instead of the block above)
#/opt/splunkforwarder/bin/splunk set deploy-poll 192.168.68.129:8089 --accept-license --answer-yes --auto-ports --no-prompt
#/opt/splunkforwarder/bin/splunk enable boot-start  -systemd-managed 1
#systemctl enable SplunkForwarder.service
#systemctl start SplunkForwarder.service

0 Karma
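
A variant of the script in the post, added here as an example and not part of the original post: it chooses the -systemd-managed value from VERSION_ID in /etc/os-release, following the post's observation about 9.x versus 8, and writes user-seed.conf with owner-only permissions from a password read on stdin. The function names and the --install switch are hypothetical.

```bash
#!/bin/bash
# Added example, not the poster's script. Function names and the --install
# switch are hypothetical; paths, flags and the unit name are the post's.
SPLUNK_HOME="/opt/splunkforwarder"

# Print the major release number from an os-release style file.
os_major() {
    local file="${1:-/etc/os-release}" ver
    ver="$(sed -n 's/^VERSION_ID="\{0,1\}\([0-9][0-9]*\).*/\1/p' "$file" | head -n 1)"
    [ -n "$ver" ] && printf '%s\n' "$ver"
}

# Assumption taken from the post: 9.x needs -systemd-managed 1, older releases 0.
systemd_managed_for() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 9 ]; then echo 1; else echo 0; fi
}

# Write user-seed.conf with mode 600. The password is read from stdin so it is
# not stored in the script and does not show up in the process list.
write_user_seed() {
    local target="$1" user="$2" pass=""
    IFS= read -r pass || true
    [ -n "$pass" ] || return 1
    ( umask 077
      printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' "$user" "$pass" > "$target" ) || return 1
    chmod 600 "$target"   # also tightens a file that already existed
}

# $1 = rpm file, $2 = deployment server host:port; admin password on stdin.
install_forwarder() {
    local managed
    managed="$(systemd_managed_for "$(os_major)")" || return 1
    rpm -ivh "$1" || return 1
    chown -R root:root "$SPLUNK_HOME"   # the post's test setup runs Splunk as root
    write_user_seed "$SPLUNK_HOME/etc/system/local/user-seed.conf" admin || return 1
    "$SPLUNK_HOME/bin/splunk" set deploy-poll "$2" --accept-license --answer-yes --auto-ports --no-prompt
    "$SPLUNK_HOME/bin/splunk" enable boot-start -systemd-managed "$managed"
    if [ "$managed" -eq 1 ]; then
        systemctl enable SplunkForwarder.service
        systemctl start SplunkForwarder.service
    else
        "$SPLUNK_HOME/bin/splunk" start --no-prompt --answer-yes
    fi
}

# Nothing is installed unless the script is called with --install <rpm> <host:port>.
if [ "${1:-}" = "--install" ]; then install_forwarder "$2" "$3"; fi
```

Run as root with the admin password supplied on stdin, for example redirected from a root-only file.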