Getting Data In

Getting error while creating Splunk universal forwarder using Alpine base image

vrathore2016
New Member

I am trying to create a Splunk universal forwarder image using the alpine:3.8 base image.

FROM alpine:3.8

ENV VERSION=6.3.1
ENV BUILD=f3e41e4b37b2
ENV SPLUNK_USER=root
ENV SPLUNK_GROUP=root
ENV SPLUNK_OUTPUT_SERVER=test:9997
ENV SPLUNK_HOME=/opt/splunkforwarder/

RUN mkdir -p /opt

COPY ./config /tmp/splunk

# -f makes curl fail on an HTTP error instead of piping an error page into tar,
# and https so the binary you are about to run is not fetched in the clear
RUN apk add --no-cache curl \
    && curl -fsSL https://download.splunk.com/products/splunk/releases/${VERSION}/universalforwarder/linux/splunkforwar... | tar xvz -C /opt

WORKDIR /opt/splunkforwarder/

# Splunk management port
EXPOSE 8089

# Network Input
EXPOSE 514

VOLUME [ "/opt/splunkforwarder/etc", "/opt/splunkforwarder/var" ]

COPY ./patch-entrypoint.sh /sbin/entrypoint.sh

# The copied script is never run unless it is declared as the entrypoint;
# CMD is then passed to it as arguments, so it should finish with exec "$@"
ENTRYPOINT ["/sbin/entrypoint.sh"]
CMD ["/opt/splunkforwarder/bin/splunk", "start", "--accept-license", "--answer-yes", "--no-prompt", "--nodaemon"]

Now I am facing a couple of issues here:

When I run /opt/splunkforwarder/bin/splunk start --accept-license, I get /opt/splunkforwarder/bin/splunk: not found.
I am using a custom outputs.conf file. It's in the config folder.

[tcpout]
defaultGroup = abc
disabled = false

[tcpout:abc]
server = _OUTPUT_SERVERS_
autoLB = true
compressed = false
useACK = true
sendCookedData = true

entrypoint.sh is the script I am using to replace the environment variable in outputs.conf and restart Splunk, but again the restart is not working.

Please help me fix this.

0 Karma
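The substitution step the question describes, as an added example that is not the poster's patch-entrypoint.sh (which the post does not show): a /bin/sh function that renders the _OUTPUT_SERVERS_ placeholder from the value of SPLUNK_OUTPUT_SERVER and refuses to write anything for an empty or malformed server list, so a misconfigured container fails at start-up rather than running a forwarder with nowhere to send data. It is written for busybox sh because alpine:3.8 has no bash unless you apk add it. The function names, the sample template (copied from the question into a temp dir) and the destination path under etc/system/local in the usage comment are my assumptions, not something the post states.

```shell
#!/bin/sh
# Added example, not the poster's patch-entrypoint.sh: render the
# _OUTPUT_SERVERS_ placeholder in an outputs.conf template from the value of
# SPLUNK_OUTPUT_SERVER. Written for /bin/sh (busybox ash) because alpine:3.8
# has no bash unless you apk add it.
set -eu

# render_outputs_conf TEMPLATE DEST SERVERS
# Writes DEST = TEMPLATE with every _OUTPUT_SERVERS_ replaced by SERVERS.
# Fails closed (no file written) on an empty or malformed server list.
render_outputs_conf() {
    template=$1; dest=$2; servers=$3
    if [ -z "$servers" ]; then
        echo "render_outputs_conf: SPLUNK_OUTPUT_SERVER is empty" >&2
        return 1
    fi
    # Accept only host:port[,host:port...] (hostnames or IPv4 literals; IPv6
    # literals would need their own syntax). Restricting the character set is
    # also what makes the sed replacement below safe: none of the allowed
    # characters is special on the replacement side of s|||.
    if printf '%s\n' "$servers" | tr ',' '\n' | grep -Evq '^[A-Za-z0-9._-]+:[0-9]+$'; then
        echo "render_outputs_conf: malformed server list '$servers'" >&2
        return 1
    fi
    sed "s|_OUTPUT_SERVERS_|$servers|g" "$template" > "$dest.tmp"
    # A placeholder that survived means the template was edited; do not ship it.
    if grep -q '_OUTPUT_SERVERS_' "$dest.tmp"; then
        echo "render_outputs_conf: placeholder still present after substitution" >&2
        rm -f "$dest.tmp"
        return 1
    fi
    mv "$dest.tmp" "$dest"
}

# Constructed sample template (the outputs.conf from the question), written
# to a fresh temp dir; prints the dir so callers can find it.
make_sample_template() {
    dir=$(mktemp -d)
    cat > "$dir/outputs.conf.tmpl" <<'EOF'
[tcpout]
defaultGroup = abc
disabled = false

[tcpout:abc]
server = _OUTPUT_SERVERS_
autoLB = true
compressed = false
useACK = true
sendCookedData = true
EOF
    printf '%s\n' "$dir"
}

# Usage in an entrypoint (paths are assumptions; etc/system/local is where
# hand-written overrides normally live):
#   render_outputs_conf /tmp/splunk/outputs.conf \
#       /opt/splunkforwarder/etc/system/local/outputs.conf "$SPLUNK_OUTPUT_SERVER"
#   exec "$@"    # hand over to the Dockerfile CMD, i.e. splunk start ... --nodaemon
```

Ending the entrypoint with exec "$@" is what lets the CMD from the Dockerfile still start the forwarder as PID 1 once the config has been rendered; restarting a splunk that was never started is what the "restart is not working" symptom usually comes down to in this pattern.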

Richfez
SplunkTrust

Alpine, the Linux distribution?

Also, are you trying to install Splunk UF version 6.3.1? I heartily recommend using a newer version. Is 6.3.1 even supported any more?

So, after your ... "thing" that you are doing, you are getting "/opt/splunkforwarder/bin/splunk: not found". So, have you looked at your filesystem and seen where it really is? Is it where it's supposed to be, or missing?

If it's not there, then obviously something in your automation is not working right - debug your automation; I don't think there's a Splunk problem.

If it IS there, then check permissions, ownership, executability - all those things that you'd check if you were sitting at the console trying to run it and it said "not found". This may or may not be a Splunk problem, but likely is a problem with your chosen Linux distribution (being, if I looked it up right, a "security oriented, lightweight distribution" immediately indicates to me that "your stuff may or may not work, because we may have locked it down too tight or we might have not included critical libraries your app needs").

I do agree nothing I see in the config seems to be obviously off, assuming "tar xvz -C /opt" actually extracts to /opt (I always just cd /opt, then tar xvz in there).

Also, it may or may not matter in this case, but the uid/gid of the directories created after extracting are 506, so you may need to chown them to root?

0 Karma
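The checks listed in the answer (is the file there, is it executable, does it have the libraries it needs), as an added diagnostic that is not from the thread. A shell prints "<path>: not found" for a file that is on disk in two common cases: a script whose #! interpreter is absent (alpine:3.8 ships busybox /bin/sh but no /bin/bash until you apk add it), and a dynamically linked ELF whose program interpreter is absent (glibc-linked x86-64 binaries ask for /lib64/ld-linux-x86-64.so.2, which a musl-based image such as alpine does not have; the latter is the usual cause on Alpine). The ELF branch pulls the loader path out of the file with tr and grep because neither file(1) nor readelf is in the base image; that is a heuristic, and readelf -l from binutils is the authoritative check. The function name and the paths in the usage comment are mine.

```shell
#!/bin/sh
# Added example, not from the thread: explain why a shell prints
# "<path>: not found" for a program that is actually on disk.
# Prints one diagnosis token on stdout and returns 0; returns 1 on usage error.
why_not_found() {
    f=${1:?usage: why_not_found PATH}
    [ -e "$f" ] || { echo "missing"; return 0; }             # really absent
    [ -x "$f" ] || { echo "not-executable"; return 0; }      # needs chmod +x

    # First four bytes as hex: 2321 is "#!", 7f454c46 is "\177ELF".
    magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $magic in
    2321*)
        # Script: the kernel execs the #! interpreter. If that is absent, the
        # shell blames the *script* ("not found"). alpine:3.8 ships busybox
        # /bin/sh but no /bin/bash until you apk add bash.
        first=$(head -n1 "$f")
        set -- ${first#"#!"}                 # split "interp [arg]" into words
        interp=${1:-}
        if [ "${interp##*/}" = env ] && [ $# -ge 2 ]; then
            interp=$(command -v "$2" || printf '%s\n' "$2")   # "#!/usr/bin/env bash"
        fi
        if [ -x "$interp" ]; then echo "ok"; else echo "interpreter-missing:$interp"; fi
        ;;
    7f454c46)
        # ELF: a dynamically linked program names its loader in PT_INTERP.
        # glibc-linked x86-64 builds ask for /lib64/ld-linux-x86-64.so.2; a
        # musl-based image such as alpine has only /lib/ld-musl-*.so.1, so the
        # kernel's ENOENT for the loader surfaces as "not found" for the program.
        # Heuristic extraction (tr/grep) because neither file(1) nor readelf is
        # in the base image; with binutils installed, "readelf -l FILE | grep
        # interpreter" is the authoritative check.
        ldso=$(tr -c '[:print:]' '\n' < "$f" | grep -m1 '^/.*ld[-_a-z0-9.]*\.so' || true)
        if [ -z "$ldso" ]; then echo "static-or-no-interp"
        elif [ -x "$ldso" ]; then echo "ok"
        else echo "loader-missing:$ldso"
        fi
        ;;
    *)  echo "unknown-format" ;;
    esac
}

# Usage (the two paths from the question):
#   why_not_found /opt/splunkforwarder/bin/splunk
#   why_not_found /sbin/entrypoint.sh
```

A "loader-missing" result is not fixed by chown or chmod; the options are a glibc-based base image, or a glibc compatibility layer installed into the Alpine image, and the same check applies to the entrypoint script if its first line names bash.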