Trying out Splunk in a Docker Container

Published at
11/9/2019
Categories
splunk
docker
Author
sql_knievel

Intro

Splunk is a nifty system that lets you ingest and parse basically any kind of event-based data and then query it to find trends, alerts, and whatever kind of info you want. Lots of companies use it to sift through log data to dig out useful information. Once you learn about it a bit, it's actually much cooler than it sounds at first, and surprisingly versatile. You can use it to crunch lots of different kinds of data.

My company has a big Splunk installation, and my boss wanted me to make use of it in a project. But I'd never used Splunk before, so I looked around for some tutorials. Most of the Splunk tutorials you come across either assume you already have a Splunk installation to play on or encourage you to install the Splunk software that Splunk makes available on their website (after you create an account, etc.). I certainly didn't want to go through tutorial exercises on work's production system, and I also didn't feel like installing software on my development machine. Enter Docker.

One of the great things about Docker is that it's an easy way to try out software without actually installing anything on your system - let's face it, installing software just for testing is messy at best and dangerous at worst. Fortunately, Splunk makes a version of Splunk Enterprise available on Docker Hub. I got it working great for me, but it took a few little tweaks to get it rolling.

Fire it Up

I'm going to assume that you know the basics of Docker and that you have it installed on your system.

  1. Go to Docker Hub and log into your account.
  2. Find your way to the page for Splunk Enterprise
  3. On the right side of the page, you'll see that you have to "buy" the free plan for $0.00. Go to checkout and go through the motions. You don't need a credit card or anything - it's free. Of course, this is just a "trial" version - it starts as a fully-featured Splunk Enterprise, and after a period of time it becomes "Splunk Free" limiting you to 500MB/day. Still plenty of time to run through a few tutorials.
  4. Open a command line. We need to make sure we're accessing Docker Hub with the credentials we just used to register for the Splunk image and run:

    docker login

  5. Let's download the Splunk image:

    docker pull store/splunk/splunk:7.3

  6. Now we can fire up the container. Three notes:
    a. I have picked a silly password, but it conforms to Splunk's password requirements. If you pick your own, that's fine, but if you don't conform to their requirements, the container will automatically shut itself down. Be aware that a password passed as -e SPLUNK_PASSWORD=... ends up in your shell history and in docker inspect output for the container; that's acceptable for a throwaway sandbox, but not a habit to carry into anything real.
    b. In addition to the main interface port of 8000, I've also opened port 8088, which is used for HTTP Event Collection, in case you want to play with sending events to Splunk via POST requests. (I did.) As written, -p 8000:8000 publishes the port on every network interface of your machine, so anyone on the same network can reach the admin login; if that matters where you are, use -p 127.0.0.1:8000:8000 (and likewise for 8088) so only your own machine can connect.
    c. The "start" at the end of the command is necessary. The sample command on their page on Docker Hub doesn't show it.

    docker run -d -p 8000:8000 -p 8088:8088 -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_PASSWORD=123ABCdef! store/splunk/splunk:7.3 start

  7. Once we run the container, it prints a long hex identifier, which is the container ID. If you check on the container a few times by running docker container ls, its status should go from "starting" to "healthy" within half a minute or so. Once it's healthy, we can try connecting to it by going to http://localhost:8000/ and logging in with the username admin and the password you passed as SPLUNK_PASSWORD above, in my example 123ABCdef!
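
Here is the wrapper I would put in front of the steps above so I stop retyping them. This is an added example, not code from the original post or from Splunk's image. It reads the admin password from the environment instead of the command line, binds the published ports to localhost, polls the container's health check, and can post a test event to HEC. The container name, the SPLUNK_IMAGE, SPLUNK_CONTAINER, SPLUNK_BIND and SPLUNK_HEC_TOKEN variables, and the assumption that you have enabled HEC and created a token in the Splunk UI (Settings > Data Inputs > HTTP Event Collector) before using "hec" are all this script's own choices.

```shell
#!/bin/sh
# splunk-sandbox.sh - added example, not code from the original post or from
# Splunk's image. Wraps the docker commands from the post so the admin password
# never appears on the command line, the published ports bind to localhost
# only, and "up" can be followed by "wait" before you open the browser.
# Assumptions (this example's own choices): the container name, the
# SPLUNK_IMAGE / SPLUNK_CONTAINER / SPLUNK_BIND / SPLUNK_HEC_TOKEN variables,
# and that HEC has been enabled with a token in the Splunk UI before "hec".
set -eu

IMAGE="${SPLUNK_IMAGE:-store/splunk/splunk:7.3}"
CONTAINER="${SPLUNK_CONTAINER:-splunk-sandbox}"
BIND="${SPLUNK_BIND:-127.0.0.1}"   # 0.0.0.0 reproduces the post's -p 8000:8000

# Argument list for `docker run`. A bare "-e SPLUNK_PASSWORD" makes docker
# copy the value from this shell's environment, so it is not typed into the
# command (and therefore not into shell history or `ps` output). It is still
# readable via `docker inspect`, which is acceptable only for a throwaway box.
run_args() {
  printf '%s' "-d --name $CONTAINER -p $BIND:8000:8000 -p $BIND:8088:8088 -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_PASSWORD $IMAGE start"
}

up() {
  : "${SPLUNK_PASSWORD:?export SPLUNK_PASSWORD before running 'up'}"
  export SPLUNK_PASSWORD
  # Word splitting is intentional: no argument contains whitespace.
  docker run $(run_args)
}

# Exit 0 only for the exact "healthy" state reported by docker's health check.
is_healthy() {
  [ "$1" = "healthy" ]
}

# Poll the health check instead of re-running `docker container ls` by hand.
wait_healthy() {
  tries=0
  status=unknown
  while [ "$tries" -lt 60 ]; do
    status=$(docker inspect --format '{{.State.Health.Status}}' "$CONTAINER" 2>/dev/null || echo unknown)
    if is_healthy "$status"; then
      echo "$CONTAINER is healthy: http://localhost:8000/"
      return 0
    fi
    tries=$((tries + 1))
    sleep 2
  done
  echo "gave up waiting for $CONTAINER (last status: $status)" >&2
  return 1
}

# Minimal HEC payload. Only the event text is substituted and it is not
# JSON-escaped, so keep test messages to plain words.
hec_payload() {
  printf '{"event": "%s", "sourcetype": "manual"}' "$1"
}

# POST one event to the HTTP Event Collector. -k accepts the image's
# self-signed certificate; fine for this sandbox, never for a real endpoint.
hec_event() {
  : "${SPLUNK_HEC_TOKEN:?create a HEC token in Splunk and export SPLUNK_HEC_TOKEN}"
  curl -sk "https://localhost:8088/services/collector/event" \
    -H "Authorization: Splunk $SPLUNK_HEC_TOKEN" \
    -d "$(hec_payload "${1:-hello from the docker sandbox}")"
  echo
}

down() {
  docker container stop "$CONTAINER"
  docker container rm "$CONTAINER"   # discards everything indexed so far
}

case "${1:-}" in
  up)   up ;;
  wait) wait_healthy ;;
  hec)  shift; hec_event "$@" ;;
  down) down ;;
  "")   ;;  # no verb given: only define the functions
  *)    echo "usage: $0 up|wait|hec [text]|down" >&2; exit 2 ;;
esac
```

Usage: export SPLUNK_PASSWORD in your shell, then run ./splunk-sandbox.sh up followed by ./splunk-sandbox.sh wait, and open http://localhost:8000/ once it reports healthy. After creating a HEC token in the UI, export SPLUNK_HEC_TOKEN and run ./splunk-sandbox.sh hec "some text" to confirm events arrive; ./splunk-sandbox.sh down stops and removes the container.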

Now you should be logged into your local Splunk instance and able to do whatever you want. BE AWARE THAT THIS INSTANCE IS COMPLETELY EPHEMERAL, which is to say there is no permanent storage outside of this container: if you load data into it, play around with it, shut it down and drop the container, your data and reports will be GONE. (A Docker volume could keep the data around, but that's beyond this post.) This is strictly for playing around with Splunk and NOT for doing any kind of REAL deployment. That is well beyond the scope of what we're doing here. We just want a Splunk instance to mess with and then throw away.

At this point you could just go ahead and jump into Splunk's Official Tutorial - just remember when you're following the tutorial you're running "Splunk Enterprise" here and not "Splunk Cloud". They'll give you some sample data to upload and off you go!

Shut it Down

When you're all done and want to get rid of it, run docker container ls to remind yourself of the container ID. Then stop it with docker container stop <containerid> and finally remove the container (and everything you loaded into it) with docker container rm <containerid>.
