Deploy and run Splunk Enterprise inside a Docker container
Run Splunk Enterprise inside a Docker container to quickly deploy an instance and gain hands-on experience with Splunk software. The official repository containing Dockerfiles for building Splunk Enterprise and Universal Forwarder images can be found on GitHub for Splunk-Docker.
Container orchestration for Splunk Enterprise
For container orchestration, the Splunk Operator for Kubernetes on GitHub enables you to quickly and easily deploy Splunk Enterprise on your choice of private or public cloud provider. The operator simplifies scaling and management of Splunk Enterprise by automating workflows while implementing Kubernetes best practices.
See the splunk-operator documentation on GitHub for more information.
Containerized Splunk software prerequisites
The list of requirements for Docker and Splunk software is available in the Support Guidelines on the Splunk-Docker GitHub. The requirements include OS architecture, Docker version, and supported Splunk architectures.
Deploy Splunk Enterprise Docker containers
You can deploy Splunk Enterprise inside a Docker container by downloading and launching the required Splunk Enterprise image in Docker. The image is an executable package that includes everything you need to run Splunk Enterprise. For universal forwarder instructions, see
- From a shell prompt, run the following command to download the required Splunk Enterprise image to your local Docker image library.
docker pull splunk/splunk:latest
- Run the downloaded Docker image.
docker run -d -p 8000:8000 -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD='<password>' splunk/splunk:latest
SPLUNK_PASSWORD='<password>'parameter sets the login password for the admin user. There are minimum requirements when setting passwords, which can change with different versions of Splunk Enterprise. To review the minimum password requirements, see Configure a Splunk password policy in Authentication.conf in the Securing the Splunk Platform manual.
- The port definition
-p <host_port>:<container_port>will expose a port used by the containerized application to the outside network by mapping it to port on the local host. In the example above, the SplunkWeb port 8000 is mapped to the host port 8000. If a host port is already occupied by another service, you can use the
-pparameter to re-map a port to another open port on the host, example:
-p 9000:8000. You can later verify the ports in use by running
docker port <container_id>
- The output of the
docker runcommand is a hash of numbers and letters that represents the container ID of your new Splunk Enterprise instance. Run the following command with the container ID to display the status of the container.
docker ps -a -f id=<container_id>
- To verify the container ID, run
docker psto review the container ID, status, and port mappings of all running containers.
adminand the password you set when you ran the Docker image.
Administer Splunk Enterprise Docker containers
You can use the following Docker commands to manage containers.
- To see a list of example commands and environment variables for running Splunk Enterprise in a container, run:
docker run -it splunk/splunk help
- To see a list of your running containers, run:
- To stop your Splunk Enterprise container, run:
docker container stop <container_id>
- To restart a stopped container, run:
docker container start <container_id>
- To access a running Splunk Enterprise container to perform administrative tasks, such as modifying configuration files, run:
docker exec -it <container_id> bash
To learn more about Splunk Enterprise and Docker commands, see the documentation on GitHub for Splunk-Docker.
Now that you have Splunk Enterprise installed:
- For ideas on what to do, see What happens next?.
Run Splunk Enterprise as a different or non-root user
Start Splunk Enterprise for the first time
This documentation applies to the following versions of Splunk® Enterprise: 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5
Feedback submitted, thanks!