Set up an Edge Processor in a Docker container

Perform the following steps to set up and run Edge Processor in a Docker container.
Before you begin, fulfill the following prerequisites:

  • Have access to a functioning tenant in the Splunk Cloud Platform environment.

  • Install Docker on the host machines where you will deploy the containers. As a best practice, update your Docker image to the latest stable image. See Update to the latest Docker image.

Architecture overview

Diagram of the custom-managed environment with Edge Processors hosted in Docker containers

Setup and install

Perform the following steps in order to set up and install an Edge Processor on a Docker container.

Create a shared service principal

Use the following command to provision a single, shared service principal intended for consumption by multiple Edge Processor instances. You typically use this command once during initial setup, which is persisted in the principal.yaml file and is used to interact with other Splunk Cloud Platform services.
CODE 
docker run --rm \ 
	-e REGION=<region> \ 
	-e TENANT=<tenant-id> \ 
	-e TOKEN=<token> \ 
	splunk/edge-processor:<image-tag> \ 
	eptools setup > principal.yaml
Note: Find the value for TOKEN in the install script. To locate it, navigate to the Edge Processors page, select or create a processor. Select Actions > Install/Uninstall from the drop-down menu in the top right corner. Then set the Instance type to Docker. Copy the token in the resulting script.

Running a containerized instance

After provisioning a shared service principal, perform the following tasks to set up a containerized Edge Processor instance.

  1. Compile a list of ingress ports your instance uses to receive ingested data. To do so, navigate to the Edge Processors page in your tenant's web UI, and select Shared Settings in the top right corner.

  2. Use Docker's -p flag to define your ports for all supported ingestion types. Map each port to the corresponding port on the host machine.

  3. Next, find the GROUP_ID value, which associates new instances with a specific Edge Processor. Select a processor listed on the Edge Processors page of your tenant's web UI, then copy its ID field, such as 431e1ead-fd5b-4af8-ac89-ccae2ae81eda. This value also appears at the end of the page's URL.

  4. Run the following command to mount the principal.yaml file to the /opt/splunk-edge/etc/principal.yaml path in the container, publishing the ports gathered previously, and running the image:
    CODE 
    docker run -d \
  -e TENANT=<tenant-id> \
  -e GROUP_ID=<edge-processor-id> \
  -e TOKEN=<access-token> \
  -e MACHINE_HOSTNAME=$(hostname) \
  -v $(pwd)/principal.yaml:/opt/splunk-edge/etc/principal.yaml \
  -p <port-1>:<port-1> ··· -p <port-n>:<port-n> \
  splunk/edge-processor:<image-tag>

Running multiple containerized instances

Because the generated service principal is designed to be shared by multiple Edge Processor instances, you can start more containers by rerunning the previous docker run command:

CODE 
docker run -d \
  -e TENANT=<tenant-id> \
  -e GROUP_ID=<edge-processor-id> \
  -e TOKEN=<access-token> \
  -e MACHINE_HOSTNAME=$(hostname) \
  -v $(pwd)/principal.yaml:/opt/splunk-edge/etc/principal.yaml \
  -p <port-1>:<port-1> ··· -p <port-n>:<port-n> \
  splunk/edge-processor:<image-tag>
Before you run multiple containerized instances, follow these best practices.

<start new section here - see drafts later on the page>

Modifying GROUP_ID between runs registers instances with different Edge Processors in your tenant under the same service principal.

As a best practice, restrict service principals to 1 service principal per processor to avoid unnecessary confusion and potential rate limiting. You can use a single service principal across different host machines if the same principal.yaml file is mounted in each container, but this is not a best practice.

Avoiding port conflicts on a single host

Using multiple instances on a single host affects port availability. When running multiple containers on the same host machine, port conflicts become a bottleneck since each published container port must bind to a unique port on the host.

To prevent conflicts, publish the container port without pinning it to a specific host port by using -p <container_port> instead of -p <host_port>:<container_port>. When you omit the host port, Docker selects an available, ephemeral port at run time and publishes the container port accordingly.

This approach can hinder discoverability. Because host ports are assigned dynamically, clients don't know where to route traffic ahead of time. As a result, you must query the running containers to compile a per-host inventory of published ports, then distribute traffic among them using a load balancer or client-side routing.

