Splunk® Enterprise

Installation Manual

Download manual as PDF

Download topic as PDF

Deploy and run Splunk Enterprise inside a Docker container

If you are a first-time user, using Docker containers with Splunk Enterprise helps you quickly deploy and gain hands-on experience with Splunk software.

Containerizing Splunk software provides flexibility and scalability to your Splunk environment:

  • Deploy a single-instance Splunk Enterprise or a Universal Forwarder to run on your laptop or desktop
  • Use an orchestrator tool to deploy and manage a Splunk Enterprise or a Universal Forwarder instance

The official repository containing Dockerfiles for building Splunk Enterprise and Universal Forwarder images using containerization technology can be found on GitHub for Splunk-Docker.

Containerized Splunk software prerequisites

We offer support for single-instance Splunk Enterprise and Universal Forwarder containers that run on the following environments:

  • Splunk software container images only support the Docker runtime engine
  • We do not support Docker service-level or stack-level configurations, such as swarm clusters or container orchestration.
  • We do not support complex Splunk Enterprise topologies, including clustering and distributed deployments using container images.
Operating system Architecture Container environment Enterprise License Free License Trial License Universal Forwarder package
Linux, 4.x kernel version x86 (64-bit) Docker Enterprise or Community Edition 17.06.2 and higher X X X X
z/Linux, 4.x kernel version s390x (64-bit) Docker Enterprise or Community Edition 17.06.2 and higher X

For help with container-based deployments of Splunk Enterprise and the Universal Forwarder on unsupported operating systems, ask the open source community at GitHub for Splunk-Docker.

Deploy Splunk Enterprise Docker containers

You can deploy Splunk Enterprise inside a Docker container by downloading and launching the required Splunk Enterprise image in Docker. The image is an executable package that includes everything you need to run Splunk Enterprise. For universal forwarder instructions, see Deploy and run a universal forwarder inside a Docker container in the Forwarder Manual.

  1. From a shell prompt, run the following command to download the required Splunk Enterprise image to your local Docker image library.
    docker pull splunk/splunk:latest
  2. Run the downloaded Docker image.
    docker run -d -p 8000:8000 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/splunk:latest
    • The port definition -p <host_port>:<container_port> will expose a port used by the containerized application to the outside network by mapping it to port on the local host. In the example above, the SplunkWeb port 8000 is mapped to the host port 8000. If a host port is already occupied by another service, you can use the -p parameter to re-map a port to another open port on the host, example: -p 9000:8000. You can later verify the ports in use by running docker port <container_id>
  3. The output of the docker run command is a hash of numbers and letters that represents the container ID of your new Splunk Enterprise instance. Run the following command with the container ID to display the status of the container.
    docker ps -a -f id=<container_id>
    • To verify the container ID, run docker ps to review the container ID, status, and port mappings of all running containers.
  4. Open an web browser on the host and access SplunkWeb inside the container using the address:
  5. Log in to Splunk Enterprise inside the container using the username admin and the password you set when you ran the Docker image.

Administer Splunk Enterprise Docker containers

You can use the following Docker commands to manage containers.

  • To see a list of example commands and environment variables for running Splunk Enterprise in a container, run:
    docker run -it splunk/splunk help
  • To see a list of your running containers, run:
    docker ps
  • To stop your Splunk Enterprise container, run:
    docker container stop <container_id>
  • To restart a stopped container, run:
    docker container start <container_id>
  • To access a running Splunk Enterprise container to perform administrative tasks, such as modifying configuration files, run:
    docker exec -it <container_id> bash

To learn more about Splunk Enterprise and Docker commands, see the documentation on GitHub for Splunk-Docker.

Last modified on 24 February, 2020
Run Splunk Enterprise as a different or non-root user
Start Splunk Enterprise for the first time

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.1.0

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters