Installation

Unable to install Standalone Splunk when using docker-compose.yml

pineapplebun-kw
Engager

docker-compose.yml :

 

 

version: '3.9'

services:
    splunk:
        image: splunk/splunk:latest
        environment:
            - SPLUNK_START_ARGS='--accept-license'
            - SPLUNK_PASSWORD='password'
        ports:
            - 8000:8000

 

 

 

running docker-compose up, i am unable to pass the ansible task:

 

 

TASK [splunk_standalone : Setup global HEC] 

fatal: [localhost]: FAILED! => {
 "cache_control": "private",
 "changed": false,
 "connection": "Close",
 "content_length": "130",
 "content_type": "text/xml; charset=UTF-8",
 "date": "Sun, 20 Jun 2021 02:30:20 GMT",
 "elapsed": 0,
 "redirected": false,
 "server": "Splunkd",
 "status": 401,
 "url": "https://127.0.0.1:8089/services/data/inputs/http/http",
 "vary": "Cookie, Authorization",
 "www_authenticate": "Basic realm=\"/splunk\"",
 "x_content_type_options": "nosniff",
 "x_frame_options": "SAMEORIGIN"
}

MSG:
Status code was 401 and not [200]: HTTP Error 401: Unauthorized

 

 

 

 

However running without docker-compose i.e.

docker run -it -e "ANSIBLE_EXTRA_FLAGS=-vv" -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_PASSWORD=password splunk/splunk:latest

would have no issue

 

Would anyone be able to provide any clues as to what might be the issue?

Labels (2)

kj2011
New Member

Reviving a dead post here, as I'm encountering the same issue as the OP. Splunk will work with the docker command, but when I attempt with compose it get the same error.

docker-compose.yml

kj2011_0-1720661900267.png

Error:

kj2011_1-1720661937858.png

 

0 Karma

codebuilder
Influencer

Docker uses the /var filesystem to store and cache images, data, etc. Since /var is typically owned by root any container running needs read/write access to /var (or at least /var/lib/docker e.g.), which the Splunk user generally does not. The quickest fix is to grant sudo to your Splunk user.

Generally you will also need to create a Docker volume so that Splunk can have storage to create a virtual /opt/splunk directory within the container.

Some good documentation on that here:
https://splunk.github.io/docker-splunk/STORAGE_OPTIONS.html

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

tomy8s
Loves-to-Learn Lots

Do you have a Splunk server listening on the URL in the error message?

https://127.0.0.1:8089/services/data/inputs/http/http

 I found this when the targetUri for the UF was not being correctly configured.

Tags (1)
0 Karma

tomy8s
Loves-to-Learn Lots

I'm getting exactly the same message using splunk/universalforwarder:8.2.1

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...