Splunk Enterprise

I am using Docker Swarm to deploy a Splunk cluster, and I have a question about it

LiuPeng_daoclou
New Member

This is my docker-compose file for deploying the Splunk cluster. The `server` service is both the deployment server and the cluster master; the `indexer*` services form the indexer cluster.

# Compose file format 3.4. The post says this stack is deployed on Docker Swarm,
# which is what the `deploy:` sections under each service are for.
version: '3.4'
services:
    # `server`: per the post, this one container is both the deployment server
    # (SPLUNK_ENABLE_DEPLOY_SERVER) and the indexer-cluster master (SPLUNK_CMD_1).
    # Other services reach it by the hostname / network alias `splunkserver`.
    server:
        image: splunk/splunk:7.0.0
        hostname: splunkserver
        environment:
            - SPLUNK_START_ARGS=--accept-license --answer-yes
            - SPLUNK_ENABLE_DEPLOY_SERVER=true
            - SPLUNK_ENABLE_LISTEN=9997
            # NOTE(review): the cluster secret is the literal string `admin` and the
            # CLI login is `admin:changeme` (this looks like the stock default
            # password -- confirm). Both sit in plain text in this file and in the
            # container environment, where `docker inspect` exposes them. Change
            # the admin password, use a long random cluster secret, and supply both
            # out of band (e.g. Docker secrets, if the image can read them).
            - SPLUNK_CMD_1=edit cluster-config -mode master -replication_factor 2 -search_factor 2 -secret admin -cluster_label swarm -auth admin:changeme
            # The Splunk server name is set to `splunk-server`, which differs from
            # the container hostname / alias `splunkserver` used for addressing.
            - SPLUNK_CMD_2=set servername splunk-server -auth admin:changeme
            - SPLUNK_CMD_3=restart
        # 8000 and 8088 are published to the host; 8089 and 9997 are not, so they
        # are reachable only over the `splunk` network. 8088 is the port the
        # question's HTTP data input is expected on.
        # NOTE(review): with this short syntax Swarm publishes the ports through
        # its routing mesh, i.e. on every node of the swarm. Together with the
        # unchanged admin login above, restrict who can reach these ports.
        ports:
            - 8000:8000/tcp
            - 8088:8088/tcp
        networks:
            splunk:
                aliases:
                    - splunkserver
        # Bind mounts from the node's filesystem: Splunk's var and etc trees are
        # kept on the host, and the host's Asia/Shanghai zone file is mounted
        # read-only as the container's /etc/localtime.
        volumes:
            - /opt/splunk/var:/opt/splunk/var:rw
            - /opt/splunk/etc:/opt/splunk/etc:rw
            - /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime:ro
        deploy:
            mode: replicated
            replicas: 1
            # Rolling updates touch one task at a time, 10s apart.
            update_config:
                parallelism: 1
                delay: 10s
            # Pinned to one node, which is also where the bind-mounted
            # /opt/splunk directories above must exist.
            placement:
                constraints:
                    - node.hostname == Docker-Swarm-Splunk
        # Container stdout/stderr is kept as JSON files, rotated at 100m with at
        # most 3 files retained.
        logging:
            driver: json-file
            options:
                max-file: '3'
                max-size: 100m
    # `indexer01`: indexer-cluster peer. It registers as a deployment client of
    # splunkserver:8089, joins the cluster as a slave of the same address, and
    # listens for forwarder traffic on 9997.
    indexer01:
        image: splunk/splunk:7.0.0
        hostname: indexer01
        environment:
            - SPLUNK_START_ARGS=--accept-license --answer-yes
            - SPLUNK_ENABLE_LISTEN=9997
            - SPLUNK_DEPLOYMENT_SERVER=splunkserver:8089
            # NOTE(review): every command below authenticates with the inline
            # `admin:changeme` login, which is visible in this file and in the
            # container environment. Change the password and keep it out of the
            # compose file.
            - SPLUNK_CMD_1=disable webserver -auth admin:changeme
            # `-secret admin` has to match the secret set on the master; it is a
            # guessable value and should be replaced with a random one on both
            # sides.
            - SPLUNK_CMD_2=edit cluster-config -mode slave -master_uri https://splunkserver:8089 -replication_port 9887 -secret admin -auth admin:changeme
            - SPLUNK_CMD_3=set servername indexer01 -auth admin:changeme
            - SPLUNK_CMD_4=edit licenser-localslave -master_uri 'https://splunkserver:8089' -auth admin:changeme
            - SPLUNK_CMD_5=restart
        networks:
            splunk:
                aliases:
                    - indexer01
        # NOTE(review): `depends_on` takes service names, and this file defines no
        # service called `splunkserver` (the service is `server`; `splunkserver`
        # is its hostname and alias). `docker stack deploy` ignores `depends_on`,
        # so on Swarm this has no effect either way; docker-compose would reject
        # it.
        depends_on:
            - splunkserver
        # Same host paths as the `server` service, but this service is pinned to
        # a different node, so the directories are that node's own copies.
        volumes:
            - /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime:ro
            - /opt/splunk/var:/opt/splunk/var:rw
            - /opt/splunk/etc:/opt/splunk/etc:rw
        deploy:
            mode: replicated
            # NOTE(review): with 0 replicas no task is scheduled, so as posted
            # this indexer is not running -- confirm that is intended.
            replicas: 0
            update_config:
                parallelism: 1
                delay: 10s
            placement:
                constraints:
                    - node.hostname == Docker-Swarm-Indexer01
        # JSON-file container logs, rotated at 100m, at most 3 files kept.
        logging:
            driver: json-file
            options:
                max-file: '3'
                max-size: 100m
    # `indexer02`: second indexer-cluster peer, configured like `indexer01`
    # apart from its name, its node constraint and SPLUNK_CMD_4 (see below).
    indexer02:
        image: splunk/splunk:7.0.0
        hostname: indexer02
        environment:
            - SPLUNK_START_ARGS=--accept-license --answer-yes
            - SPLUNK_ENABLE_LISTEN=9997
            - SPLUNK_DEPLOYMENT_SERVER=splunkserver:8089
            # NOTE(review): inline `admin:changeme` login and the guessable
            # cluster secret `admin` are stored in plain text here and in the
            # container environment. Change both and supply them out of band.
            - SPLUNK_CMD_1=disable webserver -auth admin:changeme
            - SPLUNK_CMD_2=edit cluster-config -mode slave -master_uri https://splunkserver:8089 -replication_port 9887 -secret admin -auth admin:changeme
            - SPLUNK_CMD_3=set servername indexer02 -auth admin:changeme
            # NOTE(review): unlike the same command on `indexer01`, this one has
            # no `-auth` argument. Run non-interactively it may wait for a login
            # prompt or fail -- confirm against the container's startup log.
            - SPLUNK_CMD_4=edit licenser-localslave -master_uri 'https://splunkserver:8089'
            - SPLUNK_CMD_5=restart
        networks:
            splunk:
                aliases:
                    - indexer02
        # NOTE(review): no service named `splunkserver` exists in this file (the
        # service is `server`). `docker stack deploy` ignores `depends_on`, so on
        # Swarm this entry has no effect; docker-compose would reject it.
        depends_on:
            - splunkserver
        # Bind mounts resolve on the node this service is pinned to.
        volumes:
            - /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime:ro
            - /opt/splunk/var:/opt/splunk/var:rw
            - /opt/splunk/etc:/opt/splunk/etc:rw
        deploy:
            mode: replicated
            # NOTE(review): 0 replicas means no task is scheduled, so as posted
            # this indexer is not running -- confirm that is intended.
            replicas: 0
            update_config:
                parallelism: 1
                delay: 10s
            placement:
                constraints:
                    - node.hostname == Docker-Swarm-Indexer02
        # JSON-file container logs, rotated at 100m, at most 3 files kept.
        logging:
            driver: json-file
            options:
                max-file: '3'
                max-size: 100m
# `splunk` is declared external: this file does not create it, so the network
# must already exist before the stack is deployed. Since the services are pinned
# to different nodes it is presumably a Swarm overlay network -- confirm.
networks:
    splunk:
        external: true

