Deploy and run Splunk Enterprise inside a Docker container

Run Splunk Enterprise inside a Docker container to quickly deploy an instance and gain hands-on experience with Splunk software. The official Dockerfiles for building Splunk Enterprise and Universal Forwarder images are in the Splunk-Docker repository on GitHub.

Container orchestration for Splunk Enterprise

For container orchestration, the Splunk Operator for Kubernetes on GitHub enables you to quickly and easily deploy Splunk Enterprise on your choice of private or public cloud provider. The operator simplifies scaling and management of Splunk Enterprise by automating workflows while implementing Kubernetes best practices.

See the splunk-operator documentation on GitHub for more information.

Containerized Splunk software prerequisites

The list of requirements for Docker and Splunk software is available in the Support Guidelines on the Splunk-Docker GitHub. The requirements include OS architecture, Docker version, and supported Splunk architectures.

Deploy Splunk Enterprise Docker containers

Deploy Splunk Enterprise inside a Docker container by downloading and launching the required Splunk Enterprise image in Docker. The image is an executable package that includes everything you need to run Splunk Enterprise. For universal forwarder instructions, see the Universal Forwarder manual.

  1. From a shell prompt, run the following command to download the Splunk Enterprise image to your local Docker image library.
    docker pull splunk/splunk:latest
  2. Run the downloaded Docker image.
    docker run -d -p 8000:8000 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_GENERAL_TERMS=--accept-sgt-current-at-splunk-com" -e "SPLUNK_PASSWORD=<password>" --name splunk splunk/splunk:latest
    • -p <host_port>:<container_port>: Maps a container port to a host port. The example above maps Splunk Web port 8000 to the host port 8000. If the host port is occupied, use the -p parameter to map to an available port on the host, for example: -p 9000:8000. Verify active port mappings using docker port <container_id>.
    • SPLUNK_GENERAL_TERMS=--accept-sgt-current-at-splunk-com: Required for Splunk Enterprise version 10.x and higher. Indicates that you have read and accepted the current Splunk General Terms. Ensure you review the Splunk General Terms before using the software.
    • SPLUNK_PASSWORD='<password>': Sets the login password for the admin user. Ensure your password meets the minimum requirements. For details, see Configure a Splunk password policy in Authentication.conf in the Securing the Splunk Platform manual.
  3. Verify the container status using the container ID:
    docker ps -a -f id=<container_id>
    • To retrieve the container ID, status, or port mappings, run docker ps.
  4. Access Splunk Web in a web browser at http://localhost:8000.
  5. Log in to Splunk Enterprise inside the container using the admin user password you set during the initial docker run command.
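
Steps 1 through 5 as one script, an added example rather than Splunk's own code: it takes the admin password on stdin and hands it to Docker through a mode-0600 env file instead of -e on the command line, publishes Splunk Web on the loopback interface only, and waits for the container to report ready. The env-file path, the 127.0.0.1 bind and the polling values are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Splunk's code). Assumed: env-file path, loopback bind, timeouts.
set -eu
IMAGE="splunk/splunk:latest"
NAME="splunk"

# Read the admin password from stdin and write the container environment to a
# file created with mode 0600, so the password stays out of argv and shell history.
# It is still part of the container config and readable through docker inspect.
write_env_file() (
    umask 077
    IFS= read -r pw || [ -n "$pw" ]
    [ -n "$pw" ] || { echo "empty password" >&2; exit 1; }
    rm -f "$1"
    printf '%s\n' "SPLUNK_START_ARGS=--accept-license" \
        "SPLUNK_GENERAL_TERMS=--accept-sgt-current-at-splunk-com" \
        "SPLUNK_PASSWORD=$pw" > "$1"
)

# Poll the container until it is healthy (or running, if the image defines no
# health check). Arguments: name, number of tries, seconds between tries.
wait_ready() (
    tries=$2
    fmt='{{if .State.Health}}{{.State.Health.Status}}{{else}}{{.State.Status}}{{end}}'
    while [ "$tries" -gt 0 ]; do
        st=$(docker inspect --format "$fmt" "$1" 2>/dev/null) || st=unknown
        case $st in
            healthy|running) exit 0 ;;
            exited|dead|unhealthy) echo "container is $st" >&2; exit 1 ;;
        esac
        tries=$((tries - 1))
        sleep "$3"
    done
    echo "timed out waiting for $1" >&2
    exit 1
)

# Runs only when invoked with the argument "deploy".
if [ "${1:-}" = "deploy" ]; then
    envf="${HOME}/.splunk-docker.env"   # assumed location
    trap 'stty echo 2>/dev/null || true' EXIT
    printf 'Admin password: ' >&2
    stty -echo 2>/dev/null || true
    write_env_file "$envf"
    docker pull "$IMAGE"
    docker run -d -p 127.0.0.1:8000:8000 --env-file "$envf" --name "$NAME" "$IMAGE"
    rm -f "$envf"
    wait_ready "$NAME" 60 5 && docker port "$NAME"
fi
```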

Administer Splunk Enterprise Docker containers

You can use the following Docker commands to manage containers.

  • To see a list of example commands and environment variables for running Splunk Enterprise in a container, run:
    docker run -it splunk/splunk help
  • To see a list of your running containers, run:
    docker ps
  • To stop your Splunk Enterprise container, run:
    docker container stop <container_id>
  • To restart a stopped container, run:
    docker container start <container_id>
  • To access a running Splunk Enterprise container to perform administrative tasks, such as modifying configuration files, run:
    docker exec -it <container_id> bash

To learn more about Splunk Enterprise and Docker commands, see the documentation on GitHub for Splunk-Docker.

Next steps

Now that you have Splunk Enterprise installed: