Splunk in a Docker Container on RedHat 8

We are assuming you already have Docker configured and running; if so, the process for getting Splunk into a Docker container is pretty straightforward. If you need to install Docker on RedHat 8, reference this post: Install Docker in RedHat 8. The first thing we need to do is pull the Splunk Enterprise image in Docker.

Get the Splunk Image into Docker

# docker pull splunk/splunk:latest

latest: Pulling from splunk/splunk
7fe5fcc0340e: Pull complete
086296bbdfc7: Pull complete
14ff6633c53e: Pull complete
b19abef98aee: Pull complete
45461790a7ee: Pull complete
f258280a2ea4: Pull complete
5bff1601d9e1: Pull complete
a63920b532e7: Pull complete
390e19b231e3: Pull complete
fb1768f5f61c: Pull complete
03d4152f6699: Pull complete
Digest: sha256:0f5d9cee49b5ca5fbe408727b1d8d66dffda1fa70334dfafcc6e510ac7be5568
Status: Downloaded newer image for splunk/splunk:latest
docker.io/splunk/splunk:latest                           

Run the Splunk Image

Now we need to run the image you just pulled. There are a couple of options you will need to fill in: the Splunk password and the ports.

# docker run -d -p 8000:8000 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=changeme' splunk/splunk:latest 

Above, host port 8000 is mapped to container port 8000. Splunk Web listens on 8000 by default. You can change the mapping if the host port is already in use, for example 8500:8000, which forwards host port 8500 to port 8000 inside the container.

Below you can see what happens if the port is already in use. In this case I already have Splunk installed directly on RedHat, not in a container, so we will try again with the port remapped as in the example above.

# docker run -d -p 8000:8000 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=changeme' splunk/splunk:latest
b17cb2147a0865aac83087d23fad021caca8ad5be6152f2d5e548aa56074f4d8

docker: Error response from daemon: driver failed programming external connectivity on endpoint musing_nash (e2244120106ac64bb7d9ca8af00ce5cc7a9f2e440da68b2de473f67011b888d1): Error starting userland proxy: listen tcp 0.0.0.0:8000: bind: address already in use.  

Running again, but with the port remapped:

# docker run -d -p 8500:8000 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=changeme' splunk/splunk:latest

0e9386e6b61e0d212f16f9cd47fdf45499b35c2e86d81df9e5fc1e895a93f992       

Check Status of Container & Splunk

Now let’s check the status of the container.

# docker ps -a -f id=0e9386e6b61e0d212f16f9cd47fdf45499b35c2e86d81df9e5fc1e895a93f992

CONTAINER ID        IMAGE                  COMMAND                  CREATED             STATUS                   PORTS                                                                           NAMES
0e9386e6b61e        splunk/splunk:latest   "/sbin/entrypoint.sh…"   3 minutes ago       Up 3 minutes (healthy)   8065/tcp, 8088-8089/tcp, 8191/tcp, 9887/tcp, 9997/tcp, 0.0.0.0:8500->8000/tcp   kind_nobel     

Our container status is good, so let’s make sure Splunk is accessible. There are a couple of ways to check. Remember that in my example we remapped to 8500, so that will be our port; if you did not need to remap, 8000 will be your port.

  1. If the host has a graphical interface, log in, start a web browser and enter: localhost:8500
  2. For remote access, start a web browser on your remote machine (in my case a Mac) and enter IP:port: http://10.0.1.165:8500

By default Splunk Web is served over plain HTTP, so the login password crosses the network in clear text when you connect remotely; you can switch it to HTTPS in the Splunk settings if you prefer.
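As an added helper script (not from the original post or the splunk/splunk project), the following wraps the run command above: it takes the host port as a parameter, reads SPLUNK_PASSWORD from an env file via --env-file so the password is never typed on the command line, and polls docker inspect until the image's health check reports healthy, the same "(healthy)" status shown in the docker ps output above. The DOCKER variable, the env-file name and the timeout are assumptions of this script.

```shell
#!/bin/sh
# Added helper, not from the original post: start the Splunk container on a
# chosen host port and wait for the image's built-in health check (the
# "(healthy)" column in "docker ps") before reporting success.  The password
# is read from an env file instead of being typed on the command line, so it
# stays out of shell history and "ps" output.  DOCKER can be pointed at a stub
# so the control flow can be exercised without a daemon (assumption for tests).
DOCKER="${DOCKER:-docker}"

# wait_healthy <container_id> <max_seconds>
# Polls the health status once per second.  Returns 0 on "healthy", 1 when the
# check reports "unhealthy", the container exits, or the timeout expires.
wait_healthy() {
    cid=$1; limit=$2; n=0
    while [ "$n" -lt "$limit" ]; do
        health=$("$DOCKER" inspect -f '{{.State.Health.Status}}' "$cid" 2>/dev/null)
        case "$health" in
            healthy)   return 0 ;;
            unhealthy) return 1 ;;
        esac
        state=$("$DOCKER" inspect -f '{{.State.Status}}' "$cid" 2>/dev/null)
        if [ "$state" = "exited" ]; then
            return 1
        fi
        n=$((n + 1)); sleep 1
    done
    return 1
}

# start_splunk <host_port> <env_file> [max_seconds]
# env_file holds SPLUNK_PASSWORD=... (one VAR=value per line, as --env-file
# expects).  The host port is the only thing that changes when 8000 is taken,
# e.g. 8500 gives the 8500:8000 mapping used in the post.  Prints the id.
start_splunk() {
    port=$1; envfile=$2; limit=${3:-120}
    if ! grep -q '^SPLUNK_PASSWORD=' "$envfile" 2>/dev/null; then
        echo "start_splunk: $envfile must set SPLUNK_PASSWORD" >&2; return 1
    fi
    cid=$("$DOCKER" run -d -p "${port}:8000" \
            -e SPLUNK_START_ARGS=--accept-license \
            --env-file "$envfile" splunk/splunk:latest) || return 1
    if wait_healthy "$cid" "$limit"; then
        echo "$cid"
    else
        echo "start_splunk: container $cid did not become healthy" >&2
        return 1
    fi
}

# Example invocation (real daemon needed): start_splunk 8500 ./splunk.env
```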

Docker Administration for Splunk

Here are some commands that will help with administering Splunk in Docker. There are many more you can run, but we will go over the most used ones. If you want to learn more, go here: GitHub for Splunk-Docker.

To see a list of example commands and environment variables for running Splunk Enterprise in a container:

# docker run -it splunk/splunk help

/ ___| _ __ | |_   _ _ __ | | __  \ \
 \___ \| '_ \| | | | | '_ \| |/ /   \ \
  ___) | |_) | | |_| | | | |   <    / /
 |____/| .__/|_|\__,_|_| |_|_|\_\  /_/
       |_|
========================================


Environment Variables:
  * SPLUNK_USER - user under which to run Splunk (default: splunk)
  * SPLUNK_GROUP - group under which to run Splunk (default: splunk)
  * SPLUNK_HOME - home directory where Splunk gets installed (default: /opt/splunk)
  * SPLUNK_START_ARGS - arguments to pass into the Splunk start command; you must include '--accept-license' to start Splunk (default: none)
  * SPLUNK_ROLE - the role of this Splunk instance (default: splunk_standalone)
      Acceptable values:
        - splunk_standalone
        - splunk_search_head
        - splunk_indexer
        - splunk_deployer
        - splunk_license_master
        - splunk_cluster_master
        - splunk_heavy_forwarder
  * SPLUNK_LICENSE_URI - URI or local file path (absolute path in the container) to a Splunk license
  * SPLUNK_STANDALONE_URL, SPLUNK_INDEXER_URL, ... - comma-separated list of resolvable aliases to properly bring-up a distributed environment.
                                                     This is optional for standalones, but required for multi-node Splunk deployments.
  * SPLUNK_BUILD_URL - URL to a Splunk build which will be installed (instead of the image's default build)
  * SPLUNK_APPS_URL - comma-separated list of URLs to Splunk apps which will be downloaded and installed


Examples:
  * docker run -it -p 8000:8000 splunk/splunk start
  * docker run -it -e SPLUNK_START_ARGS=--accept-license -p 8000:8000 -p 8089:8089 splunk/splunk start
  * docker run -it -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_LICENSE_URI=http://example.com/splunk.li

To see a list of your running containers:

# docker ps

CONTAINER ID        IMAGE                  COMMAND                  CREATED             STATUS                    PORTS                                                                           NAMES
0e9386e6b61e        splunk/splunk:latest   "/sbin/entrypoint.sh…"   54 minutes ago      Up 54 minutes (healthy)   8065/tcp, 8088-8089/tcp, 8191/tcp, 9887/tcp, 9997/tcp, 0.0.0.0:8500->8000/tcp   kind_nobel

To stop your Splunk Enterprise container:

docker container stop <container_id>
# docker container stop 0e9386e6b61e
0e9386e6b61e
[root@rhminisrv andy]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

To list stopped containers:

# docker ps --filter "status=exited"

CONTAINER ID        IMAGE                  COMMAND                  CREATED             STATUS                        PORTS               NAMES
36d2c6379bde        splunk/splunk          "/sbin/entrypoint.sh…"   18 minutes ago      Exited (1) 18 minutes ago                         dreamy_sanderson
0e9386e6b61e        splunk/splunk:latest   "/sbin/entrypoint.sh…"   About an hour ago   Exited (143) 16 minutes ago                       kind_nobel

To start a stopped container:

docker container start <container_id>
# docker container start 0e9386e6b61e
0e9386e6b61e

You can check it again:

# docker ps
CONTAINER ID        IMAGE                  COMMAND                  CREATED             STATUS                    PORTS                                                                           NAMES
0e9386e6b61e        splunk/splunk:latest   "/sbin/entrypoint.sh…"   About an hour ago   Up 31 seconds (healthy)   8065/tcp, 8088-8089/tcp, 8191/tcp, 9887/tcp, 9997/tcp, 0.0.0.0:8500->8000/tcp   kind_nobel

To access a running Splunk Enterprise container to perform administrative tasks, such as modifying configuration files:

# docker exec -it <container_id> bash

[ansible@0e9386e6b61e splunk]$ pwd
/opt/splunk
[ansible@0e9386e6b61e splunk]$ ls
README-splunk.txt  etc      license-eula.txt  splunk-8.0.2-a7f645ddaf91-linux-2.6-x86_64-manifest
bin                include  openssl           var
copyright.txt      lib      share

[ansible@0e9386e6b61e splunk]$ exit
exit

That’s it; hopefully everything went seamlessly. Happy Splunking!