Installation

Unable to install Standalone Splunk when using docker-compose.yml

pineapplebun-kw
Engager

docker-compose.yml :

 

 

version: '3.9'

services:
    splunk:
        image: splunk/splunk:latest
        environment:
            - SPLUNK_START_ARGS='--accept-license'
            - SPLUNK_PASSWORD='password'
        ports:
            - 8000:8000

 

 

 

running docker-compose up, i am unable to pass the ansible task:

 

 

TASK [splunk_standalone : Setup global HEC] 

fatal: [localhost]: FAILED! => {
 "cache_control": "private",
 "changed": false,
 "connection": "Close",
 "content_length": "130",
 "content_type": "text/xml; charset=UTF-8",
 "date": "Sun, 20 Jun 2021 02:30:20 GMT",
 "elapsed": 0,
 "redirected": false,
 "server": "Splunkd",
 "status": 401,
 "url": "https://127.0.0.1:8089/services/data/inputs/http/http",
 "vary": "Cookie, Authorization",
 "www_authenticate": "Basic realm=\"/splunk\"",
 "x_content_type_options": "nosniff",
 "x_frame_options": "SAMEORIGIN"
}

MSG:
Status code was 401 and not [200]: HTTP Error 401: Unauthorized

 

 

 

 

However running without docker-compose i.e.

docker run -it -e "ANSIBLE_EXTRA_FLAGS=-vv" -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_PASSWORD=password splunk/splunk:latest

would have no issue

 

Would anyone be able to provide any clues as to what might be the issue?

Labels (2)

codebuilder
SplunkTrust
SplunkTrust

Docker uses the /var filesystem to store and cache images, data, etc. Since /var is typically owned by root any container running needs read/write access to /var (or at least /var/lib/docker e.g.), which the Splunk user generally does not. The quickest fix is to grant sudo to your Splunk user.

Generally you will also need to create a Docker volume so that Splunk can have storage to create a virtual /opt/splunk directory within the container.

Some good documentation on that here:
https://splunk.github.io/docker-splunk/STORAGE_OPTIONS.html

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

tomy8s
Loves-to-Learn Lots

Do you have a Splunk server listening on the URL in the error message?

https://127.0.0.1:8089/services/data/inputs/http/http

 I found this when the targetUri for the UF was not being correctly configured.

Tags (1)
0 Karma

tomy8s
Loves-to-Learn Lots

I'm getting exactly the same message using splunk/universalforwarder:8.2.1

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...