Installation

Install splunk v7.0.3 on rhel9

Karinaoist
Observer

I have this Dockerfile, where my base image is Red Hat 9:

ENV SPLUNK_PRODUCT splunk
ENV SPLUNK_VERSION 7.0.3
ENV SPLUNK_BUILD fa31da744b51
ENV SPLUNK_FILENAME splunk-${SPLUNK_VERSION}-${SPLUNK_BUILD}-Linux-x86_64.tgz

ENV SPLUNK_HOME /opt/splunk
ENV SPLUNK_GROUP splunk
ENV SPLUNK_USER splunk
ENV SPLUNK_BACKUP_DEFAULT_ETC /var/opt/splunk
ENV OPTIMISTIC_ABOUT_FILE_LOCKING=1


RUN groupadd -r ${SPLUNK_GROUP} \
&& useradd -r -m -g ${SPLUNK_GROUP} ${SPLUNK_USER}


RUN dnf -y update \
&& dnf -y install --setopt=install_weak_deps=False glibc-langpack-en glibc-all-langpacks \
&& localedef -i en_US -f UTF-8 en_US.UTF-8 || echo "Locale generation failed" \
&& dnf clean all
ENV LANG en_US.UTF-8

# pdfgen dependency
RUN dnf -y install krb5-libs \
&& dnf clean all

# Download official Splunk release, verify checksum and unzip in /opt/splunk
# Also backup etc folder, so it will be later copied to the linked volume
RUN dnf -y install wget sudo
RUN mkdir -p ${SPLUNK_HOME} \
&& wget -qO /tmp/${SPLUNK_FILENAME} https://download.splunk.com/products/${SPLUNK_PRODUCT}/releases/${SPLUNK_VERSION}/linux/${SPLUNK_FIL...} \
&& wget -qO /tmp/${SPLUNK_FILENAME}.md5 https://download.splunk.com/products/${SPLUNK_PRODUCT}/releases/${SPLUNK_VERSION}/linux/${SPLUNK_FIL... \
&& (cd /tmp && md5sum -c ${SPLUNK_FILENAME}.md5) \
&& tar xzf /tmp/${SPLUNK_FILENAME} --strip 1 -C ${SPLUNK_HOME} \
&& rm /tmp/${SPLUNK_FILENAME} \
&& rm /tmp/${SPLUNK_FILENAME}.md5 \
&& dnf -y remove wget \
&& dnf clean all \
&& mkdir -p /var/opt/splunk \
&& cp -R ${SPLUNK_HOME}/etc ${SPLUNK_BACKUP_DEFAULT_ETC} \
&& rm -fR ${SPLUNK_HOME}/etc \
&& chown -R ${SPLUNK_USER}:${SPLUNK_GROUP} ${SPLUNK_HOME} \
&& chown -R ${SPLUNK_USER}:${SPLUNK_GROUP} ${SPLUNK_BACKUP_DEFAULT_ETC}

COPY etc/ /opt/splunk/etc/
COPY license.xml /splunk-license.xml
COPY entrypoint.sh /sbin/entrypoint.sh
RUN chmod +x /sbin/entrypoint.sh

EXPOSE 9998/tcp
EXPOSE 9999/tcp

WORKDIR /opt/splunk

ENV SPLUNK_CMD edit user admin -password admin -auth admin:changeme --accept-license --no-prompt
ENV SPLUNK_CMD_1 add licenses /splunk-license.xml -auth admin:admin
ENV SPLUNK_START_ARGS --accept-license --answer-yes

VOLUME [ "/opt/splunk/etc", "/opt/splunk/var" ]

ENTRYPOINT ["/sbin/entrypoint.sh"]
CMD ["start-service"]

I also mount volumes in /data/splunk, and use this command to run the container from the host:

docker run \
--name splunk \
--hostname splunk \
-d \
-p 80:8000 \
-p 8088:8088 \
-p 8089:8089 \
-p 9998:9998 \
-p 9999:9999 \
-v $splunkVarRoot:/opt/splunk/var \
-v $splunkEtcRoot:/opt/splunk/etc \
-e "SPLUNK_START_ARGS=--accept-license --answer-yes" \
$IMPL_DOCKER_REPO/$splunkVersion

docker run \
--name splunk \
--hostname splunk \
-d \
-p 80:8000 \
-p 8088:8088 \
-p 8089:8089 \
-p 9998:9998 \
-p 9999:9999 \
-v /data/splunk/var:/opt/splunk/var \
-v /data/splunk/etc:/opt/splunk/etc \
-e "SPLUNK_START_ARGS=--accept-license --answer-yes" \
my_image


The UI is working and seems OK, but I don't see any data and I get this: 'kv store process terminated abnormally exit code 1'.
What should I do?

0 Karma

PickleRick
SplunkTrust

1. Why would you use version 7.0.3???

2. Why use the container anyway?

3. You're exposing port 8000 as 80. Are you planning on running unprotected HTTP?

4. Did you look into the logs?

5. We have no idea what is in your entrypoint.sh

6. Why not just install the rpm (even if inside the container)?

0 Karma
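Points 3 and 4 above, as an added shell example that is not part of the thread: it reads the logs Splunk leaves on the var/ volume the poster mounts at /data/splunk/var, and flags a port mapping that puts Splunk Web (plain HTTP on 8000 by default) on host port 80. It assumes the standard $SPLUNK_HOME/var/log/splunk layout; the log lines and run command in the fixture are constructed samples, not real output.

```sh
#!/bin/sh
# Added example, not code from the thread.
# $1 is the host path mounted at /opt/splunk/var (e.g. /data/splunk/var).

# Print the splunkd.log lines that report the KV store dying, plus every
# error/fatal line mongod.log wrote (the KV store is a mongod process), each
# prefixed with the file it came from, so the real cause is visible at once.
kvstore_log_errors() {
    logdir="$1/log/splunk"
    [ -r "$logdir/splunkd.log" ] && \
        grep -iE 'kv ?store.*(terminated|exit code|fail)' "$logdir/splunkd.log" \
        | sed 's/^/splunkd.log: /'
    # mongod 3.x log lines: "<timestamp> <severity> <component> ..."; E/F are error/fatal.
    [ -r "$logdir/mongod.log" ] && \
        grep -E '^[^ ]+ [EF] ' "$logdir/mongod.log" | sed 's/^/mongod.log: /'
    return 0
}

# Print every -p host:container mapping in a saved docker run command whose
# host side is port 80, i.e. Splunk Web offered unencrypted on the HTTP port.
insecure_port_mappings() {
    grep -oE -- '-p +[0-9]+:[0-9]+' "$1" | awk '{print $2}' | awk -F: '$1 == 80'
    return 0
}

# Constructed fixture mirroring the thread's setup: a fake var/ tree with
# sample log lines (not real Splunk output) and the poster's run command.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/log/splunk"
    cat > "$d/log/splunk/splunkd.log" <<'EOF'
01-01-2024 10:00:00.000 +0000 INFO  loader - Splunkd starting (constructed sample line).
01-01-2024 10:00:05.000 +0000 ERROR KVStoreConfigurationProvider - KV store process terminated abnormally (exit code 1)
EOF
    cat > "$d/log/splunk/mongod.log" <<'EOF'
2024-01-01T10:00:04.000+0000 I CONTROL  [initandlisten] MongoDB starting (constructed sample line)
2024-01-01T10:00:04.900+0000 F -        [initandlisten] Fatal Assertion (constructed sample line)
EOF
    cat > "$d/run.sh" <<'EOF'
docker run --name splunk -d -p 80:8000 -p 8089:8089 -v /data/splunk/var:/opt/splunk/var my_image
EOF
    printf '%s\n' "$d"
}
```

Against a live container the same two functions run unchanged with `/data/splunk/var` and the script that holds the docker run command as arguments.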