Splunk® Universal Forwarder

Forwarder Manual

Deploy and run a universal forwarder inside a Docker container

If you are a first-time Splunk user, Splunk's Docker containers for Splunk Enterprise and the universal forwarder help you quickly deploy and gain hands-on experience with the Splunk software, while still allowing for complex deployments later.

Containerized Splunk software provides the following flexibility and scalability to your Splunk environment:

  • Deployment of Splunk Enterprise and universal forwarder that can be run on your laptop or desktop, or pushed to a large orchestrator
  • Support for multiple Splunk Enterprise topologies including standalone server and distributed multi-node deployments
  • Automatic installation of all upcoming versions of Splunk Enterprise and universal forwarder (beginning with version 7.2)
    • Defaults to the latest official Splunk Enterprise/universal forwarder release
    • Previously released versions can be installed and upgraded to the most current version of Splunk Enterprise/universal forwarder. However, Splunk versions prior to 7.2 are not supported.

Splunk's official repository containing Dockerfiles for building Splunk Enterprise and Universal Forwarder images using containerization technology can be found on GitHub: https://github.com/splunk/docker-splunk

Containerized Splunk software prerequisites

At present, Splunk software container images support only the Docker runtime engine and require the following system prerequisites:

  • Linux-based operating system (Debian, CentOS, etc.)
  • Chipset
    • splunk/splunk image supports x86-64 chipsets
    • splunk/universalforwarder image supports both x86-64 and s390x chipsets
  • Kernel version > 4.0
  • Docker engine
    • Docker Enterprise Engine 17.06.2 or later
    • Docker Community Engine 17.06.2 or later
  • overlay2 Docker daemon storage driver

For more details, please see the official supported architectures and platforms for containerized Splunk environments as well as hardware and capacity recommendations.

Deploy Splunk universal forwarder Docker containers

You deploy Splunk universal forwarder inside a Docker container by downloading and launching the required universal forwarder Docker image. The image is an executable package that includes everything you need to run Splunk universal forwarder. A container is a runtime instance of an image.

  1. From a shell prompt, run the following command to download the required universal forwarder image to your local Docker image library.
    docker pull splunk/universalforwarder:latest
  2. Run the downloaded Docker image.
    docker run -d -p 9997:9997 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=<password>" --name uf splunk/universalforwarder:latest

    Where <password> is the new password you want to set for the universal forwarder instance. For information on password requirements, see Configure a Splunk password policy in Authentication.conf in Securing Splunk Enterprise.

    -p 9997:9997 exposes the default port of the universal forwarder inside the container to the outside world by mapping it to a port on the local host. In this case, the outside port is also 9997. If port 9997 is occupied by another service on the host, you can use the -p parameter to map the application port to another available port on the host, for example, -p 9998:9997.

    Accept the license agreement with SPLUNK_START_ARGS=--accept-license. The license must be explicitly accepted for every splunk/universalforwarder container; otherwise the universal forwarder does not start.

  3. The output of the docker run command is a long string of letters and numbers: the container ID of your new universal forwarder deployment. Run the following command with that container ID to display the status of the container.
    docker ps -a -f id=<container_id>
  4. When the STATUS column for the container shows healthy, the container is up and running.
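
The four steps above as one checked script, added here as an example rather than code from the Splunk documentation or the docker-splunk project. It differs from step 2 in passing SPLUNK_PASSWORD through a --env-file instead of a literal -e argument, and it assumes the docker CLI is on the PATH and that the script is saved under the hypothetical name deploy_uf.sh.

```shell
#!/bin/sh
# Added example (not Splunk's own tooling): deploy the forwarder container
# from the steps above and wait for its health check, keeping the password
# off the command line. Assumes the docker CLI is installed and the image is
# pullable. Save as deploy_uf.sh, then: SPLUNK_PASSWORD='...' sh deploy_uf.sh
IMAGE="${IMAGE:-splunk/universalforwarder:latest}"
NAME="${NAME:-uf}"
HOST_PORT="${HOST_PORT:-9997}"   # e.g. 9998 if 9997 is taken on the host

# Put the container environment in a mode-0600 file passed via --env-file
# rather than -e, so the password does not land in shell history or `ps`
# output. `docker inspect` still shows it, so restrict Docker socket access.
write_env_file() {  # $1 = path, $2 = password
  ( umask 077; printf 'SPLUNK_START_ARGS=--accept-license\nSPLUNK_PASSWORD=%s\n' "$2" > "$1" )
}

# Start the container; docker run prints the new container ID.
run_forwarder() {  # $1 = env file
  docker run -d -p "$HOST_PORT:9997" --env-file "$1" --name "$NAME" "$IMAGE"
}

# Poll the health check (step 4 above). $1 = container ID, $2 = attempts,
# $3 = seconds between attempts. Returns 0 once healthy, else 1.
wait_healthy() {
  id=$1; tries=${2:-30}; delay=${3:-5}
  while [ "$tries" -gt 0 ]; do
    status=$(docker inspect --format '{{.State.Health.Status}}' "$id" 2>/dev/null)
    [ "$status" = "healthy" ] && return 0
    tries=$((tries - 1)); sleep "$delay"
  done
  return 1
}
main() {
  [ -n "$SPLUNK_PASSWORD" ] || { echo "set SPLUNK_PASSWORD in the environment" >&2; exit 2; }
  envfile=$(mktemp)
  write_env_file "$envfile" "$SPLUNK_PASSWORD"
  docker pull "$IMAGE" >/dev/null
  cid=$(run_forwarder "$envfile")
  rm -f "$envfile"   # only needed while docker run reads it
  if wait_healthy "$cid" 30 5; then
    echo "forwarder $NAME ($cid) is healthy"
  else
    echo "container $cid did not become healthy; current state:" >&2
    docker ps -a -f "id=$cid" >&2
    exit 1
  fi
}
# Run main only when executed as deploy_uf.sh; sourcing just defines functions.
if [ "$(basename -- "$0")" = "deploy_uf.sh" ]; then main "$@"; fi
```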

Administer Splunk universal forwarder Docker containers

You can use the following Docker commands to manage containers.

  • To see a list of example commands and environment variables for running a forwarder in a container, run:
    docker run -it splunk/universalforwarder help
  • To see a list of your running containers, run:
    docker ps
  • To stop your forwarder container, run:
    docker container stop <container_id>
  • To restart a stopped container, run:
    docker container start <container_id>
  • To access a running forwarder container to perform administrative tasks, such as modifying configuration files, run:
    docker exec -it <container_id> bash

To learn more about Splunk Enterprise and Docker commands, see the documentation on GitHub for Splunk-Docker.

Last modified on 21 January, 2020

This documentation applies to the following versions of Splunk® Universal Forwarder: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.1.0