This project lets you stand up a Splunk instance in Docker on a quick and dirty basis.
But what is Splunk? Splunk is a platform for big data collection and analytics. You feed your events from syslog, webserver logs, or application logs into Splunk, and can use queries to extract meaningful insights from that data.
Paste either of these on the command line:
bash <(curl -s https://raw.githubusercontent.com/dmuth/splunk-lab/master/go.sh)
bash <(curl -Ls https://bit.ly/splunklab)
...and the script will print out which directory it will ingest logs from, your password, etc. Follow the on-screen instructions for setting environment variables and you'll be up and running in no time! Whatever logs you had sitting in your logs/ directory will be searchable in Splunk with the search index=main.
If you want to see neat things you can do in Splunk Lab, check out the Cookbook section.
Also, the script will create a directory called bin/ with some helper scripts in it. Be sure to check them out!
The username is admin, and the password is what was set when starting Splunk Lab. /etc/hosts can be appended to with local ip/hostname entries.

These are screenshots with actual data from production apps which I built on top of Splunk Lab (images not reproduced here).
What can you do with Splunk Lab? Here are a few examples of ways you can use Splunk Lab:

Index whatever is sitting in your logs/ directory:
bash <(curl -Ls https://bit.ly/splunklab)

Indexed data is written to data/, which will persist between runs. To start without persisting anything:
SPLUNK_DATA=no bash <(curl -Ls https://bit.ly/splunklab)
With that set, data/ will not be written to, and launching a new container will cause logs/ to be indexed again.

Run with Eventgen to produce sample webserver events:
SPLUNK_EVENTGEN=1 bash <(curl -Ls https://bit.ly/splunklab)
Search for them with index=main sourcetype=nginx. The logs are based on actual HTTP requests which have come into the webserver hosting my blog.

Append local ip/hostname entries from a file to the container's /etc/hosts:
ETC_HOSTS=./hosts bash <(curl -Ls https://bit.ly/splunklab)

Run with PRINT_DOCKER_CMD=1 set, and the Docker command line that's used will be written to stdout.

Get a bash shell inside the container. This would normally be done with the script ./bin/devel.sh when running from the repo, but if you're running Splunk Lab just with the Docker image, here's how to do it:
docker run -p 8000:8000 -e SPLUNK_PASSWORD=password1 -v $(pwd)/data:/data -v $(pwd)/logs:/logs --name splunk-lab --rm -it -v $(pwd):/mnt -e SPLUNK_DEVEL=1 dmuth1/splunk-lab bash
This is useful mainly if you want to poke around in Splunk Lab while it's running. Note that you could always just run docker exec -it splunk-lab bash instead of doing all of the above. :-)
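To make the environment variables above concrete, here is an added example (not code from the splunk-lab project or its go.sh) that assembles the docker run line the same way PRINT_DOCKER_CMD=1 lets you preview it. How go.sh actually maps each variable onto Docker flags is not shown on this page, so the following are assumptions: SPLUNK_DATA=no is realised by leaving out the data/ bind mount, SPLUNK_EVENTGEN=1 is forwarded as a container environment variable, the ETC_HOSTS file is bind-mounted read-only at the assumed path /mnt/hosts, and an unset SPLUNK_PASSWORD is an error rather than a default.

```shell
#!/bin/sh
# Added example, not part of the splunk-lab project. Builds the "docker run"
# command from the README's environment variables so each setting's effect can
# be inspected before any container starts.
#
# Assumptions (not from the README): SPLUNK_DATA=no drops the data/ mount;
# SPLUNK_EVENTGEN=1 is passed through as -e; ETC_HOSTS is mounted read-only at
# the assumed path /mnt/hosts; a missing SPLUNK_PASSWORD is refused.

build_splunk_lab_cmd() {
    # Never fall back to a built-in password: the Splunk web UI is exposed on
    # port 8000, and a guessable default there is the usual lab mistake.
    if [ -z "${SPLUNK_PASSWORD:-}" ]; then
        echo "SPLUNK_PASSWORD must be set" >&2
        return 1
    fi

    local cmd="docker run --rm -it --name splunk-lab -p 8000:8000"
    cmd="$cmd -e SPLUNK_PASSWORD=$SPLUNK_PASSWORD"

    # logs/ is always mounted; it is the directory the container indexes.
    cmd="$cmd -v $(pwd)/logs:/logs"

    # data/ holds the indexes. Leaving the mount out means nothing persists and
    # a fresh container indexes logs/ again, which is what SPLUNK_DATA=no does.
    if [ "${SPLUNK_DATA:-yes}" != "no" ]; then
        cmd="$cmd -v $(pwd)/data:/data"
    fi

    # Eventgen is opt-in, so the flag is only forwarded when set to 1.
    if [ "${SPLUNK_EVENTGEN:-}" = "1" ]; then
        cmd="$cmd -e SPLUNK_EVENTGEN=1"
    fi

    # The hosts file is mounted read-only: the container only needs to read
    # it and must not be able to alter the copy on the host. A leading "./"
    # is stripped because -v wants an absolute host path.
    if [ -n "${ETC_HOSTS:-}" ]; then
        cmd="$cmd -v $(pwd)/${ETC_HOSTS#./}:/mnt/hosts:ro"
    fi

    printf '%s\n' "$cmd dmuth1/splunk-lab"
}

# Preview only (the PRINT_DOCKER_CMD=1 behaviour); run in a subshell so the
# sample settings do not leak into the caller's environment.
(SPLUNK_PASSWORD=change-me; SPLUNK_EVENTGEN=1; ETC_HOSTS=./hosts; build_splunk_lab_cmd)
```

To actually launch with the previewed settings you would run eval "$(build_splunk_lab_cmd)"; reviewing the command first, instead of piping a remote script straight into bash, is also the cheapest way to confirm which host directories end up mounted into the container.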
The following Splunk apps are included in this Docker image: