Docker and Splunk

Command Reference Cheat Sheet

Vince Sesto
Splunk User Developer Administrator
4 min read · Jul 11, 2017


Remember when IT was fun? As I get older, it seems that I have that fun feeling less often, but with Docker, I seem to get that feeling back every now and then. The following cheat sheet is a quick and dirty guide to get you started with Splunk on Docker.

Start With The Basics

If you have not installed Docker yet, the best place to start is the following URL, which provides the install instructions for your specific environment: https://www.docker.com/get-docker

Display the version of Docker running on your system.
docker --version

Run the basic hello-world Docker service.
docker run hello-world

Search Docker Hub for the image you need. Replace <image_name> with the image you are looking for, e.g. splunk.
docker search <image_name>

Pull the latest stable version of your required image.
docker pull <image_name>:latest

Display all running Docker containers on your system.
docker ps

Display all running and stopped Docker containers.
docker ps -a

View all Docker images available on your system.
docker images

Start Up Splunk On Docker

Run Splunk as a Docker container with environment variables set. Below we accept the Splunk license, set the Splunk user to root and publish the container's port 8000 on the host. Once the command has run, open a web browser on your system and access the interface at http://localhost:8000
docker run -d -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_USER=root" -p 8000:8000 splunk/splunk

Show all relevant information for a Docker container.
docker inspect <container_id>

View the logs of a Docker container.
docker logs <container_id>

Show the history of a Docker image.
docker history <image_name>

Attach your terminal to the main process of a running container (this does not open a new shell; use exec, below, for that).
docker attach <container_id>

Perform the touch command on a running container using exec.
docker exec -d <container_id> touch /tmp/test.txt

Access the bash shell of a running container.
docker exec -it <container_id> /bin/bash

Things Get Interesting With Dockerfiles

With Dockerfiles we can take all the details we set on the command line, place them in a file, and then build and run our image from that file.

Below is an example Dockerfile for a Splunk container.

FROM splunk/splunk:latest
MAINTAINER vince.sesto@gmail.com

# Set up environment variables
ENV SPLUNK_START_ARGS --accept-license
ENV SPLUNK_USER root

# Run touch .ui_login in the same directory as your Dockerfile
# Copy ui_login to stop the first time login screen
COPY .ui_login /opt/splunk/etc/.ui_login

# If you have a Splunk App ready to be installed
COPY mood_radiator/ /opt/splunk/etc/apps/mood_radiator/

# In case we need to install anything extra
RUN apt-get update && apt-get install -y vim

Build your image from a Dockerfile and give it a name.
docker build -t <name> .

Run a Docker container in detached mode exposing port 8000.
docker run -d -p 8000:8000 <name>

If you need to clean up old containers and images, you can run the following (note that it stops and removes every container and image on the host, not just the Splunk ones):
docker kill $(docker ps -q); docker rm -f $(docker ps -a -q); docker rmi -f $(docker images -q)
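The one-liner above removes everything Docker knows about on the host, which is rarely what you want on a shared machine. The following is an added example (not code from the original post) that scopes the cleanup to containers of one image, here the splunk/splunk image used throughout the post. It assumes the output format of `docker ps -a --format '{{.ID}} {{.Names}} {{.Image}}'`; the sample `docker ps` output embedded below is constructed and the IDs in it are not real.

```shell
#!/bin/sh
# Added example: remove only the containers that belong to one image,
# instead of every container on the host.

# Read "ID NAME IMAGE" lines on stdin and print the IDs whose image name
# starts with the prefix given as $1 (e.g. splunk/splunk).
select_containers_by_image() {
    prefix="$1"
    awk -v p="$prefix" 'index($3, p) == 1 { print $1 }'
}

# Constructed sample of what `docker ps -a --format ...` might print.
# The container IDs are made up for the demonstration.
SAMPLE_PS='0123abcd4567 splunkserver splunk/splunk:latest
89ab0123cdef web nginx:1.25
fedc9876ba10 old-splunk splunk/splunk:7.0.0'

# Remove (or, with DRY_RUN=1, only list) the containers of one image.
# This is the function you would actually run against Docker.
cleanup_by_image() {
    prefix="$1"
    ids=$(docker ps -a --format '{{.ID}} {{.Names}} {{.Image}}' \
          | select_containers_by_image "$prefix")
    if [ -z "$ids" ]; then
        echo "no containers found for image $prefix"
        return 0
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would remove: $ids"
    else
        # -f stops a running container before removing it
        docker rm -f $ids
    fi
}

# Demonstration on the constructed sample: prints the two splunk/splunk IDs.
printf '%s\n' "$SAMPLE_PS" | select_containers_by_image splunk/splunk
```

Run `DRY_RUN=1 sh cleanup.sh` style invocations of `cleanup_by_image splunk/splunk` first to confirm the selection before removing anything; the filter matches on the image-name prefix, so a tag such as `:7.0.0` is still caught while unrelated images are left alone.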

More information on using Splunk and Docker can be found in the book “Beginning Splunk With Docker”.

Moving To Docker Compose

The next step to take is to start using Docker Compose. With Docker Compose, you can use a simple compose file to create numerous networked containers and images. The code below is a simple Splunk server and can be created by opening your text editor and saving the file as “docker-compose.yml”.

version: '3'
services:
# Note this is a YAML file; indentation is two spaces per level
  splunkserver:
    image: splunk/splunk
    hostname: splunkserver
    environment:
      SPLUNK_START_ARGS: --accept-license --answer-yes
      SPLUNK_ENABLE_LISTEN: 9997
      SPLUNK_USER: root
    ports:
      - "8000:8000"
      - "9997:9997"
      - "8088:8088"
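The compose file above publishes three ports on every host interface and runs Splunk as root inside the container. Before running `docker-compose up` it is worth checking for exactly those two things, so here is an added example (not part of the original post) of a small shell audit. It writes two constructed compose files, the weak one from the post and a hardened variant that binds the ports to 127.0.0.1 and sets `SPLUNK_USER` to an unprivileged account; the account name `splunk` is an assumption to check against the image's documentation, and the loopback binding suits the local lab set-up the post describes (ports that forwarders on other hosts must reach, such as 9997, need a reachable address instead).

```shell
#!/bin/sh
# Added example: audit a docker-compose.yml for ports published on all
# interfaces and for SPLUNK_USER set to root. Both files are constructed.

WEAK_COMPOSE=$(mktemp)
cat > "$WEAK_COMPOSE" <<'EOF'
version: '3'
services:
  splunkserver:
    image: splunk/splunk
    hostname: splunkserver
    environment:
      SPLUNK_START_ARGS: "--accept-license --answer-yes"
      SPLUNK_ENABLE_LISTEN: 9997
      SPLUNK_USER: root
    ports:
      - "8000:8000"
      - "9997:9997"
      - "8088:8088"
EOF

HARDENED_COMPOSE=$(mktemp)
cat > "$HARDENED_COMPOSE" <<'EOF'
version: '3'
services:
  splunkserver:
    image: splunk/splunk
    hostname: splunkserver
    environment:
      SPLUNK_START_ARGS: "--accept-license --answer-yes"
      SPLUNK_ENABLE_LISTEN: 9997
      SPLUNK_USER: splunk   # assumed unprivileged account; verify for your image
    ports:
      - "127.0.0.1:8000:8000"   # web UI reachable only from this host
      - "127.0.0.1:9997:9997"   # widen if remote forwarders must connect
      - "127.0.0.1:8088:8088"
EOF

# Print one finding per line. Return 0 if the file is clean, 1 otherwise.
audit_compose() {
    file="$1"
    flagged=0
    # A port entry looks like - "HOST:CONTAINER" or - "IP:HOST:CONTAINER".
    # Without an IP, Docker binds the host port on 0.0.0.0.
    for mapping in $(grep -E '^[[:space:]]*-[[:space:]]*"?[0-9.]+(:[0-9]+)+"?' "$file" \
                     | tr -d ' "-'); do
        case "$mapping" in
            *:*:*) ;;   # explicit host address given
            *) echo "port $mapping is published on all interfaces (0.0.0.0)"
               flagged=1 ;;
        esac
    done
    if grep -Eq '^[[:space:]]*SPLUNK_USER:[[:space:]]*root' "$file"; then
        echo "SPLUNK_USER is root: Splunk processes run as root inside the container"
        flagged=1
    fi
    return $flagged
}

echo "--- weak compose file ---"
audit_compose "$WEAK_COMPOSE" || echo "fix the findings above before docker-compose up"
echo "--- hardened compose file ---"
audit_compose "$HARDENED_COMPOSE" && echo "clean"
```

The check is deliberately line-based so it works with nothing but grep and tr; it reads the port list and the `SPLUNK_USER` key as they appear in the post's layout rather than parsing YAML in general.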

Check the version of Docker Compose you are using.
docker-compose --version

Use Docker Compose to build and run your compose file in detached mode.
docker-compose up -d

Found this post useful? Kindly tap the ❤ button below! :)

About The Author

Vince has worked with Splunk for over 5 years, developing apps and reporting applications around Splunk, and now works hard to advocate its success. He has worked as a system engineer in big data companies and development departments, where he has regularly supported, built, and developed with Splunk. He has now published his first book via Packt Publishing — Learning Splunk Web Framework.


Vincent Sesto is a DevOps Engineer, Endurance Athlete, Coach and Author. One of his passions in life is endurance sports, as both an athlete, coach and author.