Awesome
Docker-Splunk: Containerizing Splunk Enterprise
Welcome to the official Splunk repository of Dockerfiles for building Splunk Enterprise and Splunk Universal Forwarder images for containerized deployments.
:warning: DEPRECATION NOTICE
We are no longer releasing Debian images on Docker Hub as of May 2021 (Splunk Enterprise v8.2.0+). Red Hat images will continue to be published.
Table of Contents
Purpose
What is Splunk Enterprise?
Splunk Enterprise is a platform for operational intelligence. Our software lets you collect, analyze, and act upon the untapped value of big data that your technology infrastructure, security systems, and business applications generate. It gives you insights to drive operational performance and business results.
See Splunk Products for more information about the features and capabilities of Splunk products and how you can bring them into your organization.
What is Docker-Splunk?
This is the official source code repository for building Docker images of Splunk Enterprise and Splunk Universal Forwarder. By introducing containerization, we can marry the ideals of infrastructure-as-code and declarative directives to manage and run Splunk Enterprise.
The provisioning of these containers is handled by the Splunk-Ansible project. Refer to the Splunk-Ansible documentation and the Ansible User Guide for more details.
Quickstart
Start a single containerized instance of Splunk Enterprise with the command below, replacing <password>
with a password string that conforms to the Splunk Enterprise password requirements.
$ docker run -p 8000:8000 -e "SPLUNK_PASSWORD=<password>" \
-e "SPLUNK_START_ARGS=--accept-license" \
-it --name so1 splunk/splunk:latest
This command does the following:
- Starts a Docker container using the
splunk/splunk:latest
image. - Names the container as
so1
. - Exposes a port mapping from the host's
8000
port to the container's8000
port - Specifies a custom
SPLUNK_PASSWORD
. - Accepts the license agreement with
SPLUNK_START_ARGS=--accept-license
. This agreement must be explicitly accepted on every container or Splunk Enterprise doesn't start.
After the container starts up, you can access Splunk Web at http://localhost:8000 with admin:<password>
.
To view the logs from the container created above, run:
$ docker logs -f so1
To enter the container and run Splunk CLI commands, run:
# Defaults to the user "ansible"
docker exec -it so1 /bin/bash
# Run shell as the user "splunk"
docker exec -u splunk -it so1 bash
To enable TCP 10514 for listening, run:
docker exec -u splunk so1 /opt/splunk/bin/splunk add tcp 10514 \
-sourcetype syslog -resolvehost true \
-auth "admin:${SPLUNK_PASSWORD}"
To install an app, run:
docker exec -u splunk so1 /opt/splunk/bin/splunk install \
/path/to/app.tar -auth "admin:${SPLUNK_PASSWORD}"
# Alternatively, apps can be installed at Docker run-time
docker run -e SPLUNK_APPS_URL=http://web/app.tgz ...
See Deploy and run Splunk Enterprise inside a Docker container for more information.
Documentation
Visit the Docker-Splunk documentation page for full usage instructions, including installation, examples, and advanced deployment scenarios.
Support
Use the GitHub issue tracker to submit bugs or request features.
If you have additional questions or need more support, you can:
- Post a question to Splunk Answers
- Join the #docker room in the Splunk Slack channel. If you're a new Splunk customer you can register for Slack here
- If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can also open a support case on the https://www.splunk.com/ support portal
See the official support guidelines for more detailed information.
Contributing
We welcome feedback and contributions from the community! See our contribution guidelines for more information on how to get involved.
License
Copyright 2018-2020 Splunk.
Distributed under the terms of our license, splunk-ansible is free and open source software.
Authors
Splunk Inc. and the Splunk Community