Deploy and run Splunk Enterprise inside a Docker container
If you are a first-time Splunk user, Splunk's Docker containers for Splunk Enterprise and the universal forwarder help you quickly deploy and gain hands-on experience with the Splunk software, while still allowing for complex deployments in the future.
Containerized Splunk software provides the following flexibility and scalability to your Splunk environment:
- Deployment of Splunk Enterprise and universal forwarder that can be run on your laptop or desktop, or pushed to a large orchestrator
- Support for multiple Splunk Enterprise topologies including standalone server and distributed deployments
- Automatic installation of all upcoming versions of Splunk Enterprise and universal forwarder (beginning with version 7.2)
- Defaults to the latest official Splunk Enterprise/universal forwarder release
- Previously released versions can be installed and upgraded to the most current version of Splunk Enterprise/universal forwarder. However, Splunk versions prior to 7.2 are not supported.
Splunk's official repository, which contains the Dockerfiles for building the Splunk Enterprise and universal forwarder images, is on GitHub: https://github.com/splunk/docker-splunk
Containerized Splunk software prerequisites
At the current time, Splunk software container images only support the Docker runtime engine and require the following system prerequisites:
- Linux-based operating system (Debian, CentOS, etc.)
- The splunk/splunk image supports x86-64 chipsets
- The splunk/universalforwarder image supports both x86-64 and s390x chipsets
- Kernel version > 4.0
- Docker engine
  - Docker Enterprise Engine 17.06.2 or later
  - Docker Community Engine 17.06.2 or later
- overlay2 Docker daemon storage driver
For more details, please see the official supported architectures and platforms for containerized Splunk environments as well as hardware and capacity recommendations.
Deploy Splunk Enterprise Docker containers
You deploy Splunk Enterprise inside a Docker container by downloading and launching the required Splunk Enterprise image in Docker. The image is an executable package that includes everything you need to run Splunk Enterprise. A container is a runtime instance of an image.
- From a shell prompt, run the following command to download the required Splunk Enterprise image to your local Docker image library.
docker pull splunk/splunk:latest
- Run the downloaded Docker image.
docker run -d -p 8000:8000 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/splunk:latest
<password> is the new password you want to set for the Splunk Enterprise instance. For information on password requirements, see Configure a Splunk password policy in Authentication.conf in Securing Splunk Enterprise.
-p 8000:8000 exposes the default port of Splunk Enterprise inside the container to the outside world by mapping it to a port on the local host. In this case, the outside port is also 8000. If port 8000 is occupied by another service on the host, you can use the -p parameter to map the application port to another available port on the host, for example,
- The output of the docker run command is a long string of letters and numbers that represents the container ID of your new Splunk Enterprise deployment. Run the following command with that container ID to display the status of the container.
docker ps -a -f id=<container_id>
- When the status of the container becomes healthy, the container is up and running. Open a web browser and access Splunk Enterprise inside the container through Splunk Web on the host port you mapped (port 8000 in this example).
- Log in to Splunk Enterprise inside the container using the username admin and the password you set when you ran the Docker image.
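The pull, run and status-check steps above, scripted as an added example that is not part of the Splunk documentation. It validates the host port before building the docker run command, passes the password through the environment instead of as a literal on the command line, and polls docker ps until the container reports healthy. The function names (splunk_run_cmd, health_from_status, wait_healthy, deploy) and the 300-second timeout are this example's own choices; it assumes the docker CLI is on PATH only when deploy is actually invoked.

```shell
#!/bin/sh
# Added example, not Splunk's own code: wraps the docker pull / run / ps steps
# documented on this page. Only "deploy" needs the docker CLI; the other
# functions are pure shell and can be exercised without a Docker daemon.

# Print the docker run command for a host port (validated 1..65535) and image.
# "-e SPLUNK_PASSWORD" with no "=value" makes docker copy the variable from the
# caller's environment, so the password is not typed into shell history or shown
# in "ps" output. It is still readable via "docker inspect" by anyone who can
# reach the Docker socket, so treat that socket as root-equivalent.
splunk_run_cmd() {
  port=$1; image=${2:-splunk/splunk:latest}
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  printf 'docker run -d -p %s:8000 -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_PASSWORD %s\n' \
    "$port" "$image"
}
# Map the STATUS column of "docker ps -a" onto a one-word health state.
# Constructed sample inputs: "Up 2 minutes (healthy)", "Exited (1) 3 minutes ago".
health_from_status() {
  case "$1" in
    *"(healthy)"*)          echo healthy ;;
    *"(health: starting)"*) echo starting ;;
    *"(unhealthy)"*)        echo unhealthy ;;
    Exited*)                echo exited ;;
    Up*)                    echo no-healthcheck ;;
    *)                      echo unknown ;;
  esac
}
# Poll the container until it is healthy; fail fast if it exits or turns unhealthy.
wait_healthy() {
  cid=$1; deadline=$(( $(date +%s) + ${2:-300} ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    state=$(health_from_status "$(docker ps -a -f "id=$cid" --format '{{.Status}}')")
    case "$state" in healthy) return 0 ;; unhealthy|exited) return 1 ;; esac
    sleep 5
  done
  return 1
}
deploy() {
  [ -n "${SPLUNK_PASSWORD:-}" ] || { echo "export SPLUNK_PASSWORD first" >&2; return 1; }
  export SPLUNK_PASSWORD
  docker pull splunk/splunk:latest
  cid=$(eval "$(splunk_run_cmd "${1:-8000}")") || return 1
  wait_healthy "$cid" && echo "Splunk Web is up on host port ${1:-8000} (container $cid)"
}
# "sh deploy.sh deploy [host_port]" runs the deployment; sourcing only defines functions.
if [ "${1:-}" = deploy ]; then deploy "${2:-8000}"; fi
```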
To start Splunk Enterprise in a specified role in a distributed environment, run the following command to display detailed help information.
docker run -it splunk/splunk help
Administer Splunk Enterprise Docker containers
You can use the following Docker commands to manage containers.
- To see a list of your running containers, use the command docker ps, just as you would on Linux.
- To stop your Splunk Enterprise container, use the following command.
docker container stop <container_id>
- To restart a stopped container, use the following command.
docker container start <container_id>
- To access a running Splunk Enterprise container to perform administrative tasks, such as modifying configuration files, use the following command.
docker exec -it <container_id> bash
To learn more about Docker commands, see the Docker documentation.
This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.3.0