[Splunk] Build Splunk Enterprise (use docker image)

Purpose / background

Splunk can also run in a Docker container, and an official container image is distributed, so let's use it to run Splunk.

Reference site

Run "Splunk" on docker splunk/splunk

Installation of docker and docker-compose

$ sudo apt update

$ sudo apt install -y docker.io
$ docker -v
Docker version 19.03.6, build 369ce74a3c

$ sudo apt install -y docker-compose
$ docker-compose -v
docker-compose version 1.17.1, build unknown

$ sudo groupadd docker
groupadd: group 'docker' already exists
(The docker group already existed.)

$ sudo gpasswd -a $USER docker
Adding user ubuntu to group docker

$ cat /etc/group | grep docker
docker:x:115:ubuntu

$ sudo reboot

$ docker ps

Get a Splunk container

$ docker pull splunk/splunk
$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
splunk/splunk       latest              1d4750df3f5d        3 days ago          1.72GB

Create and launch a Splunk container

$ docker run -d -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_USER=root" -e "SPLUNK_PASSWORD=xxxxxxxx" -p "8000:8000" --name splunk splunk/splunk
$ docker logs splunk -f
    :
PLAY RECAP *********************************************************************
localhost                  : ok=67   changed=8    unreachable=0    failed=0    skipped=65   rescued=0    ignored=0

Tuesday 08 September 2020  05:18:38 +0000 (0:00:00.394)       0:01:26.013 *****
===============================================================================
splunk_common : Update Splunk directory owner -------------------------- 48.08s
splunk_common : Start Splunk via CLI ------------------------------------ 9.35s
splunk_common : Update /opt/splunk/etc ---------------------------------- 2.97s
Gathering Facts --------------------------------------------------------- 2.72s
splunk_common : Get Splunk status --------------------------------------- 2.52s
splunk_common : Wait for splunkd management port ------------------------ 2.15s
splunk_common : Test basic https endpoint ------------------------------- 1.69s
splunk_common : Hash the password --------------------------------------- 1.29s
splunk_common : Trigger restart ----------------------------------------- 0.94s
splunk_common : Get Splunk status --------------------------------------- 0.92s
splunk_common : Generate user-seed.conf (Linux) ------------------------- 0.69s
splunk_common : Check for scloud ---------------------------------------- 0.48s
splunk_common : Find manifests ------------------------------------------ 0.45s
splunk_standalone : Setup global HEC ------------------------------------ 0.45s
splunk_standalone : Get existing HEC token ------------------------------ 0.45s
splunk_common : include_tasks ------------------------------------------- 0.45s
splunk_common : Cleanup Splunk runtime files ---------------------------- 0.42s
Check for required restarts --------------------------------------------- 0.39s
splunk_standalone : Check for required restarts ------------------------- 0.39s
splunk_common : Apply licenses ------------------------------------------ 0.33s
===============================================================================

Ansible playbook complete, will begin streaming splunkd_stderr.log

Once this output appears, press CTRL+C to stop following the log, then open http://xxx.xxx.xxx.xxx:8000/ in your browser.

Enter "admin" as the user name and, as the password, the SPLUNK_PASSWORD value ("xxxxxxxx") specified when the container was started. Startup verification is complete once the dashboard is displayed.
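A launch script in the same spirit as the docker run command above, added here as an example; it is not code from the post or from the splunk/splunk project. It reads SPLUNK_PASSWORD from a file (the path ~/.splunk_password is a hypothetical choice) so the secret never appears on the command line or in shell history, rejects passwords shorter than Splunk's default 8-character minimum or equal to an obvious placeholder, and polls the container's own health check (the "(health: starting)" column in docker ps) before printing the UI address. It assumes the docker CLI is on PATH, uses the image name, container name and port from the post, and leaves SPLUNK_USER at the image default instead of setting it to root.

```shell
#!/bin/sh
# Added example, not code from the post or the splunk/splunk project.
# Launches the image the way the post does, but reads SPLUNK_PASSWORD from a
# file (hypothetical path: ~/.splunk_password) instead of typing it on the
# command line, checks it against Splunk's 8-character default minimum, and
# waits for the container's health check before printing the UI address.

IMAGE="splunk/splunk"      # image name from the post
NAME="splunk"              # container name from the post
WEB_PORT=8000              # host port published to Splunk Web (8000 in the post)

# Return 0 when the password is at least 8 characters (Splunk's default
# minimum) and is not one of the obvious placeholders.
check_password() {
    pw="$1"
    [ "${#pw}" -ge 8 ] || return 1
    case "$pw" in
        xxxxxxxx|changeme|password) return 1 ;;
    esac
    return 0
}

# Print the docker command to be run. "-e SPLUNK_PASSWORD" with no value makes
# docker copy the variable from this shell's environment, so the secret never
# appears in the command line or in shell history. SPLUNK_USER is left at the
# image default rather than set to root as in the post.
run_cmd() {
    printf 'docker run -d -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_PASSWORD -p %s:8000 --name %s %s\n' \
        "$WEB_PORT" "$NAME" "$IMAGE"
}

# Poll the health status the image reports until it becomes "healthy";
# give up after $1 attempts, five seconds apart.
wait_healthy() {
    tries="${1:-60}"
    while [ "$tries" -gt 0 ]; do
        status=$(docker inspect --format '{{.State.Health.Status}}' "$NAME" 2>/dev/null)
        [ "$status" = "healthy" ] && return 0
        tries=$((tries - 1))
        sleep 5
    done
    return 1
}

launch() {
    pw_file="${1:-$HOME/.splunk_password}"
    SPLUNK_PASSWORD=$(cat "$pw_file") || return 1
    check_password "$SPLUNK_PASSWORD" || { echo "password rejected: too short or a placeholder" >&2; return 1; }
    export SPLUNK_PASSWORD
    # The printed command contains no quoted values, so word-splitting it is safe.
    $(run_cmd) || return 1
    wait_healthy 60 || { echo "container did not become healthy" >&2; return 1; }
    echo "Splunk Web: http://localhost:${WEB_PORT}/ (user admin)"
}

# Only launch when run as "sh splunk-up.sh launch [password-file]";
# sourcing the file just defines the functions.
if [ "${1:-}" = "launch" ]; then
    launch "${2:-}"
fi
```

Run it as `sh splunk-up.sh launch` after writing the password to ~/.splunk_password with permissions only the current user can read; the image's health check is what docker ps reports, so once the script prints the URL the admin login above should succeed immediately rather than after the log-watching step.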

How to execute splunk command

$ docker exec -it splunk /bin/bash

Splunk is installed under "/opt/splunk".

$ cd /opt/splunk/bin
$ sudo ./splunk diag
    :
Copying Splunk log files...
Copying bucket info files...
Copying Splunk dispatch files...
Copying Splunk consensus files...
Adding manifest files...
Adding cachemanager_upload.json...
Cleaning up...
Splunk diagnosis file created: /opt/splunk/diag-5d58bc49d37c-2020-09-08_08-04-39.tar.gz

$ exit

Stop container

$ docker stop splunk

Start container

$ docker start splunk
splunk

$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                            PORTS                                                                           NAMES
5d58bc49d37c        splunk/splunk       "/sbin/entrypoint.sh…"   19 minutes ago      Up 3 seconds (health: starting)   8065/tcp, 8088-8089/tcp, 8191/tcp, 9887/tcp, 0.0.0.0:8000->8000/tcp, 9997/tcp   splunk

Conclusion

Launching with a published container image is as easy as building it manually!
