Beginning Splunk With Docker
Beginning Splunk With Docker
Beginning Splunk With Docker
1
Beginning Splunk With Docker - Vincent Sesto
2
Beginning Splunk With Docker - Vincent Sesto
Contents
Contents 3
Preface 7
What this book covers 7
What you need for this book 8
Who this book is for 8
Conventions 8
Downloading the example code 9
Piracy 9
3
Beginning Splunk With Docker - Vincent Sesto
Appendix 1
Appendix 2
4
Beginning Splunk With Docker - Vincent Sesto
This book has been published in conjunction with Splunk User, Developer,
Administrator Magazine at https://medium.com/splunkuserdeveloperadministrator
5
Beginning Splunk With Docker - Vincent Sesto
6
Beginning Splunk With Docker - Vincent Sesto
Preface
In a perfect world our dev, test and production environments would be
exactly the same, on immutable infrastructure, allowing us to move our
development process like a production line seamlessly through these
environments and into production ready for our users. If issues or bugs with
our code come up, we pick them up as early as possible to make sure our
customer experience is limited to only our best code possible.
Unfortunately, this isn’t a perfect world and bugs creep into our work, our
development environment comes out of step with our production and test
environment, and sometimes we don’t always ship the best code possible.
Hopefully with this book we will start to look at a way to implement Docker
for our development, test and production environments to hopefully make
all of these as identical as possible.
This book hopes to bring you a unique approach to learning Docker as we
will do this in conjunction to implementing Docker with Splunk.
This book is not aiming to provide you with 10,000 hours or courses for you
to master the subjects outlined but instead provide 20 hours of necessary,
deliberate training with a purpose in mind to give you 80% of the
knowledge needed to be proficient at the subject at hand.
7
Beginning Splunk With Docker - Vincent Sesto
Chapter 1, Docker Fundamentals With Splunk, provides you with the basics
to get started using docker as well as using it with Splunk. We also take a
quick look at the Splunk interface with a quick Splunk 101 tutorial.
Chapter 2, Building Splunk Images and Using Dockerfiles, takes you a step
further in implementing Splunk through Docker by providing an indepth look
at implementing environments with Dockerfiles.
Chapter 3, Building Splunk Environments With Docker Compose, then
gives you your next steps in setting up your Splunk network by using
Docker Compose.
Conventions
In this book, you will find a number of text styles that distinguish between
different kinds of information. Here are some examples of these styles and
an explanation of their meaning.
1 <dashboard>
2 <label>SimpleXMLDashboard</label>
8
Beginning Splunk With Docker - Vincent Sesto
SplunkAndDocker
Above you can see that the command itself is in bold, but the output is not.
Piracy
Piracy of copyrighted material on the Internet is an ongoing problem across
all media. We take the protection of our copyright and licenses very
seriously. If you come across any illegal copies of our works in any form on
the Internet, please provide us with the location address or website name
immediately so that we can pursue a remedy.
We appreciate your help in protecting our authors and our ability to bring
you valuable Content.
9
Beginning Splunk With Docker - Vincent Sesto
10
Beginning Splunk With Docker - Vincent Sesto
1
Docker Fundamentals
With Splunk
I am sure that a lot of people would skim past this book thinking “what’s the
point?”, but for me Docker and Splunk can go hand in hand. It can allow
you to test and develop a Splunk App, installation environment or
configuration change, on your desktop, move it into a test environment and
then release to production. It simplifies the process of creating a consistent
environment and limits the chance of your environments changing through
the development process.
In this chapter we are going to get you comfortable with Docker. In this
process we will be using Spunk as our container to give you twice the bang
for your buck.
The aim of this book is to get you working as quickly as possible so, let’s
get started.
11
Beginning Splunk With Docker - Vincent Sesto
From the image above we can see that we use Docker commands from
our host to pull our images from the registry and build and run the
containers on our host, which could be our laptop or development server
or production environment.
Installing Docker
Docker supports a long list of OS’s. For a full list of supported platforms
and how to install. It’s best to go to the official Docker web page and find
your OS. You will also be provided with some in depth instructions on how
to install Docker on your environment at the following url:
https://docs.docker.com/engines/installation/#supported-platforms
12
Beginning Splunk With Docker - Vincent Sesto
● Once you have Docker installed and running on your PC, you can
start by checking the version of docker you are using. You will need
to open a command prompt on your PC or host and simply use the --
version option with the Docker command to do that:
docker --version
The rate of development for Docker over the past few years has been fast
to say the least. In this book we will do our best to ensure that all the
commands and examples will work with at least Docker version 17 or
more recent versions.
13
Beginning Splunk With Docker - Vincent Sesto
● From the output, it looks like things don’t kick off that well with the
“Unable to find image 'hello-world:latest' locally”. All this is
saying is that if we use the run command, if there are no versions of
the docker image on our host, it will be downloaded from the registry.
● Once the image is downloaded, we can then see “Hello from
Docker!”, this is the start of our output for the running container, it
then goes on to provide us with some useful information on Docker
and some examples to take our knowledge further.
● The service provided by the hello-world image has then completed
and we are then provided with our command prompt.
Docker Processes
From our simple hello-world example above we can see straight away that
the process is complete and the container is no longer running. We can
verify this by using the ps docker option in the command line.
