Docker-Splunk: Containerizing Splunk Enterprise


Welcome to the official Splunk repository of Dockerfiles for building Splunk Enterprise and Splunk Universal Forwarder images for containerized deployments.


:warning: DEPRECATION NOTICE
We are no longer releasing Debian images on Docker Hub as of May 2021 (Splunk Enterprise v8.2.0+). Red Hat images will continue to be published.


Table of Contents

  1. Purpose
  2. Quickstart
  3. Documentation
  4. Support
  5. Contributing
  6. License

Purpose

What is Splunk Enterprise?

Splunk Enterprise is a platform for operational intelligence. Our software lets you collect, analyze, and act upon the untapped value of big data that your technology infrastructure, security systems, and business applications generate. It gives you insights to drive operational performance and business results.

See Splunk Products for more information about the features and capabilities of Splunk products and how you can bring them into your organization.

What is Docker-Splunk?

This is the official source code repository for building Docker images of Splunk Enterprise and Splunk Universal Forwarder. By introducing containerization, we can marry the ideals of infrastructure-as-code and declarative directives to manage and run Splunk Enterprise.

The provisioning of these containers is handled by the Splunk-Ansible project. Refer to the Splunk-Ansible documentation and the Ansible User Guide for more details.


Quickstart

Start a single containerized instance of Splunk Enterprise with the command below, replacing <password> with a password string that conforms to the Splunk Enterprise password requirements.

$ docker run -p 8000:8000 -e "SPLUNK_PASSWORD=<password>" \
             -e "SPLUNK_START_ARGS=--accept-license" \
             -it --name so1 splunk/splunk:latest

This command does the following:

  1. Starts a Docker container using the splunk/splunk:latest image.
  2. Names the container as so1.
  3. Exposes a port mapping from the host's 8000 port to the container's 8000 port.
  4. Specifies a custom SPLUNK_PASSWORD.
  5. Accepts the license agreement with SPLUNK_START_ARGS=--accept-license. This agreement must be explicitly accepted on every container or Splunk Enterprise doesn't start.

After the container starts up, you can access Splunk Web at http://localhost:8000 with admin:<password>.

To view the logs from the container created above, run:

$ docker logs -f so1

To enter the container and run Splunk CLI commands, run:

# Defaults to the user "ansible"
docker exec -it so1 /bin/bash

# Run shell as the user "splunk"
docker exec -u splunk -it so1 bash

To open a TCP data input listening on port 10514, run the command below. Note that ${SPLUNK_PASSWORD} is expanded by your host shell before docker exec runs, not read from the container's environment, so export it on the host first:

docker exec -u splunk so1 /opt/splunk/bin/splunk add tcp 10514 \
    -sourcetype syslog -resolvehost true \
    -auth "admin:${SPLUNK_PASSWORD}"

To install an app from a package that is already present inside the container (copy it in with docker cp or mount it as a volume), run:

docker exec -u splunk so1 /opt/splunk/bin/splunk install \
	/path/to/app.tar -auth "admin:${SPLUNK_PASSWORD}"

# Alternatively, apps can be installed at Docker run-time. The URL is fetched
# from inside the container, so it must be reachable from there, and a plain
# http URL gives no integrity protection for the package: prefer https or a
# path mounted into the container.
docker run -e SPLUNK_APPS_URL=http://web/app.tgz ...

See Deploy and run Splunk Enterprise inside a Docker container for more information.
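The Quickstart steps above, chained into one script as an added example that is not part of docker-splunk. It assumes the image's HEALTHCHECK reports "healthy" once splunk-ansible provisioning finishes, the default Splunk password policy (minimum eight characters), the splunkd REST endpoint /services/data/inputs/tcp/raw on management port 8089, and that docker, openssl and curl are available on the host; password_ok, input_listed and wait_healthy are this example's own helper names. Unlike the Quickstart it binds Splunk Web and the management port to loopback rather than to every interface.

```shell
#!/bin/sh
# Added example, not part of docker-splunk: run the Quickstart end to end.
# It starts one Splunk Enterprise container, waits for the image's HEALTHCHECK,
# adds a TCP input the way the Quickstart does, then verifies the input through
# the splunkd management REST port (8089). Assumptions are marked below.
set -eu

CONTAINER="${CONTAINER:-so1}"
IMAGE="${IMAGE:-splunk/splunk:latest}"
TCP_PORT="${TCP_PORT:-10514}"

# Assumption: the default Splunk password policy, which only requires a
# minimum length of eight characters. Tighten this if your policy differs.
password_ok() {
  [ "${#1}" -ge 8 ]
}

# Succeed if an Atom listing of /services/data/inputs/tcp/raw (read on stdin)
# contains an entry titled with the given port number.
input_listed() {
  grep -q "<title>$1</title>"
}

# Poll `docker inspect` until the container reports healthy, or give up after
# the timeout (seconds). Provisioning by splunk-ansible takes a few minutes.
wait_healthy() {
  name="$1"; timeout="${2:-300}"; elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    status="$(docker inspect -f '{{.State.Health.Status}}' "$name" 2>/dev/null || echo missing)"
    case "$status" in
      healthy) return 0 ;;
      starting|missing) ;;                                   # still provisioning
      *) echo "$name is $status; see: docker logs $name" >&2; return 1 ;;
    esac
    sleep 10
    elapsed=$((elapsed + 10))
  done
  echo "timed out waiting for $name" >&2
  return 1
}

main() {
  # Generate the admin password rather than typing one into shell history.
  # It stays readable via `docker inspect` for anyone with Docker socket access.
  pw="$(openssl rand -base64 18)"
  password_ok "$pw"

  # Bind Splunk Web (8000) and the management port (8089) to loopback only;
  # the syslog-style TCP input is the only port published on all interfaces.
  docker run -d --name "$CONTAINER" \
    -p 127.0.0.1:8000:8000 -p 127.0.0.1:8089:8089 \
    -p "$TCP_PORT:$TCP_PORT" \
    -e "SPLUNK_PASSWORD=$pw" \
    -e "SPLUNK_START_ARGS=--accept-license" \
    "$IMAGE" >/dev/null

  wait_healthy "$CONTAINER"

  # $pw is expanded by this host shell before docker exec runs, exactly as
  # ${SPLUNK_PASSWORD} is in the Quickstart command.
  docker exec -u splunk "$CONTAINER" /opt/splunk/bin/splunk add tcp "$TCP_PORT" \
    -sourcetype syslog -resolvehost true -auth "admin:$pw"

  # splunkd serves a self-signed certificate by default, hence -k.
  curl -sk -u "admin:$pw" https://127.0.0.1:8089/services/data/inputs/tcp/raw \
    | input_listed "$TCP_PORT"
  echo "tcp input $TCP_PORT is configured on $CONTAINER"
}

# Run the workflow only when invoked with "up", so the file can also be sourced.
if [ "${1:-}" = up ]; then
  main
fi
```

Run it as sh quickstart.sh up; sourcing the file without the argument only defines the helper functions.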


Documentation

Visit the Docker-Splunk documentation page for full usage instructions, including installation, examples, and advanced deployment scenarios.


Support

Use the GitHub issue tracker to submit bugs or request features.

If you have additional questions or need more support, you can:

See the official support guidelines for more detailed information.


Contributing

We welcome feedback and contributions from the community! See our contribution guidelines for more information on how to get involved.


License

Copyright 2018-2020 Splunk.

Distributed under the terms of our license, docker-splunk is free and open source software.

Authors

Splunk Inc. and the Splunk Community