Splunk Enterprise

Why is Docker Universal Forwarder Docker Image stuck trying to update itself?


Hello Splunk Community,

I followed different guides and docs for trying to install the Docker universal forwarder but none of them worked. When I try to execute the splunk binary the splunk in the container appears trying to update itself and stucks:

I ran the image with this docker-compose.yml:



version: '3.5'

    name: splunk-test

  # Splunk Universal Forwarder:
    container_name: uf1
    image: splunk/universalforwarder:latest
    restart: always
      - "9997:9997"
      - ./splunkforwarder-etc:/opt/splunkforwarder-etc
      - ./SPLUNK_HOME_DIR:/opt/splunkforwarder
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=lwetem21
      - SPLUNK_STANDALONE_URL=https://<MY Splunk Enterprise DNS Name>:8000
      - splunk



It stops with this output:



[splunk@8de54aed8c1f splunkforwarder]$ pwd
[splunk@8de54aed8c1f bin]$ ./splunk add forward-server idx1.mycompany.com:9997
Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforwarder"
Error calling execve(): No such file or directory
Error launching  command: No such file or directory
execvp: No such file or directory
Do you agree with this license? [y/n]: y

This appears to be an upgrade of Splunk.

Splunk has detected an older version of Splunk installed on this machine. To
finish upgrading to the new version, Splunk's installer will automatically
update and alter your current configuration files. Deprecated configuration
files will be renamed with a .deprecated extension.

You can choose to preview the changes that will be made to your configuration
files before proceeding with the migration and upgrade:

If you want to migrate and upgrade without previewing the changes that will be
made to your existing configuration files, choose 'y'.
If you want to see what changes will be made before you proceed with the
upgrade, choose 'n'.

Perform migration and upgrade without previewing configuration changes? [y/n] y

-- Migration information is being logged to '/opt/splunkforwarder/var/log/splunk/migration.log.2023-02-22.10-57-49' --

Migrating to:

Error calling execve(): No such file or directory
Error launching  command: Invalid argument



The mentioned log btw is an empty file.
I pulled the latest image from:
What am I doing wrong or there better guides to follow than the links that I have already provided.
With kind regards, CJ
Labels (1)
Tags (1)
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...