14
Beginning Splunk With Docker - Vincent Sesto
● The ps option of the docker command will show all of the running
containers on the host:
docker ps
docker ps -a
● From the output we can from our ps command, we can use the
CONTAINER ID to view the logs from this container. Simply using the
logs option to see what services and process have run as part of the
container:
Our example will simply show the same output that was printed to
screen, but this command is useful for troubleshooting containers that
fail. If a container does not start or run what we hoped it would,
hopefully any errors should come up in our logs.
15
Beginning Splunk With Docker - Vincent Sesto
Docker Images
From our hello-world example, we saw “Unable to find image 'hello-
world:latest' locally” so it needed to be pulled from the registry. In this
instance we have used Docker Hub, which is an online registry that you
can use to pull many of the images available to run different services. We
will show you how to create your own images at a later time, but for now we
will be able to get a lot done by using pre compiled containers that run from
Docker Hub. To access this registry, go to the following domain:
https://hub.docker.com/
● Firstly we can see what images we have available on our current host
by running the images command option.
docker images
We have only pulled one image so far so, hello-world is the only one
visible. As we move along, you will see more images on your host.
● Of course, we can visit a registry like Docker Hub, but from the
command line we can see the type of images available by using the
search command option and specifying the type of image we are
looking for. For our example, let’s search for what we came here for,
and that’s Splunk Docker images.
NAME DESCRIPTION
STARS OFFICIAL AUTOMATED
splunk/splunk The platform for operational
intelligence 47
16
Beginning Splunk With Docker - Vincent Sesto
We can see that our command is using :latest which will download
the latest version onto our environment. Without specifying the
17
Beginning Splunk With Docker - Vincent Sesto
Each part of the image the is pulled down is a layer of the container
image. The bigger the image the more layers it will have, and once
we make a change, we will add new layers ourselves.
● If we run the images command option again, we will now see that we
have two images available to be used:
docker images
We can see from our output that we now have two images
downloaded onto our system, one for hello-world and one for
splunk/splunk.
Docker Containers
So we have our Docker container downloaded and ready to use on our
system, so let’s get started using it. Just like we did earlier, we will use the
run command option to start up our Splunk container, but to get the
container running we will need to add a few more option.
● We need to once again open our command line prompt and start with
the following command:
18
Beginning Splunk With Docker - Vincent Sesto
24d10be49a8dd142b5c64312ca487...c4d7f12ba19bf83b117e8c34
The output gives us an identification hash for our container. With the
run command, we have used the following options:
● The -d option allows us to run the container in detached mode.
This means that the container will run in the background of our
system.
● -e allows us to specify environment variables to start our
container with. In the command above, we are specifying the
SPLUNK_START_ARGS to accept the license terms and
conditions and the SPLUNK_USER variable runs the service in
the container as the root user.
● The -p option allows us to map our ports from the running
container, to the host. In our example we are mapping port
8000 to 8000.
● Finally, the splunk/splunk option is the image we are using for
our container, which we pulled from our registry earlier. If we
had not done this, our output would show the image being
downloaded before our container starts up.
docker ps
19
Beginning Splunk With Docker - Vincent Sesto
● I know you’re still not impressed, but if you open a web browser and
navigate to the following domain, you will see your new Splunk install
ready to be used: http://localhost:8000
If all worked as it should, you will be presented with the first time login
screen and once you have changed your password, you will be
presented with an image similar to the one shown above. A fresh
Splunk install ready to be used.
20
Beginning Splunk With Docker - Vincent Sesto
● There may be a time when we need to get all the relevant details of
our container and the inspect command option gives us a lot of those
details. When we know our container image ID, usually by running
the ps command option, Docker will provide a detailed list of
parameters that the container is being run with:
[
{
"Id":
"72769c19065a76270925ca45c7ca5f511fa58caefa47b72a87ecd88d63
c0d166",
"Created": "2017-05-28T21:34:59.900188891Z",
"Path": "/sbin/entrypoint.sh",
"Args": [
"start-service"
],
...
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:11:00:02"
}
}
}
}
]
21
Beginning Splunk With Docker - Vincent Sesto
Copying '/opt/splunk/etc/openldap/ldap.conf.default' to
'/opt/splunk/etc/openldap/ldap.conf'.
Generating RSA private key, 2048 bit long modulus
...............................+++
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
Once again we have reduced the output from the logs command, but
you will be able to see that it is generating an RSA key and going
through the first time start up processes.
● The history command option is also a good way to see the command
history you have used with a specific container image:
22
Beginning Splunk With Docker - Vincent Sesto
23
Beginning Splunk With Docker - Vincent Sesto
It’s pretty simple, but the command above will run the “touch
/tmp/test.txt” on the running container and create the file that we
want in the tmp directory. The second way that we could use exec is
by parsing in the -it options to bring you into an interactive shell. We
also need to specify the shell that we would like to use when
interacting with the container:
This then allows you to access the container as you normally would
access a server within the command line.
docker rm <container_id>
● If you realise the specific image you are using may need to be
updated or you wish to clear up some space on your environment,
24
Beginning Splunk With Docker - Vincent Sesto
using the rmi command option will let you remove any specific
images needed.
We can use this to start configuring our Splunk environment when you
bring up the container. We will do this a lot more efficiently in the next few
chapters but for now we will use the run command option and use a
mounted volume to help change our configuration.
1. First log into your environment at the command prompt and make
sure there are no Splunk containers currently running.
