Splunk Enterprise

Splunk on Docker error

mpederson
Engager

I am moving my instance from Splunk Enterprise on VMware to a Docker container. It runs okay with the volumes I created, but when I copy my /opt/splunk/etc contents from the old server to migrate it to the Docker container, I get this error. Splunk support is saying something is wrong with my docker-compose, but I am able to build other containers with it no problem. I did find that status code 401 in the documentation for the HEC. I think it is a permission issue but have gone through the whole /opt/splunk/etc/auth file and it looks good. Any ideas?

TASK [splunk_standalone : Setup global HEC] ************************************
s01 | fatal: [localhost]: FAILED! => {
s01 | "cache_control": "private",
s01 | "changed": false,
s01 | "connection": "Close",
s01 | "content_length": "130",
s01 | "content_type": "text/xml; charset=UTF-8",
s01 | "date": "Wed, 03 Mar 2021 20:36:34 GMT",
s01 | "elapsed": 0,
s01 | "redirected": false,
s01 | "server": "Splunkd",
s01 | "status": 401,
s01 | "url": "https://127.0.0.1:8089/services/data/inputs/http/http",
s01 | "vary": "Cookie, Authorization",
s01 | "www_authenticate": "Basic realm=\"/splunk\"",
s01 | "x_content_type_options": "nosniff",
s01 | "x_frame_options": "SAMEORIGIN"
s01 | }
s01 |
s01 | MSG:
s01 |
s01 | Status code was 401 and not [200]: HTTP Error 401: Unauthorized
