Splunk Enterprise Standalone installation on OCP via Splunk Operator
- Download the Splunk Operator YAML
wget -O splunk-operator-install.yaml https://github.com/splunk/splunk-operator/releases/download/1.1.0/splunk-operator-install.yaml
- Deploy the operator
oc create -f splunk-operator-install.yaml
- Allow the service account (SA) for the Splunk Operator to use the 'nonroot' SCC
oc -n splunk-operator adm policy add-scc-to-user nonroot -z splunk-operator-controller-manager
- Wait until the operator is running
- Deploy a standalone instance
oc create namespace splunk
oc -n splunk adm policy add-scc-to-user nonroot -z default
oc -n splunk create -f enterprisesplunk.yaml
- Expose the Splunk web UI (oc expose creates a route without TLS)
oc -n splunk expose svc splunk-s1-standalone-service
- Get the admin password for the Splunk web UI
oc -n splunk get secret splunk-splunk-secret -o json | jq -r '.data.password' | base64 -d
- To connect ACS to Splunk, take two steps:
  - Log in to the Splunk UI and navigate to Data Inputs in the top right. Find the HTTP Event Collector (HEC) and copy the token value from the HEC page.
  - In ACS, create an integration for Splunk from the Platform Configuration -> Integrations menu, using the HTTP Event Collector token. For the endpoint, use the HTTP Event Collector destination:
https://splunk-s1-standalone-service.splunk.svc:8088/services/collector/event
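
Before saving the integration in ACS, the token and endpoint can be checked by sending one test event to HEC and reading the reply code. The script below is an added example, not part of the original page; the function names, the HEC_TOKEN variable and the port-forward in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): check an HEC token and endpoint
# before configuring the ACS Splunk integration. Function names are illustrative.

# Build the in-cluster HEC endpoint, following the service naming used on the page.
hec_url() {  # $1 = namespace, $2 = name of the Standalone instance
  printf 'https://splunk-%s-standalone-service.%s.svc:8088/services/collector/event\n' "$2" "$1"
}

# Extract the numeric "code" field from an HEC JSON reply (prints nothing if absent).
hec_code() {
  printf '%s' "$1" | sed -n 's/.*"code"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Map an HEC reply to a verdict; returns 0 only when the event was accepted.
hec_verdict() {
  code=$(hec_code "$1")
  case "$code" in
    0)     echo "ok"; return 0 ;;
    1)     echo "token disabled"; return 1 ;;
    2|3|4) echo "token missing or invalid"; return 1 ;;
    *)     echo "rejected (code ${code:-none})"; return 1 ;;
  esac
}

# Send one test event to the URL in $1. The token is read from HEC_TOKEN and
# passed to curl on stdin (-H @-, curl 7.55+) so it does not appear in argv.
hec_probe() {
  reply=$(printf 'Authorization: Splunk %s\n' "$HEC_TOKEN" |
    curl -sS -k --max-time 10 -H @- \
      -d '{"event":"acs-hec-check","sourcetype":"manual"}' "$1") ||
    { echo "unreachable"; return 1; }
  hec_verdict "$reply"
}

# Usage from a workstation (the .svc address only resolves inside the cluster):
#   oc -n splunk port-forward svc/splunk-s1-standalone-service 8088:8088   # other terminal
#   HEC_TOKEN='<token from the HEC page>' hec_probe https://localhost:8088/services/collector/event
# -k is used for this probe only: through the port-forward the host is
# "localhost", which is not expected to match the service certificate.
# hec_url splunk s1 prints the endpoint to enter in ACS.
```

A verdict of "ok" means the token is enabled and HEC accepted the event; the test event then appears in the token's default index.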