- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- Re: How to Autocreate an index in a docker contain...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi folks.
I'm attempting to run Splunk in a docker container. Or rather, I have that working - it was pretty easy with docker-compose based on https://splunk.github.io/docker-splunk/EXAMPLES.html#create-standalone-from-compose
However, I want to create an index automatically, when the container first starts up. This I'm finding difficult.
I've tried a variety of methods, but they all failed in one way or another:
- yum and dnf are missing from the container, and microdnf appears to be broken. This makes it difficult to customize the container's configuration.
- The container so configured appears to be based on RHEL, and we don't have any RHEL entitlements. This too makes it difficult to customize the container's behavior.
- I tried setting up a volume and adding a script that would start splunk and shortly thereafter add the index, but I found that Splunk was missing lots of config files this way. This may or may not be due to my relative inexperience with docker.
- I invoked the script with the following in docker-compose.yml:
- entrypoint: /bin/bash
- command: /spunk-files/start
- I needed to copy these files, which I didn't have to copy before the entrypoint+command change:
- $SPLUNK_HOME/etc/splunk-launch.conf
- $SPLUNK_HOME/etc/splunk.version
- I also needed to create some logging directories, otherwise Splunk would fail to start.
- I invoked the script with the following in docker-compose.yml:
- One of my favorite troubleshooting techniques, using a system call tracer like "strace", wasn't working because I couldn't install it - see above under microdnf.
Does anyone know of a good way to auto-create a Splunk index at container creation time, without an RHEL entitlement?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The docker container is started using splunk-ansible. You can configure some behavoirs of your container using environment variables, others using default.yml
https://github.com/splunk/splunk-ansible/blob/develop/docs/advanced/default.yml.spec.md
use parameter apps_location to install apps automatically at container startup.
you can download them or present them on persistent storage.
i would create an app with indexes.conf containing your index configuration and configure it there.
regards,
Andreas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The docker container is started using splunk-ansible. You can configure some behavoirs of your container using environment variables, others using default.yml
https://github.com/splunk/splunk-ansible/blob/develop/docs/advanced/default.yml.spec.md
use parameter apps_location to install apps automatically at container startup.
you can download them or present them on persistent storage.
i would create an app with indexes.conf containing your index configuration and configure it there.
regards,
Andreas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
btw. here is an example for docker-compose using direct filesystem mapping
version: '3'
services:
single:
image: splunk/splunk:8.1.5
ports:
- "8111:8000"
volumes:
- single-etc:/opt/splunk/etc
- single-var:/opt/splunk/var
- /my/path/to/indexapp/indexapp:/opt/splunk/etc/apps/indexapp
hostname: idx1
environment:
- SPLUNK_HOME=/opt/splunk/
# - DEFAULTS_URL=http://splunk-defaults/default.yml
- SPLUNK_START_ARGS="--accept-license"
- SPLUNK_PASSWORD=EnterYourCreditCardNumber
- SPLUNK_ROLE=splunk_standalone
- SPLUNK_DEBUG="true"
volumes:
single-etc:
single-var:
networks:
default:
external:
name: splunk
regards,
Andreas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I haven't tried something like this yet. But I think creating a persistent storage with the index config could help.
Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!
Splunk and Fraud
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
