In this section, we will talk about setting up the Splunk Free edition on Docker.

Note: This guide is intended to use in a local lab environment for testing purposes.

The free Splunk version also has a limit on how much data it can index. You may want to get a license from Splunk if you plan to index more data.

If you are looking to configure it in production, reach out to your local partner to deploy a production ready deployment as per your requirements.

Lab Requirements:

• 1x Ubuntu 16.04.x with Docker installed.

Below are the details of the VMs used in this tutorial:

-SSH into your instance (VM2) and run the following:

sudo apt update && sudo apt upgrade -y

-Now, install docker on this VM/instance (if not already installed)

curl -fsSL https://get.docker.com -o get-docker.sh

sudo sh get-docker.sh

sudo usermod -aG docker $USER

- Logout of your SSH session and re-login after running the above.

-Use the following to create a docker “bridge” network and run the following:

sudo docker network create --driver bridge --attachable splunk

sudo docker network ls

-Now, we will create the splunk server and the universal forwarder in docker. To do so, run the following docker commands:

sudo docker run --network splunk --name so1 --hostname so1 -p 8000:8000 -e "SPLUNK_PASSWORD=123splunklabA" -e "SPLUNK_START_ARGS=--accept-license" -it splunk/splunk:latest

-Once it is complete, you should see a message such as below:

-Press CTRL+P and CTRL+Q to escape out of the docker interactive mode so that we can create another container on the same host. (Alternatively, open another SSH session to the CDC VM/instance and continue the following.)

-To verify that the splunk container is up, you can run “docker ps -a” to validate.

-Now, we can run the following to create a Splunk Universal forwarder on the same instance.

sudo docker run --network splunk --name uf1 --hostname uf1 -p 9997:9997 -e "SPLUNK_PASSWORD=123splunklabA" -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_STANDALONE_URL=so1" -it splunk/universalforwarder:latest

Notes:

-Replicate the text in blue as per your requirement.

-Here, the password to login to the splunk UI is set as 123splunklabA. You can change it accordingly. Splunk has a password complexity requirement.

-Once the container has been created you should see the following message “Ansible playbook complete.”

-Press CTRL+P and CTRL+Q to escape out of the docker interactive mode. (Alternatively, open another SSH session to the CDC VM/instance and continue the following.)

-To verify that the universal forwarder is up, you can run “docker ps -a” to validate.

-Here, we can see that both the universal forwarder and the Splunk server container are up and running.

Now, you can access the UI for Splunk using the http://ip-of-box-running-splunk-server:8000

Username: admin

Password: 123splunklabA                                                            <- This is from the value of the variable passed when using the “docker run” command

-This Splunk setup can be used to integrate with our SaaS solutions.

As an example, you can have DNS Data from the CSP portal be send to your Cloud Data Connector and then forward it to another destination such as Splunk. We would recommend you to talk to local Infoblox Sales representative/Accounts team to know more.

We have full use case which documents the configuration and how to integerate CDC with Splunk. You can find it here.

Sources/References:

https://docs.infoblox.com/display/BloxOneDDI/Bare-Metal+Docker+Deployment

https://github.com/splunk/docker-splunk

https://docs.splunk.com/Documentation/Splunk/latest/Installation/SystemRequirements