In order to run this Docker image, you must meet the official System requirements. Failure to do so will render your deployment in an unsupported state. See Support violation for details.
Run the following commands to pull the latest images down from Docker Hub and into your local environment:
$ docker pull splunk/splunk:latest
$ docker pull splunk/universalforwarder:latest
This section explains how to start basic standalone and distributed deployments. See the Examples page for instructions on creating additional types of deployments.
Start a single containerized instance of Splunk Enterprise with the command below, replacing <password> with a password string that conforms to the Splunk Enterprise password requirements.
$ docker run -p 8000:8000 -e "SPLUNK_PASSWORD=<password>" \
-e "SPLUNK_START_ARGS=--accept-license" \
-it splunk/splunk:latest
This command does the following:
- Starts a Docker container using the splunk/splunk:latest image.
- Maps the host's 8000 port to the container’s 8000 port.
- Sets the admin password with SPLUNK_PASSWORD.
- Accepts the license agreement with SPLUNK_START_ARGS=--accept-license. This agreement must be explicitly accepted on every container, or Splunk Enterprise doesn’t start.
You successfully created a standalone deployment with docker-splunk!
After the container starts up, you can access Splunk Web at http://localhost:8000 with admin:<password>.
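A hardened variant of the standalone command above, as an added example that is not part of the docker-splunk project: it passes the password through a 0600 env file with --env-file instead of -e on the command line, and publishes Splunk Web on 127.0.0.1 only. The file path ./splunk.env, the script name start-splunk.sh and the DOCKER dry-run variable are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of docker-splunk. The env-file path, the loopback
# bind and the DOCKER override are assumptions made for this sketch.

NL='
'

# write_env_file FILE PASSWORD
# Stores the two variables the page passes with -e in a file readable only by
# the current user. Rejects an empty or multi-line password, because
# --env-file reads one literal VAR=value per line.
write_env_file() (
    file=$1 password=$2
    [ -n "$password" ] || exit 1
    case $password in *"$NL"*) exit 1 ;; esac
    umask 077
    rm -f -- "$file"
    printf 'SPLUNK_PASSWORD=%s\nSPLUNK_START_ARGS=--accept-license\n' \
        "$password" > "$file"
)

# start_standalone ENV_FILE [IMAGE]
# Same container as the page's standalone command, but the password never
# appears in argv and Splunk Web is published on the loopback interface only.
# Pass a pinned tag or digest as IMAGE for repeatable deployments.
# Set DOCKER=echo for a dry run that prints the command instead of running it.
start_standalone() {
    ${DOCKER:-docker} run -p 127.0.0.1:8000:8000 \
        --env-file "$1" \
        -it "${2:-splunk/splunk:latest}"
}

# Interactive entry point (hypothetical script name):
#   sh start-splunk.sh --run [ENV_FILE]
if [ "${1:-}" = "--run" ]; then
    env_file=${2:-./splunk.env}
    printf 'Splunk admin password: ' >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
    write_env_file "$env_file" "$pw" || { echo 'rejected password' >&2; exit 1; }
    unset pw
    start_standalone "$env_file"
fi
```

The password is still visible to anyone who can run docker inspect on the container, so this protects shell history and process listings, not the Docker host itself.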
Start a Splunk Universal Forwarder running in a container to stream logs to a Splunk Enterprise standalone instance, also running in a container.
First, create a network to enable communication between each of the services.
$ docker network create --driver bridge --attachable skynet
Start a single, standalone instance of Splunk Enterprise in the network created above, replacing <password> with a password string that conforms to the Splunk Enterprise password requirements.
$ docker run --network skynet --name so1 --hostname so1 -p 8000:8000 \
-e "SPLUNK_PASSWORD=<password>" \
-e "SPLUNK_START_ARGS=--accept-license" \
-it splunk/splunk:latest
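This command does the following:
- Starts a Docker container using the splunk/splunk:latest image.
- Attaches the container to the skynet network.
- Sets the container name and hostname to so1.
- Maps the host's 8000 port to the container’s 8000 port.
- Sets the admin password with SPLUNK_PASSWORD.
- Accepts the license agreement with SPLUNK_START_ARGS=--accept-license. This agreement must be explicitly accepted on every container, or Splunk Enterprise doesn’t start.
After the container starts up successfully, you can access Splunk Web at http://localhost:8000 with admin:<password>.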
Start a single, standalone instance of Splunk Universal Forwarder in the network created above, replacing <password> with a password string that conforms to the Splunk Enterprise password requirements.
$ docker run --network skynet --name uf1 --hostname uf1 \
-e "SPLUNK_PASSWORD=<password>" \
-e "SPLUNK_START_ARGS=--accept-license" \
-e "SPLUNK_STANDALONE_URL=so1" \
-it splunk/universalforwarder:latest
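This command does the following:
- Starts a Docker container using the splunk/universalforwarder:latest image.
- Attaches the container to the skynet network.
- Sets the container name and hostname to uf1.
- Sets the admin password with SPLUNK_PASSWORD.
- Accepts the license agreement with SPLUNK_START_ARGS=--accept-license. This agreement must be explicitly accepted on every container, otherwise Splunk Enterprise doesn’t start.
- Sets SPLUNK_STANDALONE_URL so the forwarder sends its logs to the standalone instance so1.
NOTE: The Splunk Universal Forwarder does not have a web interface. If you require access to the Splunk installation in this particular container, refer to the REST API documentation or use docker exec to access the Splunk CLI.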
You successfully created a distributed deployment with docker-splunk!
If everything went smoothly, you can log in to your Splunk Enterprise instance at http://localhost:8000, and then run a search to confirm the logs are available. For example, a query such as index=_internal should return all the internal Splunk logs for both host=so1 and host=uf1.