This project lets you stand up a Splunk instance in Docker on a quick and dirty basis. It is based on Splunk's official Dockerfile.
Here are some ways in which to run this container. Note that in all instances Splunk will be listening on https://localhost:8000/, so change the first argument to -p if you want a different port.
Most Common Uses:
If you are having a system issue, and want to ingest your logs, persist the ingested data between Splunk runs, and persist created dashboards as well:
docker run -p 8000:8000 -e SPLUNK_PASSWORD=password -v /var/log:/logs -v $(pwd)/data:/data -v $(pwd)/app:/app -d dmuth1/splunk-lab
If you want to do data analytics on files in the logs/ directory, and persist the ingested data between Splunk runs, and persist created dashboards as well:
docker run -p 8000:8000 -e SPLUNK_PASSWORD=password -v $(pwd)/logs:/logs -v $(pwd)/data:/data -v $(pwd)/app:/app -d dmuth1/splunk-lab
Once Splunk is running, you can log in with the admin user and the password you specified, and doing a query for index=main should show your logs.
BTW, your password will be sanity checked. Don't use password as your password. ;-)
Less Common Uses
Persist data between runs:
docker run -p 8000:8000 -v $(pwd)/data:/data dmuth1/splunk-lab
Persist data, mount the current directory as /mnt, and spawn an interactive shell:
docker run -p 8000:8000 -v $(pwd)/data:/data -v $(pwd):/mnt -it dmuth1/splunk-lab bash
Persist data and ingest multiple directories:
docker run -p 8000:8000 -v $(pwd)/data:/data -v /var/log:/logs/syslog -v /opt/log:/logs/opt/ dmuth1/splunk-lab
A Word About Security
HTTPS is turned on by default. Passwords such as 12345 are not permitted.
Please, use a strong password if you are deploying this on a public-facing machine.
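One way to avoid typing a weak password (or any password) on the command line, as an added helper script that is not part of the splunk-lab project: it generates a random SPLUNK_PASSWORD, stores it in a mode-0600 env file and starts the container with --env-file. The image name and the /logs, /data and /app mounts are taken from the README; the 8-character minimum and the small deny list are assumptions that approximate Splunk's own sanity check, which the README does not spell out.

```shell
#!/bin/sh
# Added helper, not part of the splunk-lab project: starts the container with a
# randomly generated SPLUNK_PASSWORD passed via --env-file instead of a literal
# -e on the command line. Assumptions: image dmuth1/splunk-lab and the
# /logs, /data, /app mounts from the README; the 8-character minimum and the
# deny list approximate Splunk's own sanity check, which is not shown here.

# Reject values the README says Splunk refuses, plus a few common stand-ins.
password_ok() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    case "$pw" in
        password|12345|12345678|changeme|admin) return 1 ;;
    esac
    return 0
}

# 16 bytes from /dev/urandom rendered as 32 hex characters (128 bits of entropy).
gen_password() {
    od -An -tx1 -N 16 /dev/urandom | tr -d ' \n'
}

# Write SPLUNK_PASSWORD=... to an env file created with mode 0600, so the
# secret stays out of shell history and `ps` output (docker inspect still shows it).
write_env_file() {
    file=$1
    pw=$2
    password_ok "$pw" || return 1
    ( umask 077 && printf 'SPLUNK_PASSWORD=%s\n' "$pw" > "$file" )
}

# Usage: SPLUNK_LOGDIR=/var/log sh splunk_lab_up.sh
# The container is started only when SPLUNK_LOGDIR is set, so sourcing this
# file just for the helper functions has no side effects.
if [ -n "${SPLUNK_LOGDIR:-}" ]; then
    write_env_file ./splunk.env "$(gen_password)" || exit 1
    echo "SPLUNK_PASSWORD written to ./splunk.env; log in as admin with it"
    docker run -p 8000:8000 --env-file ./splunk.env \
        -v "$SPLUNK_LOGDIR:/logs" -v "$PWD/data:/data" -v "$PWD/app:/app" \
        -d dmuth1/splunk-lab
fi
```

Splunk still applies its own check on the value at startup, so a password that passes here but fails there will show up in `docker logs` rather than as a running instance.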
Does this work on Macs?
Sure does! I built this on a Mac. :-)
Run the first line to stand up a development instance, and the subsequent lines when you want to push up changes to Docker Hub:
docker build . -t splunk-lab && docker run -p 8000:8000 -v $(pwd):/mnt -v /var/log:/logs -it splunk-lab bash
Development with an Nginx instance feeding logs
If you'd like to spin up Splunk Lab, but also have a copy of Nginx running on http://localhost:9001, try running this command:
docker-compose -f ./devel/docker-compose.yml up
Nginx's logs will be written to the same directory that Splunk Lab ingests logs from, so queries for index=main should start to show results almost immediately. Furthermore, a client is spun up which runs a GET request against Nginx once every 10 seconds, which causes logs to be written and ingested into the main index almost immediately.
Run this when you're ready to push up changes to Docker Hub:
docker build . -t splunk-lab && docker tag splunk-lab dmuth1/splunk-lab && docker push dmuth1/splunk-lab