Thanks, Thompson.
I obtained the last output by extracting the plain tarball and running it directly from the logged-in user's home folder. The directories were created under the logged-in user.
Previously I tried the RPM version, which created the user splunk for me, which I logged in as and performed the installation procedures. The directories created by the Splunk forwarder start (/opt/splunkforwarder/var) were created under the splunk user's ownership too.
I stopped at the same point.
Here is the output from my current AMI:
[ec2-user@ip-10-10-29-1 ~]$ cat /etc/*-release
NAME="Amazon Linux AMI"
VERSION="2017.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2017.03"
PRETTY_NAME="Amazon Linux AMI 2017.03"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2017.03:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"
Amazon Linux AMI release 2017.03