{"id":27334890,"url":"https://github.com/dmuth/splunk4docker","last_synced_at":"2025-04-12T14:46:34.685Z","repository":{"id":27010612,"uuid":"30474766","full_name":"dmuth/Splunk4Docker","owner":"dmuth","description":"Don't use this anymore, use splunk-lab instead: https://github.com/dmuth/splunk-lab","archived":false,"fork":false,"pushed_at":"2020-09-03T22:22:36.000Z","size":50,"stargazers_count":4,"open_issues_count":2,"forks_count":1,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-05-02T06:07:42.334Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dmuth.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-02-07T23:49:51.000Z","updated_at":"2020-09-03T22:22:38.000Z","dependencies_parsed_at":"2022-08-31T21:46:15.414Z","dependency_job_id":null,"html_url":"https://github.com/dmuth/Splunk4Docker","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmuth%2FSplunk4Docker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmuth%2FSplunk4Docker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmuth%2FSplunk4Docker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmuth%2FSplunk4Docker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dmuth","download_url":"https://codeload.github.com/dmuth/Splunk4Docker/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248585249,"owners_count":21128974,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-04-12T14:46:34.051Z","updated_at":"2025-04-12T14:46:34.679Z","avatar_url":"https://github.com/dmuth.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n[**Edit:** This has since been deprecated! Please use *splunk-lab* instead: https://github.com/dmuth/splunk-lab]\n\n# Splunk4Docker\n\n\nI manage a large Splunk installation at my day job and, wanting a way to get my feet wet with Docker, decided to build some Docker containers that run Splunk.  This turned out to be a little more challenging than I anticipated. :-)\n\n\n## Getting started\n\nClone this repo.  Then bring up a Vagrant instance of CoreOS by typing `vagrant up`.\n\nNext, download a version of Splunk in .deb package format.  As of this writing, I've tested this with `splunk-6.2.1-245427-linux-2.6-amd64.deb`.  This can be stored anywhere in your filesystem, and a hard link (created with `ln`) can be used to make it accessible to each Docker container.\n\n\n### Spinning up a standalone Search Head\n\n- `vagrant ssh`\n- `cd vagrant/splunk-search-head`\n- `ln /path/to/splunk-6.2.1-245427-linux-2.6-amd64.deb splunk.deb`\n- `./go -d`\n\nThis will build an image from the Dockerfile, run the image, and then run `runtime.sh` within the image to install Splunk.\n\nYou will shortly have a Splunk Search Head listening on port 8000 on the host machine.\n\nTo run the container interactively:\n- `./go bash`\n- (in the Docker container) `/data-devel/runtime.sh`\n\nThe script `runtime.sh` in the current directory can be tweaked as necessary.  For further options, run `go.sh -h`.\n\n\n### Spinning up multiple Indexers\n\nFirst, make sure you aren't running any search heads:\n- `cd $HOME/vagrant/`\n- `./splunk-search-head/kill.sh`\n\nNow, to spin up 3 Indexers, followed by a Search Head which talks to them:\n- `./splunk-indexer/go.sh --num 3`\n- `./splunk-search-head/go.sh -d`\n\nWait a minute or two, and you should be able to connect to port 8000 on the host machine and log into Splunk.  Run the search `index=_internal` and you should see Splunk's internal logs from 4 hosts (3 Indexers plus one Search Head) listed.  Additionally, all events generated on the Search Head will be forwarded to the 3 Indexers.\n\n\n# Volume Export\n\nSearch Head and Indexer containers export the contents of /opt/splunk/var to the Docker host.  They can be found under `splunk-search-head/volumes` and `splunk-indexer/volumes` with names like `search-head-1` and `indexer-1`, where the number is the number of the host that was created.  These directories persist after the containers exit and when they are restarted, allowing for log retention.\n\n\n# Log import\n\nNeed to have some logs of your own indexed by Splunk?  No problem!  Just drop them in the directory volumes/index-intake-1/ or volumes/search-head-intake-1/ and they will be indexed instantly.  This directory also persists between Docker containers, so if you kill and later restart a container, this data will be re-indexed.\n\n\n# Debugging Splunk\n\nLogs are stored under `splunk-(search-head|indexer)/log/splunk/`.  Logs of interest will be `splunkd.log` for overall system operation and `audit.log` for a list of what searches are being run and which Indexers are connected.\n\nTo work on a specific container, run the `go.sh` script with \"bash\" as an argument. Example: `./splunk-search-head/go.sh bash`.\nThat will spin up a Docker instance and put you in a root shell.  From there, run `/data-devel/runtime.sh` to run the\nscript which installs and configures Splunk.  That directory is not ADDed to the Docker image, but rather mounted from\nthe current directory, so any edits made on the local copy of `runtime.sh` will show up in `/data-devel/`.\n\n\n# Known Issues\n\nThis works great under CoreOS.  Under Ubuntu 14.04... not so much.  I ran into weird issues with installing Splunk and starting Splunk which seem to be volume-related.  Right now, I am exporting a substantial portion of the /opt/splunk/ directory to the host running Docker.  This is mostly for debugging issues.  I may revisit this decision later.\n\n`docker restart` does not work correctly.  I tried running `/opt/splunk/bin/splunk enable boot-start` inside each container, but that does not work.\n\n\n# TODO\n\n- I need to see if I can add a switch that keeps from using Volumes when spinning up Docker.  This may fix issues in Ubuntu, at the cost of being harder to debug.\n- A script which autogenerates sample data.  This will be helpful for people who are new to Splunk.\n- Encryption on port 9998 on the indexers\n\n\n# FAQ\n\nQ: What ports are used by the web servers?\n\nA: Ports 8000-8009 are used by the Search Head(s).  Ports 8010-8019 are used by the Indexers.\n\n\nQ: The credentials admin/changeme don't work on the Indexers!\n\nA: I had to change the passwords from the default because the Search Head(s) connect to the Indexers, and the Indexers won't let you use default credentials for connecting via port 8089.  Instead, the credentials are: admin/adminpw.  For the love of all that is sacred, please **change these** if you plan on using this code in production!\n\n\nQ: Why are you running the Splunk install script **inside** of the Docker container instead of running it at container creation time?\n\nA: Splunk comes with a free license that is good for 60 days.  During development, I found it more helpful to use this approach to ensure that I can run my instances for longer if needed.\n\n\nQ: Why does the Virtual Machine use a Gigabyte of RAM?\n\nA: Because Splunk uses a lot of RAM. :-)  I could try limiting this usage, but haven't investigated that avenue thoroughly yet.  The provisioning script for Vagrant sets up a swapfile in CoreOS, so you might be able to get by on half a Gig of RAM if you wanted.  I make no guarantees as of this writing, though!\n\n\n# \"I have a question that's not answered in the FAQ!\"\n\nFile a bug or send me a note. My email address is dmuth@dmuth.org, and I can be readily found on places like [Facebook](http://www.facebook.com/dmuth) and [Twitter](http://twitter.com/dmuth).\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdmuth%2Fsplunk4docker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdmuth%2Fsplunk4docker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdmuth%2Fsplunk4docker/lists"}