To list all running containers on the current host and their associated port mappings, run the following command:
JSON 
docker inspect $(docker ps -q) -f '
  {{- $id := slice .Id 0 12 -}}
  {{- range $cport, $bindings := .NetworkSettings.Ports -}}
    {{- if $bindings -}}
      {{- range $b := $bindings -}}
  {{ printf "%s: %s -> %s:%s\n" $id $cport $b.HostIp $b.HostPort }}
      {{- end -}}
    {{- end -}}
  {{- end -}}
'

Using statically assigned host ports

Instead of publishing ports dynamically, you can alternatively assign each container to a predefined host port within a reserved range. For example, if each container receives HEC events on port 8088, you can map instances to sequential ports on the host, such as 9001, 9002, 9003, and so on:
JSON 
docker run -p 9001:8088 {···}
docker run -p 9002:8088 {···}
docker run -p 9003:8088 {···}
By reserving a dedicated port range, you reduce runtime ambiguity and simplify traffic routing. Upstream data sources can then distribute traffic across the known port range using client-side load balancing and a lightweight, external load balancer. This approach improves predictability, so you don't need to query container metadata at runtime. However, it requires you to manually ensure ports are allocated consistently and are not reused unintentionally.

Using a single service principal per processor

Modifying GROUP_ID between runs registers instances with different Edge Processors in your tenant under the same service principal.

As a best practice, restrict service principals to 1 service principal per processor to avoid unnecessary confusion and potential rate limiting. You can use a single service principal across different host machines if the same principal.yaml file is mounted in each container, but this is not a best practice.

Uninstall a containerized Edge Processor instance

Uninstall and cleanup a containerized Edge Processor instance.

To uninstall a containerized Edge Processor instance, stop and (optionally) remove the container using the following command:
CODE 
docker stop <container-id> && docker rm <container-id>
After running the command, you should see the instance disappear from the UI within a few seconds. Once all instances associated with a specific service principal is uninstalled, the best practice (but not required) is to deprovision the service principal by running the following command:
CODE 
docker run --rm \
  -e TENANT=<tenant-id> \
  -e TOKEN=<access-token> \
  -v $(pwd)/principal.yaml:/opt/splunk-edge/etc/principal.yaml \
  splunk/edge-processor:<image-tag> \
  eptools cleanup
Note: The value for TOKEN is not the same as before. Instead, it is located in the Settings page of your tenant's Cloud Console UI. More specifically, navigate to https://console.scs.splunk.com/{tenant-id}/settings and copy the provided Access Token
Follow these steps to uninstall a containerized Edge Processor instance.
  1. Run the following command to stop and remove the container. Removing the container is optional.
    CODE 
    docker stop <container-id> && docker rm <container-id>
    After you run the command, the instance is removed from the UI after a few seconds.
  2. (Optional) As a best practice, deprovision the service principal after all instances associated with a specific service principal are uninstalled.
    1. Find the new value for TOKEN, which is different from the value used to set up the instance. Go to the Settings page of your tenant's Cloud Console UI at the following URL, https://console.scs.splunk.com/{tenant-id}/settings. Copy the provided Access Token.
    2. Then, run the following command:
    CODE 
    docker run --rm \
  -e TENANT=<tenant-id> \
  -e TOKEN=<access-token> \
  -v $(pwd)/principal.yaml:/opt/splunk-edge/etc/principal.yaml \
  splunk/edge-processor:<image-tag> \
  eptools cleanup

Update to the latest Docker image

As a best practice, use the latest stable container image of Docker when possible. Using the latest image ensures access to updated bug fixes and security patches in the base image's OS, installed dependencies, and Splunk software.
  1. To update your Docker image, either use the latest tag or pick a version from https://hub.docker.com/r/splunk/edge-processor/tags.
  2. Run the following command using the image tag:
    CODE 
    docker pull splunk/edge-processor:<image-tag>
    Note: Pulling a new image doesn't automatically update existing containers. Instead, you must stop, remove, and recreate the container using the pulled image.
After updating your Docker image, you can set up an Edge Processor in a container. See Set up an Edge Processor in a Docker container.

Additional considerations

  • Port changes made using the Edge Processor Shared settings page are not automatically propagated to Docker. When modifying these values, you must manually stop all running containers still bound to the previous ports, recreate them with the new port mappings, then update all affected ingestion flows to target these new ports.

  • Containerizing Edge Processor does not provide any additional control over the deployed binary. The container image version is independent of the Edge Processor binary version, which continues to follow the standard, non-container lifecycle managed by the Edge Processor team.

  • For deployments managed by systemd, use Docker's --restart=always policy when starting an Edge Processor container to ensure automatic recovery after failures or host restarts.