2. For our example we are going to stop Splunk from showing us the
“First Time Login” screen when we open our web browser to access
the web interface. To do this, we need to create an empty file called
25
Beginning Splunk With Docker - Vincent Sesto
“.ui_login”, we will create it in the tmp directory, but you can place it
anywhere you have access to it.
touch /tmp/.ui_login
This time, instead of being presented with the “First Time Login” screen,
we get a normal login prompt. We still need to enter the admin username
and changeme password to login, but as you can see, this is an easy way
that we can start to change the configuration of our application when we
start it up as a Docker container.
Remember that we have only mounted one file, if we mounted the entire
directory, all of the files in the directory would be added to your container,
which could cause problems if there are files in there that are not needed.
26
Beginning Splunk With Docker - Vincent Sesto
In the next example we will copy the data from our Splunk container
running, create a data container with it and then restart our Splunk
container using that data.
1. If you haven’t already, log into your environment and access the
command line.
2. If you don’t have a Splunk container running, start on up now with the
following command:
3. Once you have this running and you have logged in, we can take a
copy of the running configuration files located in the /opt/splunk/etc/
directory with the docker cp command.
docker cp <container_id>:/opt/splunk/etc/
/tmp/data-store/
4. We can now create a container to store that data for our splunk
environment. With the create Docker command option.
27
Beginning Splunk With Docker - Vincent Sesto
In our example we are calling our new container data-store and using
the busybox image to reduce the amount of space that the container
will take up.
5. We can now need to stop our Splunk container with the kill command
option and then start it up again, this time we will be using the --
volumes-from flag to use our data store container:
28
Beginning Splunk With Docker - Vincent Sesto
4. Once logged in click on the Settings menu and select Add Data.
5. Then click on the Monitor icon and select HTTP Event Collector.
6. You will then be presented with the screen below where you can
enter a name for your token that you will assign to your logging
instance. As you can see our token is called DockerToken and I have
left all other options blank. You can also select the defaults for the
following screen as well.
7. Once complete you will be assigned a token value, with the one that I
created was 85CD93B0-6C66-4AD1-ACC3-65180B5ADE1E
29
Beginning Splunk With Docker - Vincent Sesto
8. Now we can run a different type of service and have these logs
moved into our Splunk instance. For our example, we are going to set
up a basic nginx web server.
You will notice that we are running the new container and exposing
port 80, but there are other command line arguments that are specific
to Splunk.
● --log-driver=splunk is pretty self-explanatory, and tells our
new container that it will be using Splunk.
● All other options are prefixed with --log-opt, such as splunk-
token which provides the token that we have just created on
our Splunk server.
● splunk-url is the domain or IP address and port that we are
using to connect to our Splunk server.
● And finally we set splunk-insecureskipverify to true to skip
some extra security controls that are not needed at the
moment.
30
Beginning Splunk With Docker - Vincent Sesto
We can now move to our Splunk instance and verify that we are
receiving data and indexing it. Open the search interface and search
for the HTTP Event token with the following search query.
source=”http:DockerToken”
Summary
Hopefully we have been able to keep your attention and keep things
moving at a pretty fast pace. There is a lot that we have gone through to
31
Beginning Splunk With Docker - Vincent Sesto
get you started with the basics of Docker and Splunk and in our next
chapter we are going to move further with both and start to streamline our
automation with Dockerfiles. Below is a summary of all the commands used
in the chapter for you to refer to if you need them.
32
Beginning Splunk With Docker - Vincent Sesto
33
Beginning Splunk With Docker - Vincent Sesto
34
Beginning Splunk With Docker - Vincent Sesto
2
Building Splunk Images
And Using Dockerfiles
We’re going to move into automating our processes by starting to use
Dockerfiles with our Splunk Docker projects. Dockerfiles allow us to move
to specifying a lot of the information and configurations that we need to set
up our images in a state that we would like them to look before we run
them. This means that we can limit the amount of information we need to
present as command line options and have our services in a more reusable
state.
In the following chapter we are going to continue using Docker but get
straight into using Dockerfiles to help us with creating our images. We will
also look at setting up and running a Splunk App on our container and
moving our images to Docker Hub so we can allow other people to use
them.
Introducing Dockerfiles
In its simplest terms, a Dockerfile is a recipe of steps on how you would
define your Docker image. We take a plain text file called “Dockerfile” and
list all of the details and commands of our image, which we then use the
build Docker command option to build that into an image which we can
then run on our system.
1. Log onto your environment and make sure that we have no Splunk
containers running.
35
Beginning Splunk With Docker - Vincent Sesto
2. Create a directory that you can set up your Docker project and then
change into it. In our example, we will call it DockerSplunk.
touch .ui_login
4. Open your favorite text editor and create a new file in the
DockerSplunk directory called Dockerfile and add the following lines
of code.
1 FROM splunk/splunk:latest
2 MAINTAINER vince.sesto@gmail.com
3
4 # Set up environment variables
5 ENV SPLUNK_START_ARGS --accept-license
6 ENV SPLUNK_USER root
7
8 # Copy ui_login to stop the first time login
screen
9 COPY .ui_login /opt/splunk/etc/.ui_login
36
Beginning Splunk With Docker - Vincent Sesto
● We leave some white space for line three and then we have a
comment in line four using the hash character, similar to other
scripting languages.
● Line five and six then define our environment variables the
same way that we did in our command line in chapter one, but
in the Dockerfile we use the ENV instruction.
● After some more white space and another comment and then in
line nine we then use COPY to add in the empty .ui_login file
that we just created into the /opt/splunk/etc/ directory of our
new container image.
