Splunk Enterprise Docker Image
Demo of Splunk Image with Docker App running in Docker container
(Note this image is not yet available in a public docker repo due to export compliance guidelines — we are working to resolve and plan to make it available in Docker Store in October.)
- (Optional) Sign up for a Docker ID at Docker Hub.
- Signup for a GitHub Account.
- You will need an IDE on your system so you can run make and git commands.
- Install Docker Toolbox (Mac OS below)
- Open Docker QuickStart Terminal
- login to dockerhub account (command: docker login) - you will then be prompted to enter your credentials
- Clone Github Repo
- In Terminal enter command: git clone https://github.com/splunk/docker-gettingstarted-conf2016.git
- you will be prompted to login to github - you will be prompted to enter credentials
- Access the github directory that was just created
- Enter the following commands and let each run
- make clean [Note: you will get Error 1 (ignored) if running first time]
- make step0
- make step1
- make step2
- make step3
- make step4
-
Access your Splunk Enterprise web UI, http://127.0.0.1:8000/
-
Try a sample field extraction for the sample app
-
Give yourself read access to the new Splunk indexes
- Go to Settings > Access Controls > Roles > Admin
- Indexes searched by default
- Add mysql_logs
- SAVE
-
Go to the search app
-
search sourcetype=“fake-data"
-
Select Extract new fields
-
select event click next
-
select method regular expression ** extract (email portion) label as “Email" * extract (ip address as) “IP_Address" * extract ID portion as “ID"
- Demonstrate how you can use the Splunk logging driver, https://docs.docker.com/engine/admin/logging/splunk/
-
Go back to your terminal window and enter command:
-
make step5
-
Look at the Splunk logging driver data from the Splunk docker overview dashboard, http://127.0.0.1:8000/en-US/app/app-docker/docker_overview
Showing the Docker Overview screen provides good insight into a breadth of items you can show.
More information about the Docker images and how to pull and run them is available in the README for each image.
If you have questions or need support, you can:
- Post a question to Splunk Answers
- Join the Splunk Slack channel
- Visit the #splunk channel on EFNet Internet Relay Chat
- Send an email to [email protected]