Getting ERROR while Creating splunk UNIVERSAL FORWARDER using alpine base image

I am trying to create a Splunk universal forwarder image using alpine:3.8 base image.

FROM alpine:3.8

ENV BUILD f3e41e4b37b2
ENV SPLUNK_HOME=/opt/splunkforwarder/

RUN mkdir -p /opt

COPY ./config /tmp/splunk

RUN apk add curl \
    && curl${VERSION}/universalforwarder/linux/splunkforwar... | tar xvz -C /opt

WORKDIR /opt/splunkforwarder/

# Splunk management port

# Network Input

VOLUME [ "/opt/splunkforwarder/etc", "/opt/splunkforwarder/var" ]

COPY ./ /sbin/

CMD ["/opt/splunkforwarder/bin/splunk", "start", "--accept-license", "--answer-yes", "--no-prompt", "--nodaemon"]

Now I am facing a couple of issues here:

When I am running /opt/splunkforwarder/bin/splunk start --accept-license, I am getting /opt/splunkforwarder/bin/splunk: not found.
I am using a custom output.conf file. It's in the config folder.

defaultGroup = abc
disabled = false

autoLB = true
compressed = false
useACK = true
sendCookedData = true

is the script which I am using to replace the environment variable from output.config and restart the splunk but again restart is not working.

Please help me to fix this.

0 Karma


Alpine the Linux distribution?

Also, are you trying to install Splunk UF version 6.3.1? I heartily recommend using a newer version. Is 6.3.1 even supported any more?

So, after your ... "thing" that you are doing you are getting a "/opt/splunkforwarder/bin/splunk" not found. So, have you looked at your filesystem and seen where it really is? Is it where it's supposed to be, or missing?

If it's not there, then obviously something in your automation is not working right - debug your automation, I don't think there's a Splunk problem.

If it IS there, then check permissions, ownership, executability - all those things that you'd check if you were sitting at the console trying to run it and it said "not found". This may or may not be a Splunk problem, but likely is a problem with your chosen Linux distribution (being, if I looked it up right, a "security oriented, lightweight distribution" immediately indicates to me that "your stuff may or may not work, because we may have locked it down too tight or we might have not included critical libraries your app needs").

I do agree nothing I see in the config seems to be obviously off assuming "tar xvz -C /opt" actually extracts to /opt (I always just cd /opt, then tar xzv in there.)

Also, it may or may not matter in this case, but the uid/gid of the directories created after extracting are 506, so you may need to chown them to root?

0 Karma
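
Added example, not part of the thread and not Splunk's code: a shell reports "not found" for a file that does exist when the file's interpreter is absent, either the `#!` target of a script or the ELF `PT_INTERP` loader of a dynamically linked binary (a musl-based image such as Alpine does not ship the glibc loader). The sketch runs the checks listed in the answer above in order; `interpreter_of`, `diagnose`, its `root` parameter and the sample ELF bytes are assumptions constructed for illustration.

```python
import os
import struct

PT_INTERP = 3  # ELF program-header type naming the dynamic loader

def interpreter_of(path):
    """Return the interpreter a file needs: '#!' target or ELF64 PT_INTERP."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:2] == b"#!":
        words = data[2:].split(b"\n", 1)[0].split()
        return words[0].decode() if words else None
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        return None  # only 64-bit little-endian ELF is parsed here
    # e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum start at 0x20
    e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from("<QQIHHH", data, 0x20)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None  # statically linked: no loader required

def diagnose(path, root="/"):
    """Classify why running `path` may fail; `root` is the image's rootfs."""
    if not os.path.exists(path):
        return "missing"
    if not os.stat(path).st_mode & 0o111:
        return "not-executable"
    interp = interpreter_of(path)
    if interp and not os.path.exists(os.path.join(root, interp.lstrip("/"))):
        return "interpreter-missing:" + interp
    return "ok"

def constructed_elf(interp):
    """Constructed sample: ELF64 header plus a single PT_INTERP entry."""
    s = interp.encode() + b"\0"
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0, len(s), len(s), 1)
    return ehdr + phdr + s

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, "splunk")
        with open(binary, "wb") as f:
            f.write(constructed_elf("/lib64/ld-linux-x86-64.so.2"))
        os.chmod(binary, 0o755)
        print(diagnose(binary, root=d))  # empty rootfs: loader is absent
```

Point `root` at an exported image filesystem to check a binary or an entrypoint script against what the image actually contains.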