Make sure you don’t include the line numbers at the start of each line.
This is just to help us refer back to them at a later time.
5. We can then build our Docker image using the build Docker option.
Below we are also going to label the image with the -t flag and
specify the name “splunkhost”. We also use the period(.) to specify
that the Dockerfile in our current directory be used for the build.
37
Beginning Splunk With Docker - Vincent Sesto
6. We can now use our run Docker command to run the image that we
have just created, but unlike on previous instances we can now limit
the number of command line options needed to run the container:
This is also a perfect use case for extending our Dockerfile. In the next few
pages we are going to keep moving with our Docker image and create a
basic Splunk App that we will be able to develop and test using Docker as
the medium to speed things up and enhance our development experience.
38
Beginning Splunk With Docker - Vincent Sesto
We will get started now with the basic shell of our Splunk App, and
remember that all of the code can be downloaded from the GitHub repo at
the following location:
https://github.com/vincesesto/beginningsplunkwithdocker.git
1. Once again log onto your system and access the DockerSplunk
directory that we created previously.
tree
.
├── Dockerfile
└── mood_radiator
├── default
└── metadata
mkdir -p mood_radiator/default;
mkdir -p mood_radiator/metadata
We will give you some more details on what the “Mood Radiator”
Splunk App, but for now, continue to create the basic shell of our
app.
39
Beginning Splunk With Docker - Vincent Sesto
1 #
2 # Splunk app configuration file
3 #
4
5 [install]
6 is_configured = 0
7
8 [ui]
9 is_visible = 1
10 label = Mood Radiator
11
12 [launcher]
13 author = <enter_your_name>
14 description =
15 version = 1.0
The code above is simply adding in our labels for our app, naming it,
showing who the author and giving a version.
4. Next set up the metadata for our Splunk app by creating the
default.meta file in the mood_radiator/metadata/ directory.
1
2 # Application-level permissions
3 []
4 access = read : [ * ], write : [ admin, power ]
5
6 ### EVENT TYPES
7 [eventtypes]
8 export = system
9
10 ### PROPS
40
Beginning Splunk With Docker - Vincent Sesto
11 [props]
12 export = system
13
14 ### TRANSFORMS
15 [transforms]
16 export = system
17
18 ### LOOKUPS
19 [lookups]
20 export = system
21
22 ### VIEWSTATES
23 [viewstates]
24 access = read : [ * ], write : [ * ]
25 export = system
This is where we set up some of the permissions of the new app and
what users are able to do.
5. We have now set up the shell of our new Splunk App and we can
now add the details to our Dockerfile to make sure that our new
container build with it. Open the Dockerfile in your text editor and add
the next two lines to the bottom of the the file.
6. Just as we did earlier, we can run the build Docker command again
to build the container with the new features.
41
Beginning Splunk With Docker - Vincent Sesto
Our image builds and as you can see from the output above we now
see an extra step that we did not see before:
The image below shows what our hard work has given us. Not much
but in left menu we can now see our new Splunk App called “Mood
Radiator” listed in there.
42
Beginning Splunk With Docker - Vincent Sesto
We have done all of this in a limited amount of time and with less that fifty
lines of code.
The Mood Radiator Splunk App was set up as a way to gauge team and
developer sentiment towards their work or a specific project.
1. Once again start by logging onto your system and access the
DockerSplunk directory that we created previously.
2. Open the Dockerfile in your text editor and add the next two lines to
the bottom of the the file.
43
Beginning Splunk With Docker - Vincent Sesto
14 # In case we need it
15 RUN apt-get update && apt-get install -y vim
Once again, it’s not too complicated where we can see that we have
added in a command and then by using RUN, we perform and apt-get
update and if that is successful, we then perform an apt-get install -y
vim.
3. Just as we did earlier, we can run the build Docker command again to
build the container with the new features.
…
Step 7/7 : RUN apt-get update && apt-get install -y vim
---> Running in 6bf027880045
Get:1 http://security.debian.org jessie/updates InRelease
[63.1 kB]
Get:2 http://security.debian.org jessie/updates/main amd64
Packages [519 kB]
…
Running hooks in /etc/ca-certificates/update.d....done.
---> d280b9580a21
Removing intermediate container 6bf027880045
Successfully built d280b9580a21
Once again, we have reduced the output that is displayed to the screen as
there is a lot. With our new step added, we can see that the apt-get update
and then install is run by Docker to build our new image.
44
Beginning Splunk With Docker - Vincent Sesto
4. We can now set up our inputs.conf file which will set up the
sourcetype and location so Splunk will know where to index the data.
With your text editor save the following text.
1
[monitor:///opt/splunk/etc/apps/mood_radiator/showMood.
log]
2 disabled = false
3 sourcetype = moodLog
1 [moodLog]
2 DATETIME_CONFIG =
3 NO_BINARY_CHECK = true
4 category = Custom
5 pulldown_type = true
6. While we are here, we might as well add in the main dashboard that
uses the data that we are about to index. First we need to add the
45
Beginning Splunk With Docker - Vincent Sesto
navigation xml file to make sure that our new dashboard loads when
we enter the app. First you will need to make sure the nav director is
available.
mkdir -p mood_radiator/default/data/ui/nav/
7. We can now add in a new navigation xml. Open your text editor and
save the following text as default.xml in the
mood_radiator/default/data/ui/nav/ directory.