And my universal forwarder docker-compose file is:

# Separate stack file for the universal forwarder, same compose format (3.4).
version: '3.4'
services:
    # `uf`: universal forwarder. It is a deployment client of splunkserver:8089
    # and forwards to indexer01:9997 and indexer02:9997 over the `splunk` network.
    # NOTE(review): this service has no `ports:` section, so nothing it listens on
    # is published; an input on 8088 here would be reachable only from the
    # `splunk` network. Also verify that the universal forwarder supports the
    # HTTP data input at all in this version -- the full `splunk/splunk` image in
    # the cluster file is the one that publishes 8088.
    uf:
        image: splunk/universalforwarder:7.0.0
        networks:
            splunk:
                aliases:
                    - universalforwarder
        volumes:
            # No mode suffix on these two, so they are mounted read-write.
            - /opt/universalforwarder/etc:/opt/splunk/etc
            - /opt/universalforwarder/var:/opt/splunk/var
            # NOTE(review): `:ro` only makes the socket file's mount read-only; it
            # does not limit the Docker API calls a process can send through the
            # socket. A container that can open it effectively controls the
            # node's Docker daemon. Drop this mount if it is not needed, or put a
            # restricted API proxy in front of the socket.
            - /var/run/docker.sock:/var/run/docker.sock:ro
        environment:
            - SPLUNK_START_ARGS=--accept-license --answer-yes
            - SPLUNK_DEPLOYMENT_SERVER=splunkserver:8089
            - SPLUNK_FORWARD_SERVER_1=indexer01:9997
            - SPLUNK_FORWARD_SERVER_2=indexer02:9997
        deploy:
            mode: replicated
            replicas: 1
            # Rolling updates touch one task at a time, 10s apart.
            update_config:
                parallelism: 1
                delay: 10s
            # Restart the task whenever it exits, whatever the exit status.
            restart_policy:
                condition: any
            # Capped at a tenth of a CPU and 100M of memory; half of that CPU
            # share and 20M are reserved for scheduling.
            resources:
                limits:
                    cpus: '0.1'
                    memory: 100M
                reservations:
                    cpus: '0.05'
                    memory: 20M
            placement:
                constraints:
                    - node.hostname == Docker-Swarm-M01
        # JSON-file container logs, rotated at 100m, at most 3 files kept.
        logging:
            driver: json-file
            options:
                max-file: '3'
                max-size: 100m
# Joins the pre-existing `splunk` network (external: not created by this file),
# the same network name the cluster stack uses, so the forwarder can resolve
# `splunkserver`, `indexer01` and `indexer02` by alias.
networks:
    splunk:
        external: true

When I add an HTTP data input on my deployment server, the universal forwarder downloads the app but does not listen on port 8088. What can I do about it?


LiuPeng_daoclou
New Member

alt text

alt text
