Installation

Install Splunk v7.0.3 on RHEL 9

Karinaoist
Observer

I have this Dockerfile where my base image is Red Hat 9:

 

ENV SPLUNK_PRODUCT splunk
ENV SPLUNK_VERSION 7.0.3
ENV SPLUNK_BUILD fa31da744b51
ENV SPLUNK_FILENAME splunk-${SPLUNK_VERSION}-${SPLUNK_BUILD}-Linux-x86_64.tgz

ENV SPLUNK_HOME /opt/splunk
ENV SPLUNK_GROUP splunk
ENV SPLUNK_USER splunk
ENV SPLUNK_BACKUP_DEFAULT_ETC /var/opt/splunk
ENV OPTIMISTIC_ABOUT_FILE_LOCKING=1


RUN groupadd -r ${SPLUNK_GROUP} \
&& useradd -r -m -g ${SPLUNK_GROUP} ${SPLUNK_USER}


RUN dnf -y update \
&& dnf -y install --setopt=install_weak_deps=False glibc-langpack-en glibc-all-langpacks \
&& localedef -i en_US -f UTF-8 en_US.UTF-8 || echo "Locale generation failed" \
&& dnf clean all
ENV LANG en_US.UTF-8

# pdfgen dependency
RUN dnf -y install krb5-libs \
&& dnf clean all

# Download official Splunk release, verify checksum and unzip in /opt/splunk
# Also backup etc folder, so it will be later copied to the linked volume
RUN dnf -y install wget sudo
RUN mkdir -p ${SPLUNK_HOME} \
&& wget -qO /tmp/${SPLUNK_FILENAME} https://download.splunk.com/products/${SPLUNK_PRODUCT}/releases/${SPLUNK_VERSION}/linux/${SPLUNK_FIL...} \
&& wget -qO /tmp/${SPLUNK_FILENAME}.md5 https://download.splunk.com/products/${SPLUNK_PRODUCT}/releases/${SPLUNK_VERSION}/linux/${SPLUNK_FIL... \
&& (cd /tmp && md5sum -c ${SPLUNK_FILENAME}.md5) \
&& tar xzf /tmp/${SPLUNK_FILENAME} --strip 1 -C ${SPLUNK_HOME} \
&& rm /tmp/${SPLUNK_FILENAME} \
&& rm /tmp/${SPLUNK_FILENAME}.md5 \
&& dnf -y remove wget \
&& dnf clean all \
&& mkdir -p /var/opt/splunk \
&& cp -R ${SPLUNK_HOME}/etc ${SPLUNK_BACKUP_DEFAULT_ETC} \
&& rm -fR ${SPLUNK_HOME}/etc \
&& chown -R ${SPLUNK_USER}:${SPLUNK_GROUP} ${SPLUNK_HOME} \
&& chown -R ${SPLUNK_USER}:${SPLUNK_GROUP} ${SPLUNK_BACKUP_DEFAULT_ETC}

COPY etc/ /opt/splunk/etc/
COPY license.xml /splunk-license.xml
COPY entrypoint.sh /sbin/entrypoint.sh
RUN chmod +x /sbin/entrypoint.sh

EXPOSE 9998/tcp
EXPOSE 9999/tcp

WORKDIR /opt/splunk

ENV SPLUNK_CMD edit user admin -password admin -auth admin:changeme --accept-license --no-prompt
ENV SPLUNK_CMD_1 add licenses /splunk-license.xml -auth admin:admin
ENV SPLUNK_START_ARGS --accept-license --answer-yes

VOLUME [ "/opt/splunk/etc", "/opt/splunk/var" ]

ENTRYPOINT ["/sbin/entrypoint.sh"]
CMD ["start-service"]

I also mount volumes in /data/splunk.

And I use this command to run the container from the host:

docker run \
--name splunk \
--hostname splunk \
-d \
-p 80:8000 \
-p 8088:8088 \
-p 8089:8089 \
-p 9998:9998 \
-p 9999:9999 \
-v $splunkVarRoot:/opt/splunk/var \
-v $splunkEtcRoot:/opt/splunk/etc \
-e "SPLUNK_START_ARGS=--accept-license --answer-yes" \
$IMPL_DOCKER_REPO/$splunkVersion

docker run \
--name splunk \
--hostname splunk \
-d \
-p 80:8000 \
-p 8088:8088 \
-p 8089:8089 \
-p 9998:9998 \
-p 9999:9999 \
-v /data/splunk/var:/opt/splunk/var \
-v /data/splunk/etc:/opt/splunk/etc \
-e "SPLUNK_START_ARGS=--accept-license --answer-yes" \
my_image


The UI is working and seems OK, but I don't see any data and I get this: 'kv store process terminated abnormally exit code 1'.
What should I do?

0 Karma

PickleRick
SplunkTrust

1. Why would you use version 7.0.3???

2. Why use the container anyway?

3. You're exposing port 8000 as 80. Are you planning on running unprotected HTTP?

4. Did you look into the logs?

5. We have no idea what is in your entrypoint.sh

6. Why not just install the rpm (even if inside the container)?

0 Karma
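
One way to act on point 4 of the reply above from the Docker host, as an added example that is not part of the thread or of Splunk's tooling. It assumes Splunk's usual log location under `var/log/splunk` (`splunkd.log` and `mongod.log`), mongod's one-letter severity field, and the `/data/splunk/var` bind mount from the question; the function name `kvstore_triage` is hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Run on the Docker host against the
# directory bind-mounted to /opt/splunk/var (/data/splunk/var in the question).
# Usage: kvstore_triage /data/splunk/var

# kvstore_triage VAR_ROOT [TAIL_LINES]
# Prints findings; returns 0 = nothing found, 1 = findings, 2 = no log directory.
kvstore_triage() {
    local root="${1:?usage: kvstore_triage VAR_ROOT [TAIL_LINES]}" n="${2:-500}"
    local logdir="$root/log/splunk" kvdir="$root/lib/splunk/kvstore"
    local found=0 hits uid

    [ -d "$logdir" ] || { echo "no log directory: $logdir" >&2; return 2; }

    # splunkd.log: WARN/ERROR/FATAL lines that mention the KV store or mongod.
    if [ -r "$logdir/splunkd.log" ]; then
        hits=$(tail -n "$n" "$logdir/splunkd.log" \
            | grep -E ' (WARN|ERROR|FATAL) ' | grep -Ei 'kvstor|mongod') || true
        [ -n "$hits" ] && { printf 'splunkd.log:\n%s\n' "$hits"; found=1; }
    fi

    # mongod.log: assumes the layout "<timestamp> <severity> <component> ...",
    # where severity is one letter (E = error, F = fatal).
    if [ -r "$logdir/mongod.log" ]; then
        hits=$(tail -n "$n" "$logdir/mongod.log" | awk '$2 == "E" || $2 == "F"') || true
        [ -n "$hits" ] && { printf 'mongod.log:\n%s\n' "$hits"; found=1; }
    fi

    # Heuristic: files under kvstore/ owned by a different uid than VAR_ROOT.
    # A bind mount keeps host ownership; the image's chown does not apply to it.
    if [ -d "$kvdir" ]; then
        uid=$(ls -nd "$root" | awk '{print $3}')
        hits=$(find "$kvdir" ! -user "$uid" -print) || true
        [ -n "$hits" ] && { printf 'owner differs from uid %s:\n%s\n' "$uid" "$hits"; found=1; }
    fi

    return "$found"
}
```

A return code of 1 means the printed lines are the place to start; the ownership check is only a hint, since the thread does not show which user `entrypoint.sh` runs Splunk as.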