1 <nav>
2 <view name="flashtimeline"/>
3 <view name="MoodRadiator" default='true' />
4 <view name="information" />
5 </nav>
8. Now create a views directory for all our dashboards to now live.
mkdir -p mood_radiator/default/data/ui/views/
9. The actual dashboard code is over 100 lines in length so we will not
go through all of the text, but copy the dashboard from our GitHub
repository and add it to the mood_radiator/default/data/ui/views/
directory. It should look similar to the following condensed code.
1 <dashboard>
2 <label>MoodRadiator</label>
3 <row>
4 <panel>
5 <chart>
6 <title>Your Mood</title>
7 <search>
46
Beginning Splunk With Docker - Vincent Sesto
8 <query>sourcetype=moodLog |
…
111 </chart>
112 </panel>
113 </row>
114 </dashboard>
If all went to plan you should see the following dashboard presented
when we load the Mood Radiator Splunk App.
47
Beginning Splunk With Docker - Vincent Sesto
By utilizing a service like GitHub, it will mean that we can perform daily
builds with our code to make sure that everything is working as it should.
We make changes, commit and then we are able to build the code into an
environment that is closely matched to our production environment to
make that the changes taking place are not causing any issues with our
code.
Although you can create your own registry that is not available to others in
a dedicated environment or on AWS, we will not cover this aspect but
instead show you how to utilize Docker Hub for your images.
48
Beginning Splunk With Docker - Vincent Sesto
1. Start by opening a web browser and accessing the Docker Hub web
page at the following url: https://hub.docker.com
2. If you don’t have an account already, create one. Don’t worry, unless
you need to really use it for business purposes, the service is free
and you should still be able to do quite a bit with a free account.
3. Once you are logged in, you will see a big blue button with “Create
Repository” on it. We could simply store our image in our base
repository, but if we create a new repo it will be nicer to show other
users. Click on Create Repository and you will be presented with a
similar for as the one below.
4. As you can see from the image above, I have added the repository
name of “dockersplunkapps” and provided a brief description. I am
49
Beginning Splunk With Docker - Vincent Sesto
also going to leave the visibility as public, but that is your choice.
Then click on create.
docker images
As you can see above, we have two images, splunkhost is the image
that we have just created and the other is the original Splunk image
that we created it from.
export DOCKER_ID_USER=”dockerhub_login_name”
50
Beginning Splunk With Docker - Vincent Sesto
8. Then we use the login Docker command to login via the command
line.
docker login
Login with your Docker ID to push and pull images from
Docker Hub. If you don't have a Docker ID, head over to
https://hub.docker.com to create one.
Username (dockerhub_login_name):
Password:
Login Succeeded
9. We need to now tag our image that we wish to push to the repository.
This is so Docker Hub will know where to store it.
As you can see we have used the splunkhost image and named it the
same as the repository that we created.
10. We can also see the tag that we have made by using the
images command again.
docker images
REPOSITORY TAG
IMAGE ID CREATED SIZE
splunkhost latest
7241fea52165 22 minutes ago 744 MB
vincesesto/dockersplunkapps latest
7241fea52165 22 minutes ago 744 MB
splunk/splunk latest
cf104961b12b 6 hours ago
51
Beginning Splunk With Docker - Vincent Sesto
11. We can now push our image to Docker Hub with the following
command.
If all goes well, we should now see the new image pushed to our
repository. To verify that this has been successful, access the web
interface again for your repository and click on the Tags tab, which should
display that you have recently pushed a new image.
52
Beginning Splunk With Docker - Vincent Sesto
1. We will need to pull down the busybox image from Docker Hub and
this can be done as usual with the run Docker option.
docker ps
53
Beginning Splunk With Docker - Vincent Sesto
3. We can now access the running container with the exec Docker
command option and interact with the environment as we would a
normal server.
bin dev etc home proc root sys tmp usr var
As you can see the second ls command is now showing an extra file
named test.txt.
54
Beginning Splunk With Docker - Vincent Sesto
docker images
REPOSITORY TAG IMAGE ID
CREATED SIZE
busychanges latest ab6db1a204f3 4
seconds ago 1.11 MB
busybox latest c75bebcdd211 3
weeks ago 1.11 MB
8. We saw how we can move our image into a repository, but what you
can also do is copy it to a file and then restore from that file. We copy
our image to a file with the save Docker command option.
9. To test this out, we can now kill all our running containers and
remove all of the images.
In the above command we can kill all of the image id’s for the running
docker containers, with the ps -a -q, and then do the same with our
images with the images -q command.
10. Now that we have no more images left on our system, we can
use our busychanges.tar archive with the load Docker command
option to add it back into our system.
docker images
REPOSITORY TAG IMAGE ID
CREATED SIZE
55
Beginning Splunk With Docker - Vincent Sesto
You can now see that once loaded back into our system, the
busychanges image is now available again for us to create a
container with the changes that we made earlier.
This book tries to help you learn by using examples, so by now you
should be aware of the fact the basic format of the Dockerfile is:
# Comment
INSTRUCTION argument
The following pages are a few of some of the more common Dockerfile
instructions that you will need to know.
● You can define what you would like your escape character to be by
using the # escape= instruction at the start of your Dockerfile. In the
example below, we set our escape value to the slash character.
# escape=\
● Not to be added as part of our Dockerfile, but part of the directory that
we set up our Dockerfile in, the .dockerignore can add a list of files to
ignore when running the COPY or ADD instructions in the Dockerfile.
