Getting Data In

Getting ERROR while Creating splunk UNIVERSAL FORWARDER using alpine base image

New Member

I am trying to create a Splunk universal forwarder image using alpine:3.8 base image.

FROM alpine:3.8

ENV VERSION 6.3.1
ENV BUILD f3e41e4b37b2
ENV SPLUNK_USER=root
ENV SPLUNK_GROUP=root
ENV VERSION 6.3.1
ENV BUILD f3e41e4b37b2
ENV SPLUNK_OUTPUT_SERVER=test:9997
ENV SPLUNK_HOME=/opt/splunkforwarder/

RUN mkdir -p /opt

COPY ./config /tmp/splunk

RUN apk add curl \
    && curl http://download.splunk.com/products/splunk/releases/${VERSION}/universalforwarder/linux/splunkforwar... | tar xvz -C /opt

WORKDIR /opt/splunkforwarder/

# Splunk management port
EXPOSE 8089

# Network Input
EXPOSE 514

VOLUME [ "/opt/splunkforwarder/etc", "/opt/splunkforwarder/var" ]

COPY ./patch-entrypoint.sh /sbin/entrypoint.sh

CMD ["/opt/splunkforwarder/bin/splunk", "start", "--accept-license", "--answer-yes", "--no-prompt", "--nodaemon"]

Now I am facing a couple of issues here:

When I am running /opt/splunkforwarder/bin/splunk start --accept-license I am getting /opt/splunkforwarder/bin/splunk: not found.
I am using custom output.conf file. It's in config folder.

[tcpout]
defaultGroup = abc
disabled = false

[tcpout:abc]
server = _OUTPUT_SERVERS_
autoLB = true
compressed = false
useACK = true
sendCookedData = true

entrypoint.sh is the script which I am using to replace the environment variable from output.config and restart the splunk but again restart is not working.

please help me to fix this.

0 Karma

SplunkTrust
SplunkTrust

Alpine the linux distribution?

Also, are you trying to install Splunk UF version 6.3.1? I heartily recommend using a newer version. Is 6.3.1 even supported any more?

So, after your ... "thing" that you are doing you are getting a "/opt/splunkforwarder/bin/splunk" not found. So, have you looked at your filesystem and seen where it really is? Is it where it's supposed to be, or missing?

If it's not there, then obviously something in your automation is not working right - debug your automation, I don't think there's a Splunk problem.

If it IS there, then check permissions, ownership, executability - all those things that you'd check if you were sitting at the console trying to run it and it said "not found". This may or may not be a Splunk problem, but likely is a problem with your chosen Linux distribution (being, if I looked it up right, a "security oriented, lightweight distribution" immediately indicates to me that "your stuff may or may not work, because we may have locked it down too tight or we might have not included critical libraries your app needs".

I do agree nothing I see in the config seems to be obviously off assuming "tar xvz -C /opt" actually extracts to /opt (I always just cd /opt, then tar xzv in there.)

Also, it may or may not matter in this case, but the uid/gid of the directories created after extracting are 506, so you may need to chown them to root?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!