Splunk® Universal Forwarder

Forwarder Manual

Deploy and run a universal forwarder inside a Docker container

If you are a first-time Splunk user, Splunk's Docker containers for Splunk Enterprise and universal forwarder help you quickly deploy and gain hands-on experience with the Splunk software, while still allowing for complex deployments in the future.

Containerized Splunk software provides the following flexibility and scalability to your Splunk environment:

  • Deployment of Splunk Enterprise and universal forwarder that can be run on your laptop or desktop, or pushed to a large orchestrator
  • Support for multiple Splunk Enterprise topologies including standalone server and distributed multi-node deployments
  • Automatic installation of all upcoming versions of Splunk Enterprise and universal forwarder (beginning with version 7.2)
    • Defaults to the latest official Splunk Enterprise/universal forwarder release
    • Previously released versions can be installed and upgraded to the most current version of Splunk Enterprise/universal forwarder. However, Splunk versions prior to 7.2 are not supported.

Splunk's official repository containing Dockerfiles for building Splunk Enterprise and Universal Forwarder images using containerization technology can be found on GitHub: https://github.com/splunk/docker-splunk

Containerized Splunk software prerequisites

At the current time, Splunk software container images only support the Docker runtime engine and require the following system prerequisites:

  • Linux-based operating system (Debian, CentOS, etc.)
  • Chipset
    • splunk/splunk image supports x86-64 chipsets
    • splunk/universalforwarder image supports both x86-64 and s390x chipsets
  • Kernel version > 4.0
  • Docker engine
    • Docker Enterprise Engine 17.06.2 or later
    • Docker Community Engine 17.06.2 or later
  • overlay2 Docker daemon storage driver

For more details, please see the official supported architectures and platforms for containerized Splunk environments as well as hardware and capacity recommendations.

Deploy Splunk universal forwarder Docker containers

You deploy Splunk universal forwarder inside a Docker container by downloading and launching the required universal forwarder Docker image. The image is an executable package that includes everything you need to run Splunk universal forwarder. A container is a runtime instance of an image.

  1. From a shell prompt, run the following command to download the required universal forwarder image to your local Docker image library.
    docker pull splunk/universalforwarder:latest
  2. Run the downloaded Docker image.
    docker run -d -p 9997:9997 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=<password>" --name uf splunk/universalforwarder:latest

    Where <password> is the new password you want to set for the universal forwarder instance. For information on password requirements, see Configure a Splunk password policy in Authentication.conf in Securing Splunk Enterprise.

    -p 9997:9997 exposes the default port of the universal forwarder inside the container to the outside world by mapping it to a port on the local host. In this case, the outside port is also 9997. If port 9997 is occupied by another service on the host, you can use the -p parameter to map the application port to another available port on the host, for example, -p 9998:9997.

    Accept the license agreement with SPLUNK_START_ARGS=--accept-license. This must be explicitly accepted on every splunk/universalforwarder container, otherwise the universal forwarder will not start.

  3. The output of the docker run command is a long string of letters and numbers: the container ID of your new universal forwarder deployment. Run the following command with the container ID to display the status of the container.
    docker ps -a -f id=<container_id>
  4. When the status of the container shows healthy, the container is up and running.
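
The pull, run and status-check steps above as one POSIX shell script, added here as an example (not from the Splunk documentation or the docker-splunk project). It assumes the image's HEALTHCHECK populates .State.Health.Status in docker inspect, which is the "healthy" status step 4 refers to; the container name uf, image, port and variable names are the documented ones, while the timeout and the bare "-e SPLUNK_PASSWORD" pass-through are this script's own choices.

```shell
#!/bin/sh
# Added example, not from the Splunk docs or the docker-splunk project: the
# pull, run and status-check steps as one script. Image, port and variable
# names are the documented ones; timeout and env pass-through are my choices.
set -eu

IMAGE="splunk/universalforwarder:latest"
NAME="${UF_CONTAINER_NAME:-uf}"
HOST_PORT="${UF_HOST_PORT:-9997}"   # e.g. 9998 if 9997 is already taken on the host

# Health status reported by the image's HEALTHCHECK: "starting", "healthy"
# or "unhealthy"; empty if the container does not exist.
health_status() {
    docker inspect -f '{{.State.Health.Status}}' "$1" 2>/dev/null || true
}

# Poll until the container is healthy. Returns 0 on healthy, 1 if it turns
# unhealthy or the timeout (seconds) elapses.
wait_healthy() {
    name=$1
    deadline=$(( $(date +%s) + $2 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        case "$(health_status "$name")" in
            healthy)   return 0 ;;
            unhealthy) echo "$name reported unhealthy" >&2; return 1 ;;
        esac
        sleep 1
    done
    echo "timed out waiting for $name to become healthy" >&2
    return 1
}

# Pull and start the forwarder. A bare "-e SPLUNK_PASSWORD" makes Docker copy
# the value from this shell's environment, so the password is not on the
# command line (shell history, ps output). It remains readable through
# `docker inspect` by anyone who can reach the Docker socket.
start_uf() {
    : "${SPLUNK_PASSWORD:?set SPLUNK_PASSWORD in the environment first}"
    docker pull "$IMAGE"
    docker run -d -p "$HOST_PORT:9997" \
        -e "SPLUNK_START_ARGS=--accept-license" \
        -e SPLUNK_PASSWORD \
        --name "$NAME" "$IMAGE"
    wait_healthy "$NAME" 300
    docker exec -u splunk "$NAME" /opt/splunkforwarder/bin/splunk status
}

# Only deploy when asked; otherwise the file can be sourced for its functions.
if [ "${1:-}" = "deploy" ]; then start_uf; fi
```

Run it as `SPLUNK_PASSWORD='...' sh deploy-uf.sh deploy`; the wait stops early if the container turns unhealthy instead of looping on docker ps.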

Administer Splunk universal forwarder Docker containers

You can use the following Docker commands to manage containers.

  • To see a list of your running containers, use the command docker ps, just as you would on Linux.
  • To stop your Splunk universal forwarder container, use the following command.
    docker container stop <container_id>
  • To restart a stopped container, use the following command.
    docker container start <container_id>
  • The Splunk universal forwarder does not have a GUI, so you will not be able to access it through a web interface. Instead, you can access the container directly by using the docker exec command.
    docker exec -it -u splunk uf /bin/bash -c "/opt/splunkforwarder/bin/splunk status"

To learn more about Docker commands, see the Docker documentation.

This documentation applies to the following versions of Splunk® Universal Forwarder: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.3.0, 7.3.1, 7.3.2, 8.0.0