56
Beginning Splunk With Docker - Vincent Sesto
LABEL “label1”=”value1”
USER splunk
57
Beginning Splunk With Docker - Vincent Sesto
● You can change the directory that your RUN, CMD or ENTRYPOINT
instructions run from by using the WORKDIR instruction.
WORKDIR /opt/splunk/
Summary
This time we have been using Dockerfiles to create our Docker images and
we have introduced you to a lot of the functionality that Dockerfiles can
bring to your system and set up. We have looked at how we can use
Dockerfiles to create and configure Splunk apps and have extended our
app and also included some test data that we have indexed in our
container. We also have a look at the ways that we can package our
containers for other people to use, both with the commit Docker command
option and by using Docker Hub.
In our next chapter we are going to continue to work with our environment
but we are going to start to use Docker Compose to help automate our
process.
58
Beginning Splunk With Docker - Vincent Sesto
This book has been published in conjunction with Splunk User, Developer, Administrator
Magazine at https://medium.com/splunkuserdeveloperadministrator
59
Beginning Splunk With Docker - Vincent Sesto
60
Beginning Splunk With Docker - Vincent Sesto
3
Building Splunk Environments
With Docker Compose
We’ve covered a lot of ground and we’re doing our best to build on our knowledge that
each chapter has provided us. We have moved from single commands, to Dockerfiles to
build and run images and now we are going to use Docker Compose to streamline the
process even further and allow us to define multi container Docker applications. In the
next section we are going to define our Splunk environment and then start all of the
services running with one command.
The cool thing about Docker Compose is that all of the work we have done so far is not
wasted. We will use the Dockefiles that we have been working with to incorporate them
into our new environment. Let’s not waste any more time and get started.
docker-compose --version
docker-compose version 1.13.0, build 1719ceb
For a full list of supported platforms and how to install. It’s best to go to the
official Docker Compose web page and find your OS. You will also be
provided with some in depth instructions on how to install it on your
environment at the following url.
https://docs.docker.com/compose/install
61
Beginning Splunk With Docker - Vincent Sesto
As with the version of Docker, we will do our best to make sure that the
work we do is as current as possible with all commands and examples
working with Docker Compose version 1.13.0 or more recent versions.
docker-compose.yml
This is a YAML format file that is used to provide our instructions on how
we want to set up our environment. So let’s not get delayed with theory and
make a start.
1. Log back into your system that you were working and we will continue
to work from the DockerSplunk directory that we have already been
using in the previous chapters.
2. Using your favorite text editor we are going create our new compose
file in the DockerSplunk directory as we said earlier, called docker-
compose.yml.
3. There will not be too much to our first compose file, but enter in the
following six lines of code:
1 version: '3'
2 services:
3 splunkhost:
4 build: .
5 ports:
62
Beginning Splunk With Docker - Vincent Sesto
6 - "8000:8000"
docker-compose up -d
Here we use the up option to create and build our container and the -
d option to run it in detached mode.
You will notice that the output is slightly different to when we ran our other
commands but by the end of it you will have your Splunk server running as
we did from our Dockerfile in the last chapter. If we run the ps Docker
command, we should see our running server and we should also be able to
log in.
63
Beginning Splunk With Docker - Vincent Sesto
Now we have defined all of the build and run options in either our
Dockerfile and now in our docker-compose.yml file, so all we are now doing
is running the following.
docker-compose up -d
In our next piece of work, we should look at how we can use our docker-
compose.yml file to define our environment from scratch.
64
Beginning Splunk With Docker - Vincent Sesto
3. We are going to remove lines 3 to 6(4 lines in total), and then replace
them with the following code.
3 splunkserver:
4 hostname: splunkserver
5 image: splunk/splunk
6 environment:
7 SPLUNK_START_ARGS: --accept-license --
answer-yes
8 SPLUNK_ENABLE_LISTEN: 9997
9 SPLUNK_USER: root
10 ports:
11 - "8000:8000"
12 - "9997:9997"
13 - "8088:8088"
14
By now, I think you would be able to walk through all of this and know
exactly what it does, but just to be safe:
● We are naming our service and host splunkserver in lines three
and four.
● In line five we get to define the image that we will be using,
just as we would use the FROM instruction in a Dockerfile.
● Lines six to nine are then defining the environment variables
for our host, alternatively using ENV in a Dockerfile.
● Lastly lines ten to fourteen let us bind and map all of the ports
that we need to open up and have available for our service to
work.
docker-compose up -d
65
Beginning Splunk With Docker - Vincent Sesto
There will be one main difference that you need to remember when
the container starts up is that we have not set up a .ui_login file so
you will be presented with the “First Time Login” screen when you
open it in a browser.
2. Let’s also start up our Splunk server so we can set up our HTTP
Event Collector.
docker-compose up -d
3. If you can’t remember how to, go back to first chapter and set up
HTTP Event Collector as we specified in the “Indexing Container
Data” section.
4. Run the inspect Docker command option and view the network
details of the running Docker container. To limit the amount of output
we see, we can use the --format flag and specifiy the exact
information we need.
66
Beginning Splunk With Docker - Vincent Sesto
5. Once we have our Splunk Token and the IP address that the Splunk
server is running on, open the docker-compose.yml file with your text
editor and move to the bottom of the file and add in the following lines
of code.
