Reading logs with Splunk and Docker

Every now and then I need to search through a set of log files (a core dump or a whole logs directory, for example), looking for a needle in a haystack.

My work has a Splunk license, but I didn’t want to add the logs there and have them sit around as a possible red herring for someone else. So I used Docker to host a Splunk instance on my Mac. Here are the instructions for setting it up:

Things you need:

A Docker ID and the Docker installer.

Steps:

  • Install and set up Docker.
  • Pull the Splunk image (tag 7.0.0) from the splunk/splunk repository on Docker Hub.
    docker pull splunk/splunk:7.0.0
  • Set up a place on your Mac to drop logs and a place to store configs. I’ll use a base folder of ~/Local in this example.
  • Create the Docker container.
    docker run --name splunk7 -d -v ~/Local/SplunkWatch:/splunkwatch -v ~/Local/DockerData/splunk:/opt/splunk/etc -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_USER=root" -p "8000:8000" splunk/splunk:7.0.0

Log in to the web frontend at http://localhost:8000. Any logs dropped into ~/Local/SplunkWatch are parsed. Server configs are stored in ~/Local/DockerData/splunk so they persist (and can be edited) outside the container.

If you prefer a GUI to the command line, you can use Kitematic (https://kitematic.com).

Some helpful docker commands:

### list running docker containers
docker ps

### list all docker containers
docker ps -a

### enter docker container
docker exec -it splunk7 /bin/bash

### stop/start the container (use the name given with --name above)
docker start splunk7
docker stop splunk7

### Clean out the indexed event data (run inside the container; splunkd must be stopped first)
docker exec -it splunk7 /bin/bash
/opt/splunk/bin/splunk stop
/opt/splunk/bin/splunk clean eventdata
/opt/splunk/bin/splunk start
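The setup steps and the helper commands above, wrapped in one small POSIX shell script. This is an added example, not code from the original post or from Splunk. It assumes a hypothetical file name splunk-local.sh and three environment variables that are not in the post: DOCKER (the docker CLI; set DOCKER=echo to dry-run and see the commands it would issue), BASE (the base folder, default ~/Local) and PORT (where Splunk Web is published). It departs from the post in two places, both on purpose: the web port is published on 127.0.0.1 only, so the UI and its default credentials are reachable from the Mac but not from the rest of the network, and the clean step passes -f to `splunk clean eventdata` so it runs without the confirmation prompt. It also waits for Splunk Web to answer before telling you to log in, and uses one container name everywhere.

```shell
#!/bin/sh
# Added example (not the post's code). Usage: sh splunk-local.sh setup|start|stop|shell|clean [index]
# Assumptions not in the post: DOCKER, BASE and PORT variables, loopback-only port binding.
set -eu

DOCKER="${DOCKER:-docker}"
BASE="${BASE:-${HOME:-/tmp}/Local}"
CONTAINER="${CONTAINER:-splunk7}"
IMAGE="${IMAGE:-splunk/splunk:7.0.0}"
PORT="${PORT:-8000}"

# Setup step 3: the watch folder for logs and the folder that keeps the configs.
make_dirs() {
  mkdir -p "$BASE/SplunkWatch" "$BASE/DockerData/splunk"
}

# Setup step 2: pull the image at the pinned tag, so every machine gets the same
# version rather than whatever :latest happens to be today.
pull_image() {
  "$DOCKER" pull "$IMAGE"
}

# Setup step 4: same flags as the post, except the web port is published on
# 127.0.0.1 only, so Splunk Web is reachable from this Mac and not from the LAN.
create_container() {
  "$DOCKER" run --name "$CONTAINER" -d \
    -v "$BASE/SplunkWatch:/splunkwatch" \
    -v "$BASE/DockerData/splunk:/opt/splunk/etc" \
    -e "SPLUNK_START_ARGS=--accept-license" \
    -e "SPLUNK_USER=root" \
    -p "127.0.0.1:$PORT:8000" \
    "$IMAGE"
}

# Poll Splunk Web for up to $1 seconds; return 1 on timeout instead of leaving
# you to guess from the browser whether the container is still starting.
wait_for_web() {
  deadline=$(( $(date +%s) + ${1:-120} ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    curl -fsS -o /dev/null "http://127.0.0.1:$PORT/" 2>/dev/null && return 0
    sleep 3
  done
  return 1
}

# Lifecycle helpers: one container name everywhere, so start/stop cannot drift
# from the name the container was created with.
splunk_start() { "$DOCKER" start "$CONTAINER"; }
splunk_stop()  { "$DOCKER" stop  "$CONTAINER"; }
splunk_shell() { "$DOCKER" exec -it "$CONTAINER" /bin/bash; }

# "Clean out DB" as one non-interactive step: splunkd must be stopped before
# `splunk clean eventdata`, and -f skips its confirmation prompt. Pass an index
# name to wipe only that index instead of all event data.
splunk_clean() {
  index_arg=""
  if [ -n "${1:-}" ]; then
    index_arg="-index $1"
  fi
  "$DOCKER" exec "$CONTAINER" /opt/splunk/bin/splunk stop
  # $index_arg is deliberately unquoted: it is either empty or two words.
  "$DOCKER" exec "$CONTAINER" /opt/splunk/bin/splunk clean eventdata $index_arg -f
  "$DOCKER" exec "$CONTAINER" /opt/splunk/bin/splunk start
}

# Entry point: nothing runs unless a subcommand is given, so the file can also be sourced.
case "${1:-}" in
  setup)
    make_dirs
    pull_image
    create_container
    wait_for_web 120 || { echo "Splunk Web did not come up on port $PORT" >&2; exit 1; }
    echo "Splunk Web is up: http://127.0.0.1:$PORT" ;;
  start) splunk_start ;;
  stop)  splunk_stop ;;
  shell) splunk_shell ;;
  clean) splunk_clean "${2:-}" ;;
esac
```

Running `DOCKER=echo sh splunk-local.sh setup` prints the exact docker commands without creating anything, which is a cheap way to review the volume mounts and port binding before the container exists. Note that the post's own docker run line publishes port 8000 on every interface; if you keep that form instead, anyone on the same network can reach the login page.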
