Splunk Enterprise

I am using Docker Swarm to deploy a Splunk cluster, and I have a question about it

LiuPeng_daoclou
New Member

This is my docker-compose file for deploying the Splunk cluster. The `server` service is both the deployment server and the cluster master, and the `indexer*` services form the indexer cluster.

# Compose file format 3.4. The `deploy:` sections below are Swarm settings
# and take effect when the file is deployed with `docker stack deploy`.
version: '3.4'
services:
    # Cluster master and deployment server in one container, pinned to a single
    # Swarm node by the placement constraint at the bottom of this service.
    server:
        # NOTE(review): 7.0.0 is an old pinned release; confirm it still
        # receives security fixes before exposing it.
        image: splunk/splunk:7.0.0
        hostname: splunkserver
        environment:
            - SPLUNK_START_ARGS=--accept-license --answer-yes
            - SPLUNK_ENABLE_DEPLOY_SERVER=true
            - SPLUNK_ENABLE_LISTEN=9997
            # NOTE(review): `-auth admin:changeme` is the stock admin login and
            # `-secret admin` is a guessable cluster key. Both sit in plain
            # text in the service environment, so anyone who can inspect the
            # service or container can read them. Change the admin password
            # and use a long random secret known only to the cluster members.
            - SPLUNK_CMD_1=edit cluster-config -mode master -replication_factor 2 -search_factor 2 -secret admin -cluster_label swarm -auth admin:changeme
            - SPLUNK_CMD_2=set servername splunk-server -auth admin:changeme
            - SPLUNK_CMD_3=restart
        # 8000 is the Splunk Web port and 8088 the HTTP Event Collector port.
        # Ports published by a Swarm service go through the routing mesh by
        # default, so they answer on every node, not only the constrained one;
        # limit access with a firewall while default credentials are in use.
        ports:
            - 8000:8000/tcp
            - 8088:8088/tcp
        networks:
            splunk:
                aliases:
                    - splunkserver
        # Bind mounts from the host. /opt/splunk/etc holds Splunk configuration
        # (presumably including credential files - confirm), so keep the host
        # directory permissions tight.
        volumes:
            - /opt/splunk/var:/opt/splunk/var:rw
            - /opt/splunk/etc:/opt/splunk/etc:rw
            - /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime:ro
        deploy:
            mode: replicated
            replicas: 1
            update_config:
                parallelism: 1
                delay: 10s
            placement:
                constraints:
                    - node.hostname == Docker-Swarm-Splunk
        # Rotate container logs: at most 3 files of 100m each.
        logging:
            driver: json-file
            options:
                max-file: '3'
                max-size: 100m
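    # First indexer-cluster peer. Joins the master at splunkserver:8089 and is
    # pinned to its own Swarm node by the placement constraint below.
    indexer01:
        image: splunk/splunk:7.0.0
        hostname: indexer01
        environment:
            - SPLUNK_START_ARGS=--accept-license --answer-yes
            - SPLUNK_ENABLE_LISTEN=9997
            - SPLUNK_DEPLOYMENT_SERVER=splunkserver:8089
            # Splunk Web is switched off on the peer, which removes one
            # login surface.
            # NOTE(review): every command below still authenticates with the
            # stock admin:changeme login, and `-secret admin` is a guessable
            # cluster key; both are readable in plain text by anyone who can
            # inspect the service. Change them on all cluster members together.
            - SPLUNK_CMD_1=disable webserver -auth admin:changeme
            - SPLUNK_CMD_2=edit cluster-config -mode slave -master_uri https://splunkserver:8089 -replication_port 9887 -secret admin -auth admin:changeme
            - SPLUNK_CMD_3=set servername indexer01 -auth admin:changeme
            - SPLUNK_CMD_4=edit licenser-localslave -master_uri 'https://splunkserver:8089' -auth admin:changeme
            - SPLUNK_CMD_5=restart
        networks:
            splunk:
                aliases:
                    - indexer01
        # depends_on takes service names. The master is defined as `server`;
        # `splunkserver` is only its hostname and network alias. Note that
        # `docker stack deploy` ignores depends_on, so start order is not
        # guaranteed in Swarm either way.
        depends_on:
            - server
        volumes:
            - /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime:ro
            - /opt/splunk/var:/opt/splunk/var:rw
            - /opt/splunk/etc:/opt/splunk/etc:rw
        deploy:
            mode: replicated
            # No task is scheduled while this is 0; presumably the service is
            # scaled up once the master is running - confirm.
            replicas: 0
            update_config:
                parallelism: 1
                delay: 10s
            placement:
                constraints:
                    - node.hostname == Docker-Swarm-Indexer01
        # Rotate container logs: at most 3 files of 100m each.
        logging:
            driver: json-file
            options:
                max-file: '3'
                max-size: 100m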
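    # Second indexer-cluster peer. Same layout as indexer01, pinned to a
    # different Swarm node.
    indexer02:
        image: splunk/splunk:7.0.0
        hostname: indexer02
        environment:
            - SPLUNK_START_ARGS=--accept-license --answer-yes
            - SPLUNK_ENABLE_LISTEN=9997
            - SPLUNK_DEPLOYMENT_SERVER=splunkserver:8089
            # NOTE(review): every command below authenticates with the stock
            # admin:changeme login, and `-secret admin` is a guessable cluster
            # key; both are readable in plain text by anyone who can inspect
            # the service. Change them on all cluster members together.
            - SPLUNK_CMD_1=disable webserver -auth admin:changeme
            - SPLUNK_CMD_2=edit cluster-config -mode slave -master_uri https://splunkserver:8089 -replication_port 9887 -secret admin -auth admin:changeme
            - SPLUNK_CMD_3=set servername indexer02 -auth admin:changeme
            # `-auth` added so this command matches the same step on indexer01;
            # without it the CLI has no credentials for the edit (it would
            # presumably prompt or fail in a non-interactive container).
            - SPLUNK_CMD_4=edit licenser-localslave -master_uri 'https://splunkserver:8089' -auth admin:changeme
            - SPLUNK_CMD_5=restart
        networks:
            splunk:
                aliases:
                    - indexer02
        # depends_on takes service names. The master is defined as `server`;
        # `splunkserver` is only its hostname and network alias. Note that
        # `docker stack deploy` ignores depends_on, so start order is not
        # guaranteed in Swarm either way.
        depends_on:
            - server
        volumes:
            - /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime:ro
            - /opt/splunk/var:/opt/splunk/var:rw
            - /opt/splunk/etc:/opt/splunk/etc:rw
        deploy:
            mode: replicated
            # No task is scheduled while this is 0; presumably the service is
            # scaled up once the master is running - confirm.
            replicas: 0
            update_config:
                parallelism: 1
                delay: 10s
            placement:
                constraints:
                    - node.hostname == Docker-Swarm-Indexer02
        # Rotate container logs: at most 3 files of 100m each.
        logging:
            driver: json-file
            options:
                max-file: '3'
                max-size: 100m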
# The `splunk` network is not created by this file; it has to exist before
# the stack is deployed.
# NOTE(review): with services on different Swarm nodes this is presumably an
# overlay network - confirm. Overlay traffic between nodes is not encrypted
# unless the network was created with `--opt encrypted`, and it carries the
# cluster's management, replication and forwarding traffic.
networks:
    splunk:
        external: true

And my universal forwarder docker-compose file is:

# Separate stack file for the universal forwarder. It attaches to the same
# external `splunk` network declared at the bottom of this file.
version: '3.4'
services:
    # Universal forwarder: takes its apps from the deployment server and sends
    # data to both indexers on 9997.
    # This service has no `ports:` section, so nothing the container listens
    # on (8088 included) is published outside the `splunk` network.
    uf:
        image: splunk/universalforwarder:7.0.0
        networks:
            splunk:
                aliases:
                    - universalforwarder
        volumes:
            - /opt/universalforwarder/etc:/opt/splunk/etc
            - /opt/universalforwarder/var:/opt/splunk/var
            # NOTE(review): `:ro` only makes the socket file's mount read-only.
            # A process that can connect to the socket still has the full
            # Docker API, which is equivalent to root on this host. Keep the
            # mount only if the forwarder really needs it, and treat this
            # container as host-privileged.
            - /var/run/docker.sock:/var/run/docker.sock:ro
        environment:
            - SPLUNK_START_ARGS=--accept-license --answer-yes
            - SPLUNK_DEPLOYMENT_SERVER=splunkserver:8089
            - SPLUNK_FORWARD_SERVER_1=indexer01:9997
            - SPLUNK_FORWARD_SERVER_2=indexer02:9997
        deploy:
            mode: replicated
            replicas: 1
            update_config:
                parallelism: 1
                delay: 10s
            restart_policy:
                condition: any
            # CPU and memory caps keep the forwarder from starving the node.
            resources:
                limits:
                    cpus: '0.1'
                    memory: 100M
                reservations:
                    cpus: '0.05'
                    memory: 20M
            placement:
                constraints:
                    - node.hostname == Docker-Swarm-M01
        # Rotate container logs: at most 3 files of 100m each.
        logging:
            driver: json-file
            options:
                max-file: '3'
                max-size: 100m
# Same pre-existing `splunk` network as the cluster stack; it is not created
# by this file and has to exist before deployment.
networks:
    splunk:
        external: true

When I add an HTTP data input on my deployment server, the universal forwarder downloads the app but does not listen on port 8088. What can I do about it?


LiuPeng_daoclou
New Member

alt text

alt text
