Splunk on Docker

Splunk on Docker for personal evaluation


  • **Not recommended for use in production environments**
  • Easily create a Splunk environment.
  • Lab environments
  • Reduced hardware dependency

Installation & configuration of Splunk Docker containers.


Step 1 : Pull the Splunk images from Docker Hub.

Splunk Enterprise:
    docker pull splunk/splunk

Splunk Universal Forwarder:
    docker pull splunk/universalforwarder


Step 2 : Run the Docker container

docker run --name splunk \
  -p 7050:8000 \
  -p "7051:7051" \
  -p "7052:7052" \
  -v /home/user/mydocker/DockerVolume/Splunk/etc:/opt/splunk/etc \
  -v /home/user/mydocker/DockerVolume/Splunk/var:/opt/splunk/var \
  -e SPLUNK_START_ARGS="--accept-license" \
  -e "SPLUNK_PASSWORD=somepassword@123" \
  --network=SOAOSBNet splunk/splunk:latest

Command details:

--name <name your container>
-p 7050:8000 <port used to access the web application>
-p "7051:7051" <port used by the Splunk API>
-p "7052:7052" <port used by forwarders>
-v /home/user/mydocker/DockerVolume/Splunk/etc:/opt/splunk/etc <mount point to persist configuration>
-v /home/user/mydocker/DockerVolume/Splunk/var:/opt/splunk/var <mount point to persist indexed data>
-e SPLUNK_START_ARGS="--accept-license" <env variable to accept the licence>
-e "SPLUNK_PASSWORD=somepassword@123" <admin password; note that a value passed this way stays visible in shell history and in the output of docker inspect>
--network=SOAOSBNet splunk/splunk:latest <network for forwarders to access the Splunk container>

Storing container data:

-v /home/mydocker/DockerVolume/Splunk/etc:/opt/splunk/etc
-v /home/mydocker/DockerVolume/Splunk/var:/opt/splunk/var

Directory description:
etc: Configuration data for the system. Consists of 3 important directories:
users: The users we have set up in the system.
apps: Code for our Splunk apps.
system: Relevant information for the system configuration.

var: Where the application stores all data that changes; within Splunk, the indexed data (the actual index files) lives in the var directory.


Splunk Ports :

8000: Default port to access the Splunk web application.
9997: The default receiving port; we have also used it in the steps above, since it is the port our data is forwarded on into our index.
8089: The management interface, where you connect to the Splunk API.
8080: The port Splunk uses for index replication, allowing communication between index servers.


Step 3 : Utility commands

Run a Splunk container
docker run --name splunk imagename

Starting/stopping a Splunk container:
docker start splunk / docker stop splunk

Removing a container
docker rm splunk



Installing and configuring the Splunk Universal Forwarder


Step 1 : Download & install the Splunk Universal Forwarder.
wget -O splunkforwarder-6.5.2-67571ef4b87d-Linux-x86_64.tgz http://download.splunk.com/products/universalforwarder/releases/6.5.2/linux/splunkforwarder-6.5.2-67571ef4b87d-Linux-x86_64.tgz
tar -xvf splunkforwarder-6.5.2-67571ef4b87d-Linux-x86_64.tgz

Step 2 : Start the Splunk Universal Forwarder and register the forward server.
cd splunkforwarder/bin/
./splunk start --accept-license
./splunk add forward-server splunk:7052

Step 3 : Add monitor inputs for the log directories.
cd /u01/oracle/splunkforwarder/bin/
./splunk add monitor /u01/oracle/user_projects/domains/soainfra/servers/AdminServer/logs -sourcetype admin_access_logs
./splunk add monitor /u01/oracle/user_projects/domains/soainfra/servers/osb_server1/logs -sourcetype osb_server_logs

Step 4 : Update/create the inputs.conf file on your Splunk Forwarder.
vi /opt/splunkforwarder/etc/system/local/inputs.conf
Add the following:
[monitor:///u01/oracle/user_projects/domains/soainfra/servers/AdminServer/logs]
sourcetype=admin_server_logs


Step 5 : Restart the Splunk Universal Forwarder.
./splunk restart
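As an added example that is not part of the original post, the shell script below generates the inputs.conf monitor stanzas and the outputs.conf forward-server entry that Steps 2 to 4 create by hand, after checking that every log directory it is told to monitor actually exists and is readable, so a mistyped path is caught before the forwarder silently monitors nothing. The host and port splunk:7052 and the log paths follow the post; the index name main is Splunk's default and is an assumption here.

```shell
#!/bin/sh
# Added example, not the post's own commands. Builds the forwarder's
# etc/system/local/inputs.conf and outputs.conf from "path:sourcetype" pairs.
INDEX=${INDEX:-main}   # assumed: Splunk's default index

# Print one [monitor://...] stanza per "path:sourcetype" argument.
gen_inputs_conf() {
  for spec in "$@"; do
    path=${spec%%:*}
    sourcetype=${spec#*:}
    printf '[monitor://%s]\nsourcetype = %s\nindex = %s\ndisabled = 0\n\n' \
      "$path" "$sourcetype" "$INDEX"
  done
}

# Print an outputs.conf that points the forwarder at the indexer
# (the post registers splunk:7052 with "splunk add forward-server").
gen_outputs_conf() {
  server=${1:-splunk:7052}
  printf '[tcpout]\ndefaultGroup = primary\n\n[tcpout:primary]\nserver = %s\n' "$server"
}

# Return 1 if any monitored directory is missing or unreadable by this user.
check_monitor_paths() {
  rc=0
  for spec in "$@"; do
    path=${spec%%:*}
    if [ ! -r "$path" ]; then
      echo "unreadable or missing: $path" >&2
      rc=1
    fi
  done
  return $rc
}

# Write both files under $1 (the forwarder's etc/system/local directory);
# refuses to write anything if a monitored path fails the check.
write_forwarder_conf() {
  local_dir=$1; shift
  check_monitor_paths "$@" || return 1
  mkdir -p "$local_dir"
  gen_inputs_conf "$@" > "$local_dir/inputs.conf"
  gen_outputs_conf splunk:7052 > "$local_dir/outputs.conf"
}

# Usage with the two log directories from the post (run on the forwarder host):
# write_forwarder_conf /opt/splunkforwarder/etc/system/local \
#   /u01/oracle/user_projects/domains/soainfra/servers/AdminServer/logs:admin_access_logs \
#   /u01/oracle/user_projects/domains/soainfra/servers/osb_server1/logs:osb_server_logs
```

Restart the forwarder afterwards, as in Step 5, for the new stanzas to take effect.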
