Docker + Splunk installation

Recently I needed to get up to speed quickly on the Splunk architecture. My computer could not run a VM, so the only option was to do it in Docker. I downloaded Docker Desktop first and found it works very well:

1: Open PowerShell on Windows 10 and run the commands below:

1: Create a network:

docker network create --driver bridge --attachable skynet

2: Splunk Enterprise:

$ docker run --network skynet --name so1 --hostname so1 -p 8000:8000  -e "SPLUNK_PASSWORD=<password>" -e "SPLUNK_START_ARGS=--accept-license" -it splunk/splunk:latest

This command does the following:

  1. Starts a Docker container using the splunk/splunk:latest image.
  2. Launches the container in the formerly-created bridge network skynet.
  3. Names the container and the host as so1.
  4. Exposes a port mapping from the host’s 8000 port to the container’s 8000 port.
  5. Specifies a custom SPLUNK_PASSWORD.
  6. Accepts the license agreement with SPLUNK_START_ARGS=--accept-license. This agreement must be explicitly accepted on every container, or Splunk Enterprise doesn’t start.

After the container starts up successfully, you can access Splunk Web at http://localhost:8000 with admin:<password>.

3: Splunk Universal Forwarder

Start a single, standalone instance of Splunk Universal Forwarder in the network created above, replacing <password> with a password string that conforms to the Splunk Enterprise password requirements.

$ docker run --network skynet --name uf1 --hostname uf1 -e "SPLUNK_PASSWORD=<password>"  -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_STANDALONE_URL=so1"  -it splunk/universalforwarder:latest

This command does the following:

  1. Starts a Docker container using the splunk/universalforwarder:latest image.
  2. Launches the container in the formerly-created bridge network skynet.
  3. Names the container and the host as uf1.
  4. Specifies a custom SPLUNK_PASSWORD.
  5. Accepts the license agreement with SPLUNK_START_ARGS=--accept-license. This agreement must be explicitly accepted on every container, otherwise Splunk Enterprise doesn’t start.
  6. Connects it to the standalone instance created earlier to automatically send logs to so1.

NOTE: The Splunk Universal Forwarder does not have a web interface. If you require access to the Splunk installation in this particular container, refer to the REST API documentation or use docker exec to access the Splunk CLI.

You successfully created a distributed deployment with docker-splunk!

If everything went smoothly, you can log in to your Splunk Enterprise instance at http://localhost:8000, and then run a search to confirm the logs are available. For example, a query such as index=_internal should return all the internal Splunk logs for both host=so1 and host=uf1.
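The three steps above as one script, added here as an example and not taken from the original post or from docker-splunk: it runs both containers detached, reads the password from an exported SPLUNK_PASSWORD variable instead of typing it on the command line, and then confirms through the REST API that index=_internal holds events from both so1 and uf1. It assumes Docker and curl are available and additionally publishes the management port 8089, which the post does not.

```shell
#!/bin/sh
# Added example, not from the original post: bring up so1 and uf1 on the
# "skynet" network and confirm through the REST API (management port 8089,
# which the post does not publish) that index=_internal holds events from
# both hosts. The password is read from the SPLUNK_PASSWORD environment
# variable so it never appears on the command line. Assumes Docker and curl.
set -eu

# Splunk's default password policy requires at least 8 characters.
check_password() { [ "${#1}" -ge 8 ]; }

# Block until the image's HEALTHCHECK reports healthy (or none is defined).
wait_healthy() {
  for _ in $(seq 1 60); do
    s=$(docker inspect --format '{{if .State.Health}}{{.State.Health.Status}}{{else}}none{{end}}' "$1")
    [ "$s" = healthy ] || [ "$s" = none ] && return 0
    sleep 5
  done
  return 1
}

# Distinct hosts from "host,count" CSV; tolerates repeated (preview) headers.
hosts_from_csv() {
  printf '%s\n' "$1" | awk -F, 'NR>1 && $1!="host" && $1!="" {print $1}' \
    | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# True when the space-separated host list contains the given host.
has_host() { case " $1 " in *" $2 "*) return 0;; esac; return 1; }

search_hosts() {
  curl -sk -u "admin:$SPLUNK_PASSWORD" https://localhost:8089/services/search/jobs/export \
    -d output_mode=csv -d search='search index=_internal earliest=-15m | stats count by host'
}

main() {
  check_password "$SPLUNK_PASSWORD" || { echo "SPLUNK_PASSWORD needs 8+ characters" >&2; exit 1; }
  docker network inspect skynet >/dev/null 2>&1 || docker network create --driver bridge --attachable skynet
  docker run -d --network skynet --name so1 --hostname so1 -p 8000:8000 -p 8089:8089 \
    -e SPLUNK_PASSWORD -e SPLUNK_START_ARGS=--accept-license splunk/splunk:latest
  docker run -d --network skynet --name uf1 --hostname uf1 -e SPLUNK_PASSWORD \
    -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_STANDALONE_URL=so1 splunk/universalforwarder:latest
  wait_healthy so1; wait_healthy uf1
  hosts=$(hosts_from_csv "$(search_hosts)")
  echo "hosts in index=_internal: $hosts"
  has_host "$hosts" so1 && has_host "$hosts" uf1 && echo "OK: uf1 is forwarding to so1"
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as `SPLUNK_PASSWORD=... sh splunk-demo.sh run` with the variable exported. Note that the Forwarder Management page only lists forwarders configured as deployment clients, while SPLUNK_STANDALONE_URL only configures the forwarder's outputs, so uf1 appears as a host in searches but not there.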

4: Now let's take a look at Docker Desktop:


I found that the Splunk Enterprise container's CLI command opens a terminal inside the Docker container, which takes you into the Linux environment.

5: One question remains: after logging in to the Splunk web interface, Forwarder Management does not show the uf1 container that was added.

But the forwarder container just created really has been added (you can see there are now two hosts):


6: References:

Navigation | docker-splunk
