andrew207

[Support] atunnecliffe - Splunk


Overview: Docker image for Splunk. Allows arbitrary version (currently defaults to 7.3.0) / auto-install apps / more.

Application: Splunk https://www.splunk.com/

Docker Hub: https://hub.docker.com/r/atunnecliffe/splunk

GitHub: https://github.com/andrew207/splunk

Documentation: https://github.com/andrew207/splunk/blob/master/README.md // https://docs.splunk.com/Documentation/Splunk

 

Any issues let me know here.


Hi!
As a Splunk admin, thanks a lot for your work; I was on the verge of installing it on a full CentOS VM.

Will let you know if I need something.


This image doesn't seem to be working fully.

 

If you change or add another Path, Port, Variable, Label or Device, or set an IP for the container, the whole image gets reset back to factory settings.


Queueiz, if you want full persistence of your entire install you'll need to add a volume for the entire /opt/splunk directory. I haven't tested this; I may need to patch the installer script so it checks for an existing installation in /opt/splunk/ rather than just an existing installer file.

You can stop/start the container all you want, but if you rebuild it you will lose config by default (by design, in a perhaps misguided attempt to follow Splunk best practice). The container will only persist your indexed data if you have created a volume for /opt/splunk/var.

 

--- edit:

@queueiz

I just tried to properly configure a volume for /opt/splunk for a full persistent install but Splunk started throwing some very obscure errors. I'll look further into this, perhaps I'll try to configure a persistent mount for the config in /opt/splunk/etc alongside indexed data in /opt/splunk/var, but I'll probably have to leave the rest of the application to be installed on every container rebuild.

 

Feel free to try swapping to the Docker Hub tag "fullpersist" (i.e. in Unraid set Repository to "atunnecliffe/splunk:fullpersist"), removing any /opt/splunk/var volume and adding an /opt/splunk volume.

Edited by andrew207
new info


I tried just that and it seems to be working better now. 

 

Thank you.

On 7/7/2019 at 8:23 AM, queueiz said:

I tried just that and it seems to be working better now. 

 

Thank you.

 

@queueiz Can you be more specific? What did you try exactly to get this working? Thanks!

Edited by GHunter


I too would like to know what was changed to make this work as a persistent docker.


If you want a fully persistent install, for some reason Splunk throws some pretty odd errors. They don't seem to hinder functionality, so if you're cool ignoring them then you can do the following @wedge22 @GHunter:

Just add a volume for /opt/splunk/etc.

The /opt/splunk/etc directory stores all of your customisation. By default we already have a volume for /opt/splunk/var, the directory that stores all indexed data; so with these two your install should feel fully persistent.

Edited by andrew207
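
An added example (not part of the original posts and not the image's own code): a Python check over `docker inspect` output that reports whether the two directories named in the thread, /opt/splunk/etc and /opt/splunk/var, are backed by a bind mount or named volume. The sample JSON and host path are constructed, and treating a 64-hex-character volume name as an anonymous volume (which Docker does not reattach when the container is recreated) is a heuristic assumption.

```python
import json
from pathlib import PurePosixPath

# Directories the thread says must persist: config/customisation and indexed data.
REQUIRED = ("/opt/splunk/etc", "/opt/splunk/var")

# Constructed sample of `docker inspect <container>` output, trimmed to the Mounts field.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/splunk",
    "Mounts": [
        {"Type": "bind", "Source": "/mnt/user/appdata/splunk/etc",
         "Destination": "/opt/splunk/etc"},
        {"Type": "volume", "Name": "9f" * 32,  # anonymous volume: 64 hex chars
         "Source": "/var/lib/docker/volumes/" + "9f" * 32 + "/_data",
         "Destination": "/opt/splunk/var"},
    ],
}])

def is_anonymous(mount):
    """Heuristic (assumption): anonymous volumes carry a 64-character hex name."""
    name = mount.get("Name", "")
    return (mount.get("Type") == "volume" and len(name) == 64
            and all(c in "0123456789abcdef" for c in name))

def covering_mount(path, mounts):
    """Return the most specific mount whose destination is path or a parent of it."""
    target = PurePosixPath(path)
    best = None
    for m in mounts:
        dest = PurePosixPath(m["Destination"])
        if dest == target or dest in target.parents:
            if best is None or len(dest.parts) > len(PurePosixPath(best["Destination"]).parts):
                best = m
    return best

def persistence_report(inspect_json):
    """Map each required directory to 'persistent', 'anonymous-volume' or 'not-mounted'."""
    mounts = json.loads(inspect_json)[0].get("Mounts") or []
    report = {}
    for path in REQUIRED:
        m = covering_mount(path, mounts)
        if m is None:
            report[path] = "not-mounted"
        elif is_anonymous(m):
            report[path] = "anonymous-volume"
        else:
            report[path] = "persistent"
    return report

if __name__ == "__main__":
    for path, state in persistence_report(SAMPLE_INSPECT).items():
        print(f"{path}: {state}")
```

Anything reported as `not-mounted` or `anonymous-volume` would start empty after a container rebuild; for /opt/splunk/var that means the indexed data.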


Thanks for the reply @andrew207. I have tried to make changes, but as of this morning the docker is no longer working for me, even from a clean install.

 

[Attached image: splunkdockererrors.PNG]


Hey @wedge22 that one may be due to a bad download -- doesn't happen on my end on UnRAID or on Win 10 hypervisors.

 

In an attempt to make this answer a bit more useful, here's a screenshot showing my container config, change being the added "App Data" volume:

[Attached image: container config screenshot]

Edited by andrew207
add more info
