Every now and then I need to parse through a set of log files (a core dump, or a whole logs directory) looking for a needle in a haystack.
My work has a Splunk license, but I didn't want to load the logs into the shared instance, where they could become a red herring for someone else if I left them behind. So I used Docker to host a Splunk instance on my Mac. Here are the instructions for setting it up:
Things you need:
A Docker ID (for Docker Hub) and the Docker installer.
- Install and set up Docker.
- Pull the Splunk image from Docker Hub.
docker pull splunk/splunk:7.0.0
- Set up a place on your Mac to drop logs and a place to store configs. I'll use a base folder of ~/Local in this example.
- Create the Docker container.
docker run --name splunk7 -d -v ~/Local/SplunkWatch:/splunkwatch -v ~/Local/DockerData/splunk:/opt/splunk/etc -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_USER=root" -p "8000:8000" splunk/splunk:7.0.0
Log in to the frontend at http://localhost:8000. Logs dropped into ~/Local/SplunkWatch are visible inside the container at /splunkwatch; add a file monitor input on that path and Splunk indexes whatever lands there. Server configs (/opt/splunk/etc) are stored in ~/Local/DockerData/splunk, so they persist across container rebuilds and can be edited from the Mac.
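The whole procedure as one script, added here as an example and not code from the original post. It keeps the post's image, container name and host paths, and differs in two places worth knowing about: the web port is published on 127.0.0.1 only rather than on every interface of the Mac (a freshly started Splunk, running as root and still on its initial admin credentials, should not be reachable from the network), and the step the post leaves implicit, telling Splunk to monitor /splunkwatch, is done by writing an inputs.conf into the persisted config directory. The DOCKER and SPLUNK_DOCKER_APPLY variables, the helper names and the curl wait loop are this example's own; that the container's first start populates the empty mounted etc directory is assumed from the post's description of the configs being editable there.

```shell
#!/bin/sh
# Added example, not code from the original post. Same image, container
# name and host paths as the post; the helper names, the DOCKER and
# SPLUNK_DOCKER_APPLY variables and the wait loop are this example's own.
set -e

BASE_DIR="${BASE_DIR:-$HOME/Local}"
CONTAINER="${CONTAINER:-splunk7}"
IMAGE="${IMAGE:-splunk/splunk:7.0.0}"
DOCKER="${DOCKER:-docker}"   # set DOCKER=echo to dry-run

# inputs.conf stanza that tells Splunk to index every file dropped into the
# mounted /splunkwatch directory (recursively, into the default index).
monitor_stanza() {
  cat <<'EOF'
[monitor:///splunkwatch]
disabled = false
recursive = true
index = main
EOF
}

# Write the stanza into the host directory that is mounted at
# /opt/splunk/etc, i.e. etc/system/local/inputs.conf inside the container.
# Prints the path of the file written.
write_monitor_input() {
  conf_dir="$1/system/local"
  mkdir -p "$conf_dir"
  monitor_stanza > "$conf_dir/inputs.conf"
  echo "$conf_dir/inputs.conf"
}

# The post's docker run command, with one change: 127.0.0.1:8000:8000
# publishes the web UI on the loopback interface only. A bare 8000:8000
# binds 0.0.0.0 and exposes a Splunk that runs as root and still has its
# initial admin credentials to every network the Mac is on.
run_splunk() {
  base="$1"
  "$DOCKER" run --name "$CONTAINER" -d \
    -v "$base/SplunkWatch:/splunkwatch" \
    -v "$base/DockerData/splunk:/opt/splunk/etc" \
    -e "SPLUNK_START_ARGS=--accept-license" \
    -e "SPLUNK_USER=root" \
    -p "127.0.0.1:8000:8000" \
    "$IMAGE"
}

# Poll the web UI until it answers any HTTP response; Splunk needs a while
# to come up after the container starts.
wait_for_web() {
  tries=0
  until curl -s -o /dev/null "http://127.0.0.1:8000/"; do
    tries=$((tries + 1))
    [ "$tries" -lt 60 ] || { echo "Splunk web did not come up" >&2; return 1; }
    sleep 5
  done
}

main() {
  mkdir -p "$BASE_DIR/SplunkWatch" "$BASE_DIR/DockerData/splunk"
  run_splunk "$BASE_DIR"
  wait_for_web
  # Assumption (from the post): the container's first start populates the
  # mounted etc directory. Add the monitor input afterwards and restart the
  # container so Splunk picks it up.
  write_monitor_input "$BASE_DIR/DockerData/splunk"
  "$DOCKER" restart "$CONTAINER"
}

# Only touch Docker when explicitly asked, so the helpers above can be
# sourced and checked without a Docker daemon.
if [ "${SPLUNK_DOCKER_APPLY:-0}" = 1 ]; then
  main
fi
```

Run it with SPLUNK_DOCKER_APPLY=1 sh splunk-docker.sh; with DOCKER=echo it prints the docker commands instead of executing them. Because the stanza lives in the host-side config directory, the monitor input survives deleting and recreating the container, which a setting made only through the web UI of a throwaway container would not.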
If you prefer a GUI for managing the container, there is Kitematic: https://kitematic.com.
Some helpful Docker commands:
### list running docker containers
docker ps
### list all docker containers
docker ps -a
### enter the docker container
docker exec -it splunk7 /bin/bash
### stop/start the container (use the name given with --name above)
docker stop splunk7
docker start splunk7
### clean out the index data (run inside the container; clean eventdata prompts for confirmation, add -f to skip it)
docker exec -it splunk7 /bin/bash
/opt/splunk/bin/splunk stop
/opt/splunk/bin/splunk clean eventdata
/opt/splunk/bin/splunk start