15 nginx:
16 hostname: webserver
17 image: nginx
18 ports:
19 - "80:80"
20 logging:
21 driver: splunk
22 options:
23 splunk-url: https://172.18.0.2:8088
24 splunk-token: 85CD93B0-6C66-
4AD1-ACC3-65180B5ADE1E
25 splunk-insecureskipverify: 'true'
6. We can now run our compose command and in this instance, we are
just going to specify the new Nginx service we have added.
docker-compose up -d nginx
source=”http:DockerToken”
By now I am hoping that you can see the power of what you can do with
Docker Compose. Especially if you are familiar with Splunk environments,
the first thought that has probably popped into your head is that you should
be able to configure a fully clustered environment from Docker Compose.
67
Beginning Splunk With Docker - Vincent Sesto
Well the good news is that you can, but it may be a little more advanced for
this tutorial, but hopefully we will get you on your way in the next few pages
to help you achieve something like that.
If you haven't heard of the YAML file format before, it’s a human-readable
data serialization language, which is commonly used for configuration
files, but could be used anywhere data is being stored. The main thing
you need to know is that each item is differentiated by the whitespace or
indentation between them. We have done our best to make sure that all
the examples show the correct format for the values, but this can get
mixed up in the publication process.
If you are in doubt at all, please make sure you download the examples
from Github as these will have the correct and working format.
2. Use your text editor and once again we are going to edit our docker-
compose.xml file.
3. Let’s remove our Nginx host for now, so remove all of the commands
after line 14.
68
Beginning Splunk With Docker - Vincent Sesto
4. We will first add some more instructions to our Splunk server. Add the
text below to give the container a label and to set up a network that it
can use.
15 labels:
16 splunk.env: "splunkserver"
17 networks:
18 splunk:
19 aliases:
20 - splunkserver
21
22 splunkforwarder:
23 image: splunk/universalforwarder
24 hostname: splunkforwarder
25 environment:
26 SPLUNK_START_ARGS: --accept-license --
answer-yes
27 SPLUNK_FORWARD_SERVER: splunkserver:9997
28 SPLUNK_USER: root
This is the first half of our forwarder set up, and is very similar to our
server details. Here we name the service, provide a hostname, image
and environment variables. As you can see in line 27, we specify
where our data will be forwarded to using the hostname value that we
specified for the server, with no need for the actual IP address.
6. Now place in the second part of the forwarder code to specify the
labels and the network details for the host.
69
Beginning Splunk With Docker - Vincent Sesto
29 labels:
30 splunk.env: "splunkforwarder"
31 networks:
32 splunk:
33 aliases:
34 - splunkforwarder
7. We have been using the network instructions for both the server and
the forwarder. These will not work without setting up the basic
network labels for it to use. So, finally add the following lines to our
compose file to complete the network.
35
36 networks:
37 splunk:
docker-compose up -d
9. If you now look to see what Docker containers are running, we will be
able to see two containers running and nicely named:
dockersplunk_splunkserver_1
dockersplunk_splunkforwarder_1
docker ps
CONTAINER ID IMAGE COMMAND
CREATED STATUS PORTS
NAMES
bf1bd894e56c splunk/splunk
"/sbin/entrypoint...." 7 seconds ago Up 6 seconds
0.0.0.0:8000->8000/tcp, 1514/tcp, 8089/tcp, 0.0.0.0:8088-
>8088/tcp, 8191/tcp, 0.0.0.0:9997->9997/tcp
dockersplunk_splunkserver_1
70
Beginning Splunk With Docker - Vincent Sesto
09ff4b23560f splunk/universalforwarder
"/sbin/entrypoint...." 7 seconds ago Up 6 seconds
1514/tcp, 8088-8089/tcp
dockersplunk_splunkforwarder_1
10. We can double check to make sure the servers are all working
correctly by logging onto our Splunk server and going to the search
screen. Splunk keeps an internal index of all data moving between
hosts in an environment. We can see this by entering the following
into the search bar.
index="_internal"
11. On the left of the search screen, Splunk will provide you with
selected fields that you can search against. If you click on the host
field, you will notice that there are two entries, one for each of our
new containers.
71
Beginning Splunk With Docker - Vincent Sesto
Secondly, the log files for our containers are usually not being stored on
our containers as this would also increase the size of our image. Instead
the logs will be stored on the host file system under the directory
/var/lib/docker/<container_id>/<container_id>-json.log. This is why we
need to specify a change to our log driver as we did in our previous
examples with Nginx.
So let’s add one to our compose file for the work that we are currently
doing. We will be able to move some of the code away from our compose
file and onto a configuration file.
72
Beginning Splunk With Docker - Vincent Sesto
2. Currently lines seven to ten outline all our environment variables for
our Splunk server. We are going to replace these with an env_file. So
start by removing those four lines.
7 env_file:
8 - splunkserver.env_file
4. Save the file, and the Splunk service should look similar to the lines
below.
4 splunkserver:
5 image: splunk/splunk
6 hostname: splunkserver
7 env_file:
8 - splunkserver.env_file
9 ports:
10 - "8000:8000"
11 - "9998:9998"
12 - "8088:8088"
13 labels:
14 splunk.env: "splunkserver"
15 networks:
16 splunk:
17 aliases:
18 - splunkserver
1 SPLUNK_START_ARGS=--accept-license --answer-yes
--no-prompt
73
Beginning Splunk With Docker - Vincent Sesto
2 SPLUNK_BEFORE_START_CMD_1=version
$SPLUNK_START_ARGS
3 SPLUNK_BEFORE_START_CMD_2=cmd python
/opt/splunk/bin/splunk_setup.py --configure
docker-compose up -d
74
Beginning Splunk With Docker - Vincent Sesto
35 volumes:
36 - datavolume:/opt/splunk/etc
37 depends_on:
38 - datavolume
4. Then move below the forwarder and we need to now set up the
datavolume service with the following code.
