christian edited this page Mar 12, 2022 · 1 revision

Splunk Docker Home Lab

Splunk lab made simple.

Splunk is a powerful tool. With a Free License or a Developer License, you can support some pretty neat projects and training. Docker is a great way to run Splunk, particularly for developing new apps with manual data uploads. For a home lab or cyber range, however, you will probably want persistent storage and a universal forwarder (UF) for various collection purposes. This is a simple project that provides just that.

Podman

To run Splunk on Podman:

  1. Make the run-podman shell script executable.

chmod +x ./run-podman.sh

  2. Run the run-podman shell script.

./run-podman.sh

  3. Verify that the container is running in Podman.

podman ps

Docker

To run Splunk on Docker:

  1. Make the run-docker shell script executable.

chmod +x ./run-docker.sh

  2. Run the run-docker shell script.

./run-docker.sh

  3. Verify that the container is running in Docker.

docker ps
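The project's own run-docker.sh is not reproduced on this page. The script below is an added example, not the project's code, of what a run script for this lab looks like when it honours the two requirements stated in the introduction: persistent storage (named volumes for Splunk's etc/ and var/ directories) and a universal forwarder that ships data to the indexer. It assumes the splunk/splunk and splunk/universalforwarder images and their SPLUNK_PASSWORD, SPLUNK_START_ARGS and SPLUNK_STANDALONE_URL variables; the container, volume and network names (so1, uf1, splunklab, splunk-etc, splunk-var, splunk-uf-etc) are this example's own choices, and SPLUNK_STANDALONE_URL taking a bare host name is an assumption. The admin password is read from the environment or from a mode-0600 file rather than being typed on the command line, and the web port is bound to localhost only.

```shell
#!/bin/sh
# Added example, not the project's run-docker.sh: start Splunk Enterprise (so1)
# and a Universal Forwarder (uf1) with persistent named volumes.
# Assumptions: the splunk/splunk and splunk/universalforwarder images and their
# SPLUNK_PASSWORD, SPLUNK_START_ARGS and SPLUNK_STANDALONE_URL variables; the
# container, volume and network names are this example's own choices.
# DRY_RUN=1 prints each command instead of executing it.

: "${DOCKER:=docker}"
: "${DRY_RUN:=0}"
: "${PASSWORD_FILE:=$HOME/.splunk_password}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Take the admin password from the environment or from a mode-0600 file, so
# that it never appears on a command line (visible in `ps` and shell history).
load_password() {
    if [ -n "${SPLUNK_PASSWORD:-}" ]; then
        return 0
    fi
    if [ -r "$PASSWORD_FILE" ]; then
        SPLUNK_PASSWORD=$(cat "$PASSWORD_FILE")
        export SPLUNK_PASSWORD
        return 0
    fi
    echo "set SPLUNK_PASSWORD or create $PASSWORD_FILE (chmod 600)" >&2
    return 1
}

# A user-defined network lets uf1 reach so1 by container name.
ensure_network() {
    run "$DOCKER" network create splunklab
}

# Splunk Enterprise with etc/ and var/ on named volumes, so configuration and
# indexed data survive container removal. The web port is bound to localhost
# only; `-e SPLUNK_PASSWORD` (no value) forwards the variable from our
# environment instead of putting the secret in the command line.
start_splunk() {
    run "$DOCKER" volume create splunk-etc
    run "$DOCKER" volume create splunk-var
    run "$DOCKER" run -d --name so1 --network splunklab \
        -p 127.0.0.1:8000:8000 \
        -e SPLUNK_START_ARGS=--accept-license \
        -e SPLUNK_PASSWORD \
        -v splunk-etc:/opt/splunk/etc -v splunk-var:/opt/splunk/var \
        splunk/splunk:latest
}

# Universal Forwarder pointed at so1 (assumption: SPLUNK_STANDALONE_URL takes
# the indexer host name; the receiving port 9997 is the image default).
start_forwarder() {
    run "$DOCKER" volume create splunk-uf-etc
    run "$DOCKER" run -d --name uf1 --network splunklab \
        -e SPLUNK_START_ARGS=--accept-license \
        -e SPLUNK_PASSWORD \
        -e SPLUNK_STANDALONE_URL=so1 \
        -v splunk-uf-etc:/opt/splunkforwarder/etc \
        splunk/universalforwarder:latest
}

# Usage: RUN_LAB=1 ./splunk-lab.sh   (add DRY_RUN=1 to preview the commands)
if [ "${RUN_LAB:-0}" = "1" ]; then
    load_password && ensure_network && start_splunk && start_forwarder
fi
```

Run it once with DRY_RUN=1 to see the exact docker commands before anything is created; because the containers are only referenced by name and the volumes are named, the same script can be re-run after the containers are removed and the previous configuration and indexed data reappear.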

Portainer

To run Splunk from Portainer:

  1. Navigate to Stacks and select Add stack.

  2. Select Git Repository as the Build method.

  3. Use the following Git repository options:
     Repository URL: https://github.com/christian-taillon/splunk-docker
     Repository reference: refs/heads/main
     Compose path: docker-compose.yml

  4. Add a password in the environment variables: click Add an environment variable and set
     name: password value: <strong-password>

  5. Deploy the stack by selecting Deploy the stack.

Developer License

A Developer License is intended for those working at a company that is a Splunk customer and who wish to contribute to Splunkbase, Splunk's app store.

Request a Developer License here

Free License

To switch to a Free License via the web interface:

  1. Log in to Splunk Web as a user with admin privileges and navigate to Manager > License.
  2. Review the text below the License and usage area, find the switch to a free license link, and click it. A login page is displayed.
  3. Select Switch to Free License and click Continue.
  4. You are prompted to reboot.

To switch to a Free License via the command line:

  1. Copy $SPLUNK_HOME/etc/splunk-free.license to $SPLUNK_HOME/etc/splunk.license.
  2. Restart Splunk (./splunk restart).
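The same two command-line steps as a small script, added here as an example and not part of the wiki or the project. It keeps a backup of the license being replaced and verifies the copy before reporting success, so the change can be reverted if it was not what you wanted. It assumes the standard $SPLUNK_HOME layout (etc/splunk-free.license and bin/splunk); the function name and the backup suffix are this example's own.

```shell
#!/bin/sh
# Added example, not from the project: switch a Splunk instance to the Free
# license from the shell, keeping a backup of the license being replaced and
# verifying the copy. Assumes the standard $SPLUNK_HOME layout
# (etc/splunk-free.license, bin/splunk); defaults to /opt/splunk.

# switch_to_free_license [SPLUNK_HOME]  -> prints the path of the active license
switch_to_free_license() {
    root=${1:-${SPLUNK_HOME:-/opt/splunk}}
    free="$root/etc/splunk-free.license"
    active="$root/etc/splunk.license"

    if [ ! -r "$free" ]; then
        echo "cannot read $free" >&2
        return 1
    fi
    # Keep the current license so the change is reversible.
    if [ -f "$active" ]; then
        cp -p "$active" "$active.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cp "$free" "$active" || return 1
    # Verify the copy before reporting success.
    if ! cmp -s "$free" "$active"; then
        echo "license copy mismatch" >&2
        return 1
    fi
    echo "$active"
}

# Restart Splunk so the new license is read ("./splunk restart" on the wiki).
restart_splunk() {
    root=${1:-${SPLUNK_HOME:-/opt/splunk}}
    "$root/bin/splunk" restart
}
```

For the so1 container from this wiki, copy the script in with docker cp and run it with docker exec, for example docker exec so1 sh -c '. /tmp/license.sh; switch_to_free_license && restart_splunk'; because etc/ lives on a persistent volume, the switch survives container removal.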

Upgrade Container's Images

To upgrade, pull down the latest images, remove the containers, and re-run docker-compose or rebuild the stack.

  1. Run docker pull splunk/splunk:latest and docker pull splunk/universalforwarder:latest
  2. Remove the existing containers:
     docker ps
     Identify the container IDs for so1 and uf1
     docker stop [container_id]
     docker rm [container_id]
  3. Rebuild the stack by re-running the deploy script or rebuilding, for example: docker-compose up -d
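The three upgrade steps above as one script, added as an example rather than taken from the project. It pulls the new images before stopping anything so that the downtime window is only stop, remove and recreate, addresses the containers by the names so1 and uf1 used on this wiki instead of looking up IDs, and relies on the fact that docker rm without -v leaves named volumes, and so the persistent Splunk data, in place. The docker-compose.yml in the current directory, the DOCKER and COMPOSE variables and DRY_RUN are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the project: upgrade the lab by pulling the latest
# images, removing the so1 and uf1 containers and recreating the stack.
# Assumes the container names so1/uf1 from this wiki and a docker-compose.yml
# in the current directory. DRY_RUN=1 prints the commands instead of running them.

: "${DOCKER:=docker}"
: "${COMPOSE:=docker-compose}"
: "${DRY_RUN:=0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Pull fresh images first, so the stack is only down for stop/rm/up.
pull_images() {
    run "$DOCKER" pull splunk/splunk:latest
    run "$DOCKER" pull splunk/universalforwarder:latest
}

# Stop and remove containers by name. Named volumes (the persistent Splunk
# etc/ and var/ data) are untouched because `docker rm` without -v keeps them.
remove_containers() {
    for name in "$@"; do
        run "$DOCKER" stop "$name"
        run "$DOCKER" rm "$name"
    done
}

# The full procedure from the wiki: pull, remove so1 and uf1, recreate.
upgrade_stack() {
    pull_images
    remove_containers so1 uf1
    run "$COMPOSE" up -d
}

# Usage: ./upgrade.sh   (or DRY_RUN=1 ./upgrade.sh to preview)
if [ "${RUN_UPGRADE:-0}" = "1" ]; then
    upgrade_stack
fi
```

Set RUN_UPGRADE=1 to execute it, or additionally DRY_RUN=1 to print the commands first; if the stack was deployed from Portainer rather than docker-compose, replace the final step with Portainer's update/redeploy action.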