Running Splunk in Docker trying to connect to Heroku

dkillian
New Member

I followed steps in "Heroku App for Splunk"...

  • I'm running Docker Splunk
  • Turned on logging (on Heroku)
  • Installed App (Heroku App for Splunk)
  • Switched on port:514 (within Splunk)
  • Ran: heroku drains:add syslog://YOUR_INDEXER'S_IP:PORT_FOR_INPUT --app YOUR_APP_NAME
  • No errors, but no data is being received by Splunk.

The question that I have is that I am using the IP address of the docker container (from "docker inspect").
Do I need to open port 514 on the Docker container?
Any help or insight is appreciated!
-David

0 Karma

codebuilder
SplunkTrust

You'll also need to ensure that IP Forwarding is enabled on the OS in order to allow Docker to do what you are attempting.

I don't know Mac OS, but the Linux equivalent is set via sysctl:

net.ipv4.conf.all.forwarding = 1
and/or
net.ipv6.conf.all.forwarding = 1

Without those Docker will never be able to communicate with the outside world.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

mattymo
Splunk Employee

Hi dkillian!

Where are you running docker, also what version/flavor?

You will need to expose the port to the host, so that the host machine running docker can bridge or route the external traffic to the container.

Start here:

https://docs.docker.com/v17.09/engine/userguide/networking/default_network/binding/

- MattyMo
0 Karma

dkillian
New Member

Hi mmodestino!

First, thanks for your response! I realized I was a bit too hasty and didn't really provide a lot of info.

Docker
- Version: 18.03.1
- System: Macbook Pro / macOS 10.13.4
- Image: splunk/splunk
- Run command: docker run -d -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_USER=root" -p "8000:8000" -p "514:514" splunk/splunk

I am attempting to receive a log stream from Heroku (via a log drain, with a target IP and port, for which I am using my Mac's current IP address). Splunk listens on port 514. I know I've set up the drain correctly on the Heroku side. I've got nettop running on my Mac and I see data coming in.

It seems like I need to bridge into the container. So I must have set up the run command incorrectly. Not sure what to do... should I just open all of the ports to the container? Can I do that on a running container?

I appreciate your help!!

-dkillian

0 Karma

mattymo
Splunk Employee

When you run sudo lsof -i -n -P | grep UDP

Do you see 514 being served by your mac??

I will try this set up as soon as I can and try and provide the docker config.

- MattyMo
0 Karma
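As an added illustration of the port-publishing point raised in this thread (this is not code from the thread, from Splunk or from Docker): a small Python helper that parses the -p flags of a docker run line and reports which host port/protocol pairs can actually reach the container. Docker publishes TCP only unless the spec ends in /udp, so the run command posted above reaches the container on TCP 514 but not on UDP 514; the helper names and the FIXED_RUN command are hypothetical.

```python
from __future__ import annotations
import shlex
from dataclasses import dataclass

@dataclass(frozen=True)
class Published:
    host_ip: str        # "0.0.0.0" when no address was given
    host_port: int      # 0 means Docker picks an ephemeral host port
    container_port: int
    proto: str          # "tcp", "udp" or "sctp"

def _ports(text: str) -> list[int]:
    """Expand "514" or "8000-8001" into a list of ints."""
    lo, _, hi = text.partition("-")
    return list(range(int(lo), int(hi or lo) + 1))

def parse_publish_spec(spec: str) -> list[Published]:
    """Parse one -p value of the form [ip:][hostPort:]containerPort[/proto]."""
    body, _, proto = spec.partition("/")
    proto = (proto or "tcp").lower()          # Docker's default is TCP only
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"unknown protocol in {spec!r}")
    parts = body.rsplit(":", 2)               # IPv6 literals stay in parts[0]
    ctr_ports = _ports(parts[-1])
    host_field = parts[-2] if len(parts) >= 2 else ""
    host_ports = _ports(host_field) if host_field else [0] * len(ctr_ports)
    ip = parts[0] if len(parts) == 3 and parts[0] else "0.0.0.0"
    if len(host_ports) != len(ctr_ports):
        raise ValueError(f"port range length mismatch in {spec!r}")
    return [Published(ip, h, c, proto) for h, c in zip(host_ports, ctr_ports)]

def published_ports(run_cmd: str) -> set[Published]:
    """Collect every published mapping from the -p / --publish flags of a docker run line."""
    argv, out, i = shlex.split(run_cmd), set(), 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-p", "--publish"):
            out.update(parse_publish_spec(argv[i + 1])); i += 2
        elif arg.startswith("--publish="):
            out.update(parse_publish_spec(arg.split("=", 1)[1])); i += 1
        else:
            i += 1
    return out

def reaches_container(run_cmd: str, host_port: int, proto: str) -> bool:
    """True if traffic arriving on host_port/proto is forwarded into the container."""
    return any(p.host_port == host_port and p.proto == proto for p in published_ports(run_cmd))

# The run command quoted in the thread, and a hypothetical variant that also publishes UDP 514.
ORIGINAL_RUN = 'docker run -d -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_USER=root" -p "8000:8000" -p "514:514" splunk/splunk'
FIXED_RUN = ORIGINAL_RUN.replace('-p "514:514"', '-p "514:514" -p "514:514/udp"')
```

Run reaches_container(ORIGINAL_RUN, 514, "udp") before changing anything on the Heroku side: if it is False and the Splunk input is UDP, the drain traffic stops at the host and never enters the container.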