Hi folks.
I'm attempting to run Splunk in a docker container. Or rather, I have that working - it was pretty easy with docker-compose based on https://splunk.github.io/docker-splunk/EXAMPLES.html#create-standalone-from-compose
However, I want to create an index automatically, when the container first starts up. This I'm finding difficult.
I've tried a variety of methods, but they all failed in one way or another:
yum and dnf are missing from the container, and microdnf appears to be broken. This makes it difficult to customize the container's configuration.
The container so configured appears to be based on RHEL, and we don't have any RHEL entitlements. This too makes it difficult to customize the container's behavior.
I tried setting up a volume and adding a script that would start splunk and shortly thereafter add the index, but I found that Splunk was missing lots of config files this way. This may or may not be due to my relative inexperience with docker.
I invoked the script with the following in docker-compose.yml:
entrypoint: /bin/bash
command: /spunk-files/start
I needed to copy these files, which I didn't have to copy before the entrypoint+command change:
$SPLUNK_HOME/etc/splunk-launch.conf
$SPLUNK_HOME/etc/splunk.version
I also needed to create some logging directories, otherwise Splunk would fail to start.
One of my favorite troubleshooting techniques, using a system call tracer like "strace", wasn't working because I couldn't install it - see above under microdnf.
Does anyone know of a good way to auto-create a Splunk index at container creation time, without an RHEL entitlement?
Thanks!
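One route that needs no packages inside the container and no entitlement is to stop scripting against the running container altogether and instead hand Splunk the index definition as a plain app: Splunk reads every app under $SPLUNK_HOME/etc/apps at startup, and an indexes.conf in that app creates the index. The script below, an added example that is not part of the original post nor of the docker-splunk project, generates such an app on the host, writes a docker-compose.yml that bind-mounts it into the stock splunk/splunk image used by the linked standalone example, and checks the result over the management port. The index name myindex, the app name myindex_app, and the mount target /opt/splunk/etc/apps/ are assumptions; the index-name rule (lowercase letters, digits, underscore, hyphen, not starting with underscore or hyphen) follows Splunk's documented restriction and also keeps a caller-supplied name from smuggling a "]" or newline into the stanza header. The admin password is read from SPLUNK_PASSWORD in the calling shell rather than written into the compose file.

```shell
#!/usr/bin/env bash
# Added example: declare a Splunk index by shipping an app with indexes.conf
# into the container, instead of patching the container after it starts.
set -eu

# Splunk index names: only [a-z0-9_-], and they may not begin with "_" or "-".
valid_index_name() {
  case "$1" in
    ''|_*|-*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[a-z0-9_-]+$'
}

# write_index_app <app_dir> <index_name>
# Creates a minimal app on the host; prints the path of the indexes.conf it wrote.
write_index_app() {
  local app_dir=$1 index=$2
  valid_index_name "$index" || { echo "invalid index name: $index" >&2; return 1; }
  mkdir -p "$app_dir/default"
  cat > "$app_dir/default/app.conf" <<'EOF'
[install]
state = enabled

[package]
check_for_updates = false
EOF
  # $SPLUNK_DB is expanded by Splunk at runtime, so it stays literal here.
  cat > "$app_dir/default/indexes.conf" <<EOF
[$index]
homePath   = \$SPLUNK_DB/$index/db
coldPath   = \$SPLUNK_DB/$index/colddb
thawedPath = \$SPLUNK_DB/$index/thaweddb
EOF
  # The image runs Splunk as an unprivileged user, so the bind mount must be
  # world-readable; nothing here needs to be writable by the container.
  chmod -R a+rX "$app_dir"
  printf '%s\n' "$app_dir/default/indexes.conf"
}

# write_compose <compose_file> <absolute_app_dir_on_host> <app_name>
# Same shape as the docker-splunk standalone compose example, plus the app mount.
# SPLUNK_PASSWORD is listed without a value so compose takes it from the shell.
write_compose() {
  local out=$1 app_dir=$2 app=$3
  cat > "$out" <<EOF
version: "3.6"
services:
  splunk:
    image: splunk/splunk:latest
    hostname: so1
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD
    ports:
      - "8000:8000"
      - "8089:8089"
    volumes:
      - $app_dir:/opt/splunk/etc/apps/$app
EOF
}

# verify_index <index_name>
# Asks the running container's REST API whether the index exists (exit 0 = yes).
# -k is needed because the image ships a self-signed management certificate.
verify_index() {
  local index=$1
  curl -fsSk -u "admin:${SPLUNK_PASSWORD:?set SPLUNK_PASSWORD first}" \
    "https://localhost:8089/services/data/indexes/$index" -o /dev/null
}

# Typical use from the host:
#   write_index_app "$PWD/splunk-app" myindex
#   write_compose docker-compose.yml "$PWD/splunk-app" myindex_app
#   docker-compose up -d && sleep 60 && verify_index myindex
```

Because the index lives in an app directory rather than in system/local, the container's own provisioning (which writes its generated config under etc/system) never touches it, and you can version the app directory alongside the compose file. If you later need more than indexes (inputs, props), they go in the same app.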