39
40 datavolume:
41 image: busybox
42 volumes:
43 - datavolume:/opt/splunk/etc
This is simply creating a basic container with the busybox image and
setting up the volume that the forwarder will use.
44
45 volumes:
46 datavolume:
docker-compose up -d
docker volume ls
75
Beginning Splunk With Docker - Vincent Sesto
8. Again we can use the exec Docker command option to create some
files on our forwarder.
10. If we now run the compose command, we will see that only the
forwarder needing to be started up.
11. Once the forwarder is back up again, we can now access it and
see if our test file has remained on the file system.
76
Beginning Splunk With Docker - Vincent Sesto
Although this is a very simply example, it means that we can start to use
persistent storage and containers for our configurations and if we needed
to, our indexed data.
Summary
Our work with Docker Compose has been brief but I am hoping it has been
worthwhile. We have seen how we can set up basic, one container
environments from scratch and by using existing Dockerfiles. We then
moved onto setting up Splunk environments with forwarders and Nginx
hosts.
Finally we took a look at moving some of the complexity away from our
compose file by using dedicated environment files as well as moving
persistent data onto volumes.
I hope you have been able to create a solid foundation of knowledge for
both Splunk and Docker even though we have only spent a short time
working. We worked hard on the first chapter to create and configure your
Docker containers from the command line, and worked on basic
configuration of the Splunk environment. We then started working with
Dockerfiles in chapter 2. This enabled us to further configure our Docker
containers and allow us to set up Splunk app and even index some sample
data that we were able to test our Splunk app with. Finally, we took a look
at Docker Compose and showed how we can use existing Dockerfiles to
work with the compose file, as well as setting an environment up from
scratch. We also looked at networks and keeping persistent data with
volumes.
Although we are at the end of this book, please note that there are two
appendix providing information on basic Splunk web interface usage,
including Splunk query language, and there is also a summary of all the
Docker commands used through this book.
77
Beginning Splunk With Docker - Vincent Sesto
78
Beginning Splunk With Docker - Vincent Sesto
79
Beginning Splunk With Docker - Vincent Sesto
80
Beginning Splunk With Docker - Vincent Sesto
Appendix 1
The Splunk
Web Interface
The following appendix is a guide to getting started with the Splunk Web
interface and tries to give you a quick rundown of how to administer and
search within the environment.
1. This is the Splunk welcome icon, if you want to return to the welcome
screen at any time, click on this icon.
2. This allows you to manage and configure your Splunk Apps. It also
allows you to install and search for new apps available.
81
Beginning Splunk With Docker - Vincent Sesto
3. The App menu displays all of the installed apps you have on your
environment and allows you to move them around to fit your needs.
4. This is a collapsible panel which provides useful tutorials and
information to new users.
5. Currently empty, but this is where you can display your default
dashboard.
6. This is your menu bar providing you with different menus allowing
you to manage and configure your environment.
82
Beginning Splunk With Docker - Vincent Sesto
One really great thing about Splunk is that, when you are using the web
interface all of the forms are self explanatory and easy to use.
● Upload allows you to search for specific files and directories to index
data once or monitor the files or directories and update your index as
they update.
● Monitor controls streaming data coming into your system such as the
HTTP Event Collector we have been working with in this book, UDP
or TCP data coming into the environment, as well as collecting data
using scripts for API’s or databases.
● Forward allows you enable and configure forwarders to send data
into your environment.
83
Beginning Splunk With Docker - Vincent Sesto
84
Beginning Splunk With Docker - Vincent Sesto
85
Beginning Splunk With Docker - Vincent Sesto
Stats
The stats function is used to aggregate statistics over the search results we
have previously found. For example, if we wanted to see the number of
errors by host, we would pipe our outputted results into | stats count by
host…the complete search would look similar to the search below:
index=* ERROR* | stats count by host
86
Beginning Splunk With Docker - Vincent Sesto
Chart
The chart function is considered a transformation command as it returns its
results in a table format. Much like stats these values can then be used in a
chart or visualization.
index=* ERROR* | chart values(process) by date_minute
Timechart
The timechart function allows you to create a time series chart with the
defined table of statistics. Even though you can create these charts with the
87
Beginning Splunk With Docker - Vincent Sesto
88
Beginning Splunk With Docker - Vincent Sesto
Appendix 2
Docker Command
Summary
Chapter 1 Summary of Commands
Display the Version of Docker running on your system.
docker --version
Search for a Docker image or type that you need from Docker Hub.
docker search <image_name>
89
Beginning Splunk With Docker - Vincent Sesto
Tag your image on your local host ready to push to Docker Hub.
90
Beginning Splunk With Docker - Vincent Sesto
Kill all running containers, remove all stopped containers and remove
all Docker images on your system.
docker kill $(docker ps -q); docker rm -f $(docker
ps -a -q) docker rmi -f $(docker images -q)
Use Docker Compose to build and run your compose file in detached
mode.
docker-compose up -d
91
Beginning Splunk With Docker - Vincent Sesto
92