Table of Contents
Supported tags
6.3
,6.3.0
,latest
- Splunk Enterprise6.3-light
,6.3.0-light
,latest-light
- Splunk Light6.3-forwarder
,6.3.0-forwarder
,latest-forwarder
- Splunk Universal Forwarder6.2
,6.2.6
- Splunk Enterprise6.2-light
,6.2.6-light
- Splunk Light6.2-forwarder
,6.2.6-forwarder
- Splunk Universal Forwarder6.1
,6.1.8
- Splunk Enterprise6.1-forwarder
,6.1.8-forwarder
- Splunk Universal Forwarder
Introduction
NOTE: I'm working at Splunk, but this is not an official Splunk images. I build them in my free time when I'm not at work. I have some knowledge about Splunk, but you should think twice before putting them in production. I run these images on my own home server just for my personal needs. If you have any issues - feel free to open a bug.
Dockerfiles to build Splunk including Enterpise, Light and Universal Forwarder.
Examples below show you how to pull and start Splunk Enterprise. If you want to use Splunk Light or Universal Forwarder - you just need to change tags to add
-light
or-forwarder
and usesplunklight
anduniversalforwarder
folders.
Version
- Version:
6.3.0
- Build:
aa7d4b1ccb80
Installation
Pull the image from the docker registry. This is the recommended method of installation as it is easier to update image. These builds are performed by the Docker Trusted Build service.
docker pull outcoldman/splunk:6.3.0
Or you can pull latest version.
docker pull outcoldman/splunk:latest
Alternately you can build the image locally.
git clone https://github.com/outcoldman/docker-splunk.git
cd docker-splunk/splunk
docker build --tag="$USER/splunk" .
Quick Start
To manually start Splunk Enterprise container
docker run --hostname splunk -p 8000:8000 -d outcoldman/splunk:6.3.0
This docker image has two data volumes /opt/splunk/etc
and /opt/splunk/var
(See Data Store). To avoid losing any data when container is stopped/deleted mount these volumes from docker volume containers (see Managing data in containers)
docker run --name vsplunk -v /opt/splunk/etc -v /opt/splunk/var busybox
docker run --hostname splunk --name splunk --volumes-from=vsplunk -p 8000:8000 -d outcoldman/splunk:6.3.0
Or if you use docker-compose
vsplunk:
image: busybox
volumes:
- /opt/splunk/etc
- /opt/splunk/var
splunk:
image: outcoldman/splunk:6.3.0
hostname: splunk
volumes_from:
- vsplunk
ports:
- 8000:8000
Configuration
Data Store
This image has two data volumes
/opt/splunk/etc
- stores Splunk configurations, including applications and lookups/opt/splunk/var
- stores indexed data, logs and internal Splunk data
User
Splunk processes are running under splunk
user.
Ports
Next ports are exposed
8000/tcp
- Splunk Web interface (Splunk Enterprise and Splunk Light)8089/tcp
- Splunk Services (All Splunk products)8191/tcp
- Application KV Store (Splunk Enterprise)9997/tcp
- Splunk Indexing Port (not used by default) (Splunk Enterprise)1514
- Network Input (not used by default) (All Splunk products)8088
- HTTP Event Collector
We are using
1514
instead of standard514
syslog port because ports below 1024 are reserved for root access only. See Run Splunk Enterprise as a different or non-root user.
Entrypoint
You can execute Splunk commands by using
docker exec splunk entrypoint.sh splunk version
Splunk is launched in background. Which means that when Splunk restarts (after some configuration changes) - the container will not be affected.
Hostname
It is recommended to specify hostname
for this image, so if you will recreate Splunk instance you will keep the same hostname.
Working with Splunk Forwarder
Using entrypoint.sh
you can enable forwarding to your Splunk Indexer and also
open port for listening using next two commands
docker exec -it splunk_forwarder entrypoint.sh splunk add forward-server splunk_indexer:9997
docker exec -it splunk_forwarder entrypoint.sh splunk add udp 1514
Upgrade from previous version
Upgrade example below
# Use data volume container to persist data between upgrades
docker run --name vsplunk -v /opt/splunk/etc -v /opt/splunk/var busybox
# Start old version of Splunk Enterprise
docker run --hostname splunk --name splunk --volumes-from=vsplunk -p 8000:8000 -d outcoldman/splunk:6.2.3
# Stop Splunk Enterprise container
docker stop splunk
# Remove Splunk Enterprise container
docker rm -v splunk
# Start Splunk Enterprise container with new version
docker run --hostname splunk --name splunk --volumes-from=vsplunk -p 8000:8000 -d outcoldman/splunk:6.3.0