Splunk® Enterprise

Installation Manual


Deploy and run Splunk Enterprise inside a Docker container

If you are a first-time Splunk user, Splunk's Docker containers for Splunk Enterprise and the universal forwarder help you quickly deploy the software and gain hands-on experience with it, while still allowing for complex deployments in the future.

Containerized Splunk software provides the following flexibility and scalability to your Splunk environment:

  • Deployment of Splunk Enterprise and universal forwarder that can be run on your laptop or desktop, or pushed to a large orchestrator
  • Support for multiple Splunk Enterprise topologies including standalone server and distributed deployments
  • Automatic installation of all upcoming versions of Splunk Enterprise and universal forwarder (beginning with version 7.2)
    • Defaults to the latest official Splunk Enterprise/universal forwarder release
    • Previously released versions can be installed and upgraded to the most current version of Splunk Enterprise/universal forwarder. However, Splunk versions prior to 7.2 are not supported.

Splunk's official repository containing Dockerfiles for building Splunk Enterprise and Universal Forwarder images using containerization technology can be found on GitHub: https://github.com/splunk/docker-splunk

Containerized Splunk software prerequisites

At the current time, Splunk software container images support only the Docker runtime engine and require the following system prerequisites:

  • Linux-based operating system (Debian, CentOS, etc.)
  • Chipset
    • splunk/splunk image supports x86-64 chipsets
    • splunk/universalforwarder image supports both x86-64 and s390x chipsets
  • Kernel version > 4.0
  • Docker engine
    • Docker Enterprise Engine 17.06.2 or later
    • Docker Community Engine 17.06.2 or later
  • overlay2 Docker daemon storage driver

For more details, please see the official supported architectures and platforms for containerized Splunk environments as well as hardware and capacity recommendations.

Deploy Splunk Enterprise Docker containers

You deploy Splunk Enterprise inside a Docker container by downloading and launching the required Splunk Enterprise image in Docker. The image is an executable package that includes everything you need to run Splunk Enterprise. A container is a runtime instance of an image.

  1. From a shell prompt, run the following command to download the required Splunk Enterprise image to your local Docker image library.
    docker pull splunk/splunk:latest
    
  2. Run the downloaded Docker image.
    docker run -d -p 8000:8000 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/splunk:latest
    

    Where <password> is the new password you want to set for the Splunk Enterprise instance. For information on password requirements, see Configure a Splunk password policy in Authentication.conf in Securing Splunk Enterprise.

    -p 8000:8000 exposes the default port of Splunk Enterprise inside the container to the outside world by mapping it to a port on the local host. In this case, the outside port is also 8000. If port 8000 is occupied by another service on the host, you can use the -p parameter to map the application port to another available port on the host, for example, -p 9000:8000.

  3. The output of the docker run command is a long hexadecimal string that is the container ID of your new Splunk Enterprise deployment. Run the following command with the container ID to display the status of the container.
    docker ps -a -f id=<container_id>
    
  4. When the status of the container shows healthy, the container is up and running. Open an Internet browser and access Splunk Enterprise inside the container through Splunk Web:
    localhost:8000
    
  5. Log in to Splunk Enterprise inside the container using the username admin and the password you previously set when you ran the Docker image.
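The five steps above, wrapped into one POSIX sh script as an added example (this is not Splunk's own code or part of the docker-splunk project). It keeps the image tag, the license-acceptance argument and the SPLUNK_PASSWORD variable exactly as the procedure uses them, but with two changes a practitioner usually wants: the password is read from an env file named splunk.env (an assumed file name) via Docker's --env-file option instead of being typed on the command line, so it does not land in shell history or process listings (note that docker inspect on the running container will still show it), and the host side of the port mapping is bound to 127.0.0.1, so Splunk Web is reachable only from the host while you test. The helper functions validate the port and build the command; the deployment itself runs only when SPLUNK_DEPLOY=1 is set, so the file can be sourced without side effects.

```shell
#!/bin/sh
# Added example, not Splunk's code. Assumptions: the Docker CLI is on PATH,
# splunk.env (mode 600) contains a line SPLUNK_PASSWORD=<password>, and the
# image is splunk/splunk:latest unless SPLUNK_IMAGE overrides it.

IMAGE="${SPLUNK_IMAGE:-splunk/splunk:latest}"
ENV_FILE="${SPLUNK_ENV_FILE:-splunk.env}"

# Validate a TCP port number: digits only, 1..65535. Returns 0 if valid.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the -p argument: host side first, container side second, as the
# corrected example in the procedure (-p 9000:8000) shows. Binding the host
# side to 127.0.0.1 keeps Splunk Web off the network while testing.
port_mapping() {
    host_port="${1:-8000}"
    valid_port "$host_port" || { echo "invalid host port: $host_port" >&2; return 1; }
    echo "127.0.0.1:${host_port}:8000"
}

# Refuse an env file that group or others can read (checked with POSIX find),
# since it holds the admin password.
env_file_private() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print)" ]
}

# Print the docker run command from step 2, with the password supplied through
# the env file rather than an inline -e 'SPLUNK_PASSWORD=...' argument.
run_command() {
    mapping="$(port_mapping "$1")" || return 1
    echo "docker run -d -p $mapping --env-file $ENV_FILE -e SPLUNK_START_ARGS=--accept-license $IMAGE"
}

# Poll the container's health status (the same value docker ps -a shows in
# step 3) until it reports healthy, or give up after the timeout in seconds.
wait_healthy() {
    cid="$1"; timeout="${2:-300}"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        status="$(docker inspect --format '{{.State.Health.Status}}' "$cid" 2>/dev/null)" || return 1
        [ "$status" = "healthy" ] && return 0
        sleep 5; waited=$((waited + 5))
    done
    return 1
}

# Steps 1 to 4, run only on explicit request so sourcing has no side effects.
if [ "${SPLUNK_DEPLOY:-0}" = "1" ]; then
    env_file_private "$ENV_FILE" || { echo "$ENV_FILE missing or not mode 600" >&2; exit 1; }
    host_port="${SPLUNK_HOST_PORT:-8000}"
    docker pull "$IMAGE"                                  # step 1
    cid="$(eval "$(run_command "$host_port")")" || exit 1 # step 2
    docker ps -a -f "id=$cid"                             # step 3
    wait_healthy "$cid" || { echo "container $cid did not become healthy" >&2; exit 1; }
    echo "Splunk Web: http://127.0.0.1:${host_port}"      # step 4; log in as admin (step 5)
fi
```

Usage: create splunk.env with chmod 600 and the SPLUNK_PASSWORD line, then run `SPLUNK_DEPLOY=1 SPLUNK_HOST_PORT=9000 sh deploy-splunk.sh` (the script name is assumed). Because eval expands the printed command, the helper only emits tokens without spaces; if you change it to accept arbitrary values, execute docker directly instead.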

To start Splunk Enterprise assuming a specified role in a distributed environment, use the following command to get detailed help information.

docker run -it splunk/splunk help

Administer Splunk Enterprise Docker containers

You can use the following Docker commands to manage containers.

  • To see a list of your running containers, use the command docker ps, just as you would on Linux.
  • To stop your Splunk Enterprise container, use the following command.
    docker container stop <container_id>
    
  • To restart a stopped container, use the following command.
    docker container start <container_id>
    
  • To access a running Splunk Enterprise container to perform administrative tasks, such as modifying configuration files, use the following command.
    docker exec -it <container_id> bash
    

To learn more about Docker commands, see the Docker documentation.


This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.3.0


Comments

Hi Swatishs - yes, to modify .conf files, you need to get into the container using this Docker command:
docker exec -it <container_id> bash
For instructions on how to edit configuration files, see here: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Howtoeditaconfigurationfile

Hunters splunk, Splunker
April 3, 2019

For modifying the configuration for Splunk running inside a container, do we necessarily have to enter the docker container to modify it using Splunk CLI OR by directly modifying the config files? Is there an alternate way? [I do not want to install a 3rd party app on Splunk]

Swatishs
April 3, 2019

Thanks for pointing out the mistake, Ishan! Fixed in the doc.

Hunters splunk, Splunker
October 22, 2018

In the docker section of this page, it is mentioned as below:

"If port 8000 is occupied by another service on the host, you can use the -p parameter to map the application port to another available port on the host, for example, -p 8000:9000."

However, the host port is mentioned on the left side and container port is mention on the right side. So the correct statement is

"If port 8000 is occupied by another service on the host, you can use the -p parameter to map the application port to another available port on the host, for example, -p 9000:8000."

Ishan splunk, Splunker
October 17, 2018
