Deploy and run a universal forwarder inside a Docker container
If you are a first-time Splunk user, Splunk's Docker containers for Splunk Enterprise and the universal forwarder help you quickly deploy and gain hands-on experience with the Splunk software, while still allowing for complex deployments in the future.
Containerized Splunk software provides the following flexibility and scalability to your Splunk environment:
- Deployment of Splunk Enterprise and universal forwarder that can be run on your laptop or desktop, or pushed to a large orchestrator
- Support for multiple Splunk Enterprise topologies including standalone server and distributed multi-node deployments
- Automatic installation of all upcoming versions of Splunk Enterprise and universal forwarder (beginning with version 7.2)
- Defaults to the latest official Splunk Enterprise/universal forwarder release
- Previously released versions can be installed and upgraded to the most current version of Splunk Enterprise/universal forwarder. However, Splunk versions prior to 7.2 are not supported.
Splunk's official repository containing Dockerfiles for building Splunk Enterprise and Universal Forwarder images using containerization technology can be found on GitHub: https://github.com/splunk/docker-splunk
Containerized Splunk software prerequisites
At the current time, Splunk software container images support only the Docker runtime engine and require the following system prerequisites:
- Linux-based operating system (Debian, CentOS, etc.)
- splunk/splunk image supports x86-64 chipsets
- splunk/universalforwarder image supports both x86-64 and s390x chipsets
- Kernel version > 4.0
- Docker engine
- Docker Enterprise Engine 17.06.2 or later
- Docker Community Engine 17.06.2 or later
- overlay2 Docker daemon storage driver
For more details, please see the official supported architectures and platforms for containerized Splunk environments as well as hardware and capacity recommendations.
Deploy Splunk universal forwarder Docker containers
You deploy Splunk universal forwarder inside a Docker container by downloading and launching the required universal forwarder Docker image. The image is an executable package that includes everything you need to run Splunk universal forwarder. A container is a runtime instance of an image.
- From a shell prompt, run the following command to download the required universal forwarder image to your local Docker image library.
docker pull splunk/universalforwarder:latest
- Run the downloaded Docker image.
docker run -d -p 9997:9997 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=<password>" --name uf splunk/universalforwarder:latest
<password> is the new password you want to set for the universal forwarder instance. For information on password requirements, see Configure a Splunk password policy in Authentication.conf in Securing Splunk Enterprise.
-p 9997:9997 exposes the default port of the universal forwarder inside the container to the outside world by mapping it to a port on the local host. In this case, the host port is also 9997. If port 9997 is occupied by another service on the host, you can use the -p parameter to map the application port to another available port on the host, for example,
Accept the license agreement with SPLUNK_START_ARGS=--accept-license. The license must be accepted explicitly on every splunk/universalforwarder container; otherwise the universal forwarder will not start.
- The output of the docker run command is a long hexadecimal string that is the container ID of your new universal forwarder deployment. Run the following command with the container ID to display the status of the container.
docker ps -a -f id=<container_id>
- When the status of the container becomes healthy, the container is up and running.
Administer Splunk universal forwarder Docker containers
You can use the following Docker commands to manage containers.
- To see a list of your running containers, use the docker ps command, just as you would on Linux.
- To stop your Splunk universal forwarder container, use the following command.
docker container stop <container_id>
- To restart a stopped container, use the following command.
docker container start <container_id>
- The Splunk universal forwarder does not have a GUI, so you will not be able to access it through a web interface. Instead, you can access the container directly by using the docker exec command.
docker exec -it -u splunk uf /bin/bash -c "/opt/splunkforwarder/bin/splunk status"
To learn more about Docker commands, see the Docker documentation.
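The deployment steps above (pull, run with the license flag and password, wait for the healthy state, check status) and the administration commands (stop, start, splunk status via docker exec) are collected here into one POSIX shell script. This is an added example and not Splunk's own tooling; its assumptions, which the page does not state, are that the password is read from a file so it never lands in shell history, that the 8-character minimum mirrors Splunk's default password policy, and that the image's HEALTHCHECK is what produces the "healthy" status the page refers to. Note that an environment variable passed with -e is still visible to anyone who can run docker inspect on the host, so access to the Docker socket should be restricted accordingly.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling: a small deploy/operate helper that
# strings together the page's pull, run, health-wait, status, stop and start
# commands. Assumptions not taken from the page: the password is read from a
# file (argument 3 of "deploy") so it never appears in shell history; the
# 8-character minimum mirrors Splunk's default password policy; the image's
# HEALTHCHECK is what produces the "healthy" state the page mentions.
set -u

IMAGE="splunk/universalforwarder:latest"
UF_PORT=9997   # port the forwarder listens on inside the container

# Check inputs before calling docker at all. Returns 0 when acceptable.
validate_uf_params() {
    host_port="$1"; password="$2"
    case "$host_port" in
        ''|*[!0-9]*) echo "host port must be numeric" >&2; return 1 ;;
    esac
    if [ "$host_port" -lt 1 ] || [ "$host_port" -gt 65535 ]; then
        echo "host port $host_port out of range" >&2; return 1
    fi
    if [ "${#password}" -lt 8 ]; then
        echo "password must be at least 8 characters" >&2; return 1
    fi
    return 0
}

# Map a docker health string to a verdict: 0 ready, 1 keep polling,
# 2 stop polling (unhealthy, or the container/health check is missing).
health_verdict() {
    case "$1" in
        healthy)  return 0 ;;
        starting) return 1 ;;
        *)        return 2 ;;
    esac
}

# Poll docker inspect until the container is healthy or the timeout expires.
wait_for_healthy() {
    name="$1"; timeout="${2:-180}"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        status=$(docker inspect --format '{{.State.Health.Status}}' "$name" 2>/dev/null \
                 || echo "missing")
        health_verdict "$status"; rc=$?
        [ "$rc" -eq 0 ] && return 0
        if [ "$rc" -eq 2 ]; then
            echo "container $name reports health '$status'" >&2; return 1
        fi
        sleep 5; waited=$((waited + 5))
    done
    echo "timed out after ${timeout}s waiting for $name" >&2; return 1
}

# Pull the image, start the forwarder, wait for it, and print splunk status.
deploy_uf() {
    name="$1"; host_port="$2"; password_file="$3"
    password=$(cat "$password_file") || return 1
    validate_uf_params "$host_port" "$password" || return 1
    docker pull "$IMAGE" || return 1
    docker run -d -p "$host_port:$UF_PORT" \
        -e "SPLUNK_START_ARGS=--accept-license" \
        -e "SPLUNK_PASSWORD=$password" \
        --name "$name" "$IMAGE" >/dev/null || return 1
    wait_for_healthy "$name" || return 1
    docker exec -u splunk "$name" /opt/splunkforwarder/bin/splunk status
}

# Day-two operations from the page: stop, start, status.
uf_ctl() {
    name="$1"; action="$2"
    case "$action" in
        stop|start) docker container "$action" "$name" ;;
        status) docker exec -u splunk "$name" /opt/splunkforwarder/bin/splunk status ;;
        *) echo "usage: uf_ctl <name> stop|start|status" >&2; return 1 ;;
    esac
}

# Usage: ./uf.sh deploy <name> <host_port> <password_file>
#        ./uf.sh <name> stop|start|status
if [ $# -gt 0 ]; then
    case "$1" in
        deploy) deploy_uf "$2" "$3" "$4" ;;
        *)      uf_ctl "$1" "$2" ;;
    esac
fi
```

The validation and health-verdict functions are kept free of docker calls so they can be exercised without a daemon; the host port is the only value that varies when 9997 is already taken on the host, and the container-side port stays 9997 as in the page's command.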
This documentation applies to the following versions of Splunk® Universal Forwarder: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0