Skip to content
Provides docker-compose template for Kafka monitoring with Splunk
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Copyright 2018-2019 Guilhem Marchand

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


This repository contains docker-compose templates that will create ouf of the box a full Kafka Confluent OSS environment in Docker.

Its purpose is first of all to qualify, test and demonstrate the monitoring of a full Kafka/Confluent environment with Splunk.

The following diagram represents the metrics data collection:


Two docker-compose.yml templates are provided in the following directories:



The first template suffixed by "_ondocker" will run a Splunk standalone instance in Docker, while the second will attempt to send metrics to your local Splunk instance. (using the dockerhost container to communicate with your local guest machine)

In the case of the template running Splunk on Docker, the setup of Splunk (index definition, HEC token creation...) is entirely automatic.

In both cases, the target for HEC (your Splunk server running the HTTP Event Collector) and the token are variables loaded as environment variables in the Telegraf containers:

      SPLUNK_HEC_URL: "https://dockerhost:8088"
      SPLUNK_HEC_TOKEN: "205d43f1-2a31-4e60-a8b3-327eda49944a"

Shall you want to send the metrics to a third party destination and/or using a different token value, modify these values in the docker-compose.yml file.

Included containers

  • Zookeeper cluster (3 nodes)
  • Kafka broker cluster (3 nodes)
  • Kafka connect cluster (3 nodes)
  • Confluent schema-registry
  • Confluent kafka-rest
  • Confluent ksql-server
  • Kafka LinkedIn SLA monitor container
  • Telegraf container polling and sending to your Splunk metric store
  • Yahoo Kafka Manager (port exposed to localhost:9000)
  • Kafka Burrow Consumer lag Monitoring (port exposed to localhost:9001, login: admin, password: ch@ngeM3)

In addition, these templates will run a few containers that will create a Kafka stream from Confluent example repositories, to create a consumer we can monitor and generate some activities in Kafka.


To be able to use these templates, you need:

  • docker
  • docker-compose

Several ports are exposed to the localhost, and need to be available on the machine:

  • 12181 / 22181 / 32181 (Zookeeper)
  • 19092 / 29092 / 39092 (Kafka Brokers)
  • 18082 / 28082 / 38082 (Kafka Connect)
  • 18081 (schema-registry)
  • 18088 (ksql-server)
  • 18089 (kafka-rest)
  • 9000 (kafka-manager)
  • 9002 (Burrow)
  • 7070 (kafka stream sample app)
  • 8000 / 8089 / 8088 / 9997 (Splunk, only if using _ondocker template)

Some resources (CPU/Memory)... this runs perfectly fine on my laptop... (but consumes lots of battery yes...)

Using the templates

Start by cloning the repository:

git clone

Then to start a template:

cd template_docker_splunk_ondocker

Docker will download any image required, and the start the full environment.

Splunk requires around 30 seconds to start, you can verify the instance state:

docker-compose logs splunk

Once Splunk has been started, you can access to Splunk Web:


  • login: admin
  • password: ch@ngeM3

Verify metrics ingestion in Splunk:

| mcatalog values(metric_name) as metric_name, values(_dims) where index=telegraf_kafka

Metrics Workspace application

Install the Metrics Workspace application in Splunk:


The Metrics Workspace application is not mandatory at all, but it very useful and convenient to explore and visualize available metrics in a friendly and efficient UI.

Kafka Smart Monitoring application

Once your environment is up, download the Kafka Monitoring Application, install from Splunk Web UI, ideally restart Splunk via the UI and appreciate a fully ready, up and running monitoring solution.


Transfer files between host and the Splunk container

If you are using the _ondocker template, you can easily make files available to the container:

You can use the splunk/container_share directory to share files with the splunk docker container (in /opt/splunk/container_share) for ease.

This is specially useful if you want to run ITSI.

ITSI module for Kafka Smart Monitoring

If you deployed ITSI, or if you are running ITSI on the Splunk target instance, download and install the Kafka module:

Restart Splunk after the installation, you can start creating the entities using the builtin entities discovery, and create services with the builtin service templaces.


To destroy the environment:

Finally, you can totally destroy the environment:


What about event logging?

This repository does not manage the indexing of event logs from the different components, the aspects are entirely taken in charge by the Kafka Smart Monitoring application, and the ITSI Module for Kafka Smart Monitoring.

See for more information:

Traditional dedicated, Kubernetes, real-world configuration and Production ready

The purpose of these templates is to demonstrate and/or build a easy quick lab in a minute.

Real World instructions and templates for a Production ready deployment, be in Kubernetes or traditional dedicated servers, are covered in the following repository:

You can’t perform that action at this time.