This repository enables users to build and manage a Splunk Enterprise sandbox on a Local Machine using Docker.
- Clone or download this repository
- Change current working directory to the cloned location
  - Example: `cd docker-splunk-minion`
- As required, add/edit the conf files in the `sandbox-app` directory
- Run `./minion run` to pull & run the latest `splunk/splunk` docker image
  - To run a specific Splunk version, run `./minion run [DOCKER_IMAGE_TAG]` (e.g.: `./minion run 8.0`)
- After starting Splunk, access the web interface using default credentials `admin:changeme` at http://localhost:8000/app/sandbox-app/
- After manually editing the objects via conf files in the `sandbox-app` directory, restart Splunk using the web interface server controls at http://localhost:8000/manager/system/control
  - Alternatively, restart the Splunk docker sandbox using the `./minion restart` command
- To persistently save the required knowledge objects outside the Splunk docker sandbox, ensure the objects are saved in `sandbox-app` and Sharing permissions are set to App ["This app"] or Global ["All apps"]
  - See all configurations at http://localhost:8000/manager/sandbox-app/admin/directory
- To stop the Splunk docker sandbox and resume later, run `./minion stop` and `./minion start` respectively
- Run `./minion rm` to remove all indexed data, private objects, and objects saved in other apps
- Run `./minion rmi` to remove the docker image
- As required, edit the `SPLUNK_PASSWORD`, `DOCKER_IMAGE_TAG`, and other variable values in the `minion` script file
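The following is an added example, not the project's own `minion` script: it shows how a minion-style `run` wrapper can compose the `docker run` command for a given tag (defaulting to `latest`, as above), mount `sandbox-app` into the container, and refuse to start while `SPLUNK_PASSWORD` is still the image's default `changeme`. It assumes the `splunk/splunk` image's `SPLUNK_PASSWORD` and `SPLUNK_START_ARGS` environment variables and the `/opt/splunk/etc/apps/sandbox-app` mount path; the container name is made up.

```shell
#!/bin/sh
# Added example (not the project's minion script). Assumptions: the splunk/splunk
# image reads SPLUNK_PASSWORD and SPLUNK_START_ARGS from the environment, and apps
# live under /opt/splunk/etc/apps inside the container.
SPLUNK_PASSWORD="${SPLUNK_PASSWORD:-changeme}"   # image default, as in the README
DOCKER_IMAGE_TAG="${DOCKER_IMAGE_TAG:-latest}"
CONTAINER_NAME="splunk-sandbox"                  # hypothetical name

# Reject an empty password or the well-known image default.
check_password() {
    case "$1" in
        ""|changeme) return 1 ;;
        *)           return 0 ;;
    esac
}

# Print (do not execute) the docker command for the requested tag.
# - web UI bound to loopback only, so the sandbox is not reachable from the LAN
# - "-e SPLUNK_PASSWORD" passes the value through from the environment without
#   putting it on the command line (keeps it out of ps output and shell history)
minion_run_cmd() {
    tag="${1:-$DOCKER_IMAGE_TAG}"
    check_password "$SPLUNK_PASSWORD" || {
        echo "refusing to start: SPLUNK_PASSWORD is unset or still the default" >&2
        return 1
    }
    printf '%s' "docker run -d --name $CONTAINER_NAME" \
        " -p 127.0.0.1:8000:8000" \
        " -v $(pwd)/sandbox-app:/opt/splunk/etc/apps/sandbox-app" \
        " -e SPLUNK_START_ARGS=--accept-license" \
        " -e SPLUNK_PASSWORD" \
        " splunk/splunk:$tag"
    printf '\n'
}

# Usage: ./wrapper.sh run [TAG]  -> prints the command for review, never runs it
if [ "${1:-}" = "run" ]; then
    cmd=$(minion_run_cmd "${2:-}") && echo "$cmd"
fi
```

Run the printed command yourself with `export SPLUNK_PASSWORD` set first; the wrapper only composes it.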
Usage: `./minion [option]`

| Option | Description | Example |
|---|---|---|
| `run [TAG]` | Run the Splunk image. If no tag is provided, the `latest` tag is used. | `./minion run`<br>`./minion run 7.3.5` |
| `start` | Start the Splunk instance on the docker sandbox | `./minion start` |
| `stop` | Stop the Splunk instance on the docker sandbox | `./minion stop` |
| `restart` | Stop and start the Splunk instance on the docker sandbox | `./minion restart` |
| `status` | Status of the Splunk instance on the docker sandbox | `./minion status` |
| `splunk [command]` | Execute a Splunk command | `./minion splunk list monitor`<br>`./minion splunk btool inputs list` |
| `shell` | Enter the interactive bash shell on the docker container | `./minion shell`<br>`./minion bash` |
| `exec [command]` | Execute a command on the docker container | `./minion exec tail /opt/splunk/var/log/splunk/splunkd.log` |
| `rm` | Remove the docker container | `./minion rm`<br>`./minion remove` |
| `rmi [TAG]` | Remove the docker image. If no tag is provided, the `latest` tag is used. | `./minion rmi`<br>`./minion rmi 7.3.5` |
- https://hub.docker.com/r/splunk/splunk
- https://github.com/splunk/docker-splunk
- https://www.splunk.com/en_us/blog/tips-and-tricks/hands-on-lab-sandboxing-with-splunk-with-docker.html