Splunk® Universal Forwarder

Forwarder Manual

This documentation does not apply to the most recent version of Splunk® Universal Forwarder. For documentation on the most recent version, go to the latest release.

Deploy and run a universal forwarder inside a Docker container

Using Docker containers helps you quickly deploy an instance and gain hands-on experience with Splunk software.

The official repository containing Dockerfiles for building Splunk Enterprise and Universal Forwarder images can be found on GitHub for Splunk-Docker.

Containerized Splunk software prerequisites

The list of requirements for Docker and Splunk software is available in the Support Guidelines on the Splunk-Docker GitHub. The requirements include OS architecture, Docker version, and supported Splunk architectures.

Deploy Splunk universal forwarder Docker containers

You can deploy Splunk universal forwarder inside a Docker container by downloading and launching the required universal forwarder Docker image. The image is an executable package that includes everything you need to run Splunk universal forwarder. For Splunk Enterprise instructions, see Deploy and run Splunk Enterprise inside a Docker container in the Installation Manual.

  1. From a shell prompt, run the following command to download the required universal forwarder image to your local Docker image library.
    docker pull splunk/universalforwarder:latest
    
  2. Run the downloaded Docker image.
    docker run -d -p 9997:9997 -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD='<password>' --name uf splunk/universalforwarder:latest
    
    • The port definition -p <host_port>:<container_port> will expose a port used by the containerized application to the outside network by mapping it to port on the local host. In the example above, the SplunkTCP port 9997 is mapped to the host port 9997. If a host port is already occupied by another service, you can use the -p parameter to re-map a port to another open port on the host, example: -p 9999:9997. You can later verify the ports in use by running docker port <container_id>
    • Accept the license agreement with SPLUNK_START_ARGS=--accept-license. This must be explicitly accepted on every splunk/universalforwarder container, otherwise the universal forwarder will not start.
  3. The output of the docker run command is a hash of numbers and letters that represents the container ID of your new forwarder instance. Run the following command with the container ID to display the status of the container.
    docker ps -a -f id=<container_id>
    

Administer Splunk universal forwarder Docker containers

You can use the following Docker commands to manage containers.

  • To see a list of example commands and environment variables for running a forwarder in a container, run:
    docker run -it splunk/universalforwarder help
    
  • To see a list of your running containers, run:
    docker ps
  • To stop your forwarder container, run:
    docker container stop <container_id>
    
  • To restart a stopped container, run:
    docker container start <container_id>
    
  • To access a running forwarder container to perform administrative tasks, such as modifying configuration files, run:
    docker exec -it <container_id> bash
    

To learn more about Splunk Enterprise and Docker commands, see the documentation on GitHub for Splunk-Docker.

Last modified on 01 December, 2021
Make a universal forwarder part of a host image   Start the universal forwarder

This documentation applies to the following versions of Splunk® Universal Forwarder: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters