splunk / docker-splunk

Splunk Docker GitHub Repository

SPLUNK_ADD, SPLUNK_CMD, SPLUNK_APPS_URL not working #38

Closed cocowalla closed 6 years ago

cocowalla commented 6 years ago

I'm trying out Splunk with Docker Compose. My environment section looks like:

environment:
  - SPLUNK_ROLE=splunk_standalone
  - SPLUNK_PASSWORD=MySuperSecurePasswordHere
  - SPLUNK_START_ARGS=--accept-license
  - SPLUNK_HOME=/opt/splunk
  - SPLUNK_APPS_URL=https://splunkbase.splunk.com/app/978/

  - SPLUNK_ADD=udp 1514 -sourcetype syslog
  - SPLUNK_ADD_1=tcp 1514 -sourcetype syslog

  - SPLUNK_CMD=add udp 1514 -sourcetype syslog

The password is set as expected, but the specified app doesn't get installed, and no inputs are added (I tried both SPLUNK_ADD and SPLUNK_CMD to add them).

Full log from docker service logs -f sinks_splunk doesn't show anything about SPLUNK_ADD, SPLUNK_CMD or SPLUNK_APPS_URL.

arctan5x commented 6 years ago

Hi. Currently, SPLUNK_ADD and SPLUNK_CMD are variables supported only for the universal forwarder. SPLUNK_APPS_URL is currently not a supported variable.

aegershman commented 6 years ago

For SPLUNK_APPS_URL see https://github.com/splunk/docker-splunk/issues/14

cocowalla commented 6 years ago

My mistake, entrypoint.sh mentions SPLUNK_APPS_URL, so I just assumed it was in use.

Is there a supported way to add inputs to a standalone instance using config?
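
Worked example, added by the editor and not part of this thread or of the docker-splunk project: the CLI form `splunk add udp 1514 -sourcetype syslog` and an inputs.conf stanza `[udp://1514]` with `sourcetype = syslog` define the same input, so the SPLUNK_ADD-style strings from the compose file above can be converted into an inputs.conf that is shipped into the container as a small app. The function names, the app name `syslog_inputs` and the restriction to udp/tcp inputs with a `-sourcetype` option are my own assumptions; the mount path mentioned below assumes the default SPLUNK_HOME=/opt/splunk.

```shell
#!/bin/sh
# Added example, not code from the docker-splunk project.
# Translates "splunk add"-style input specs ("<udp|tcp> <port> -sourcetype <type>"),
# i.e. the SPLUNK_ADD strings from the compose file, into inputs.conf stanzas.
# Assumption: only udp/tcp inputs and the -sourcetype option are handled.

# spec_to_stanza udp 1514 -sourcetype syslog
# prints:
#   [udp://1514]
#   sourcetype = syslog
spec_to_stanza() {
    [ $# -ge 2 ] || { echo "usage: spec_to_stanza <udp|tcp> <port> [-sourcetype <type>]" >&2; return 1; }
    proto=$1
    port=$2
    shift 2
    sourcetype=""
    while [ $# -gt 0 ]; do
        case $1 in
            -sourcetype)
                [ $# -ge 2 ] || { echo "-sourcetype needs a value" >&2; return 1; }
                sourcetype=$2
                shift 2 ;;
            *)  echo "unsupported option: $1" >&2; return 1 ;;
        esac
    done
    case $proto in
        udp|tcp) ;;
        *) echo "unsupported input type: $proto" >&2; return 1 ;;
    esac
    # The port must be numeric and in range; anything else is rejected instead of written to disk.
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    # Restrict the sourcetype to a safe character set so a spec cannot smuggle
    # extra keys or a new stanza header into inputs.conf.
    case $sourcetype in
        *[!A-Za-z0-9_:.-]*) echo "bad sourcetype: $sourcetype" >&2; return 1 ;;
    esac
    printf '[%s://%s]\n' "$proto" "$port"
    [ -n "$sourcetype" ] && printf 'sourcetype = %s\n' "$sourcetype"
    printf '\n'
}

# specs_to_inputs_conf <appdir>   (one spec per line on stdin)
# Writes <appdir>/local/inputs.conf and fails on the first bad spec.
specs_to_inputs_conf() {
    appdir=$1
    mkdir -p "$appdir/local" || return 1
    : > "$appdir/local/inputs.conf"
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        # shellcheck disable=SC2086  # intentional word splitting of the spec
        spec_to_stanza $line >> "$appdir/local/inputs.conf" || return 1
    done
}

# Demo with the two inputs from the compose file above, written to a temp dir.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'udp 1514 -sourcetype syslog' 'tcp 1514 -sourcetype syslog' \
        | specs_to_inputs_conf "$dir/syslog_inputs"
    cat "$dir/syslog_inputs/local/inputs.conf"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to print the generated file. To get the inputs into the standalone container, the generated `syslog_inputs` directory can be bind-mounted as an app, e.g. a compose volumes entry of `./syslog_inputs:/opt/splunk/etc/apps/syslog_inputs` (assuming the default SPLUNK_HOME). Whichever way the inputs are provisioned, plain syslog over UDP or TCP on 1514 is unauthenticated and unencrypted, so expose the port only to the hosts that are meant to send to it.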

tuckcodes commented 4 years ago

SPLUNK_APPS_URL seems to not work for anything with splunk/splunk:latest

Should it be operational at this point? Hard to tell from the github issues.

nwang92 commented 4 years ago

@tuckcodes could you run a docker pull splunk/splunk:latest? I'm seeing this to be successful now. The image you should have is:

REPOSITORY            TAG            IMAGE ID
splunk/splunk         latest         04265955acc7

tuckcodes commented 4 years ago

Hi @nwang92, yes I can run docker pull splunk/splunk:latest fine; however, if I run something like

docker run -p 8000:8000 --name splunk -e "SPLUNK_PASSWORD=<password>" -e "SPLUNK_START_ARGS=--accept-license" -e 'SPLUNKBASE_USERNAME=<someusername>' -e 'SPLUNKBASE_PASSWORD=<somepassword>' -e 'SPLUNK_APPS_URL=http://splunkbase.splunk.com/app/1924/release/6.5.3/download/eventgen_653.tgz' -it splunk/splunk:latest

The particular piece I am referring to is the -e 'SPLUNK_APPS_URL=http://splunkbase.splunk.com/app/1924/release/6.5.3/download/eventgen_653.tgz'

If I run the docker command above without the SPLUNK_APPS_URL environment variable (which means I don't need the SPLUNKBASE stuff either), it works fine. If I try to add the SPLUNKBASE pieces along with the APPS_URL it fails to build.

tuckcodes commented 4 years ago

If I run the full docker run command above, with splunkbase and apps environment variables, I receive this build error. Also, note that by default I can't launch a vanilla splunk container, install the apps, and then do a docker commit. That also fails on build for some reason. In short, I am finding it hard to leverage modern tools like Gitlab or CICD in general with Splunk App development.

included: /opt/ansible/roles/splunk_common/tasks/install_apps.yml for localhost
Friday 23 October 2020  04:10:32 +0000 (0:00:00.075)       0:00:19.551 ******** 

TASK [splunk_standalone : Install Splunkbase app] ******************************
fatal: [localhost]: FAILED! => {
    "cache_control": "no-store, no-cache, must-revalidate, max-age=0", 
    "changed": false, 
    "connection": "Close", 
    "content": "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<response>\n  <messages>\n    <msg type=\"ERROR\">Argument \"mode\" is not supported by this handler.</msg>\n  </messages>\n</response>\n", 
    "content_length": "167", 
    "content_type": "text/xml; charset=UTF-8", 
    "date": "Fri, 23 Oct 2020 04:10:33 GMT", 
    "elapsed": 0, 
    "expires": "Thu, 26 Oct 1978 00:00:00 GMT", 
    "redirected": false, 
    "server": "Splunkd", 
    "status": 400, 
    "url": "https://127.0.0.1:8089/services/apps/local", 
    "vary": "Cookie, Authorization", 
    "x_content_type_options": "nosniff", 
    "x_frame_options": "SAMEORIGIN"
}

MSG:

Status code was 400 and not [200, 201]: HTTP Error 400: Bad Request

PLAY RECAP *********************************************************************
localhost                  : ok=65   changed=6    unreachable=0    failed=1    skipped=62   rescued=0    ignored=0   

Friday 23 October 2020  04:10:33 +0000 (0:00:00.232)       0:00:19.783 ******** 
=============================================================================== 
splunk_common : Start Splunk via CLI ------------------------------------ 4.47s
splunk_common : Trigger restart ----------------------------------------- 1.27s
splunk_common : Update Splunk directory owner --------------------------- 1.18s
splunk_common : Get Splunk status --------------------------------------- 1.11s
Gathering Facts --------------------------------------------------------- 1.01s
splunk_common : Update /opt/splunk/etc ---------------------------------- 0.55s
splunk_common : Test basic https endpoint ------------------------------- 0.44s
splunk_common : Generate user-seed.conf (Linux) ------------------------- 0.42s
splunk_common : Wait for splunkd management port ------------------------ 0.37s
splunk_common : Check for scloud ---------------------------------------- 0.34s
splunk_common : Hash the password --------------------------------------- 0.29s
splunk_common : Find manifests ------------------------------------------ 0.28s
splunk_common : Cleanup Splunk runtime files ---------------------------- 0.27s
splunk_standalone : Setup global HEC ------------------------------------ 0.27s
splunk_common : Get Splunk status --------------------------------------- 0.25s
splunk_standalone : Get existing HEC token ------------------------------ 0.24s
splunk_standalone : Install Splunkbase app ------------------------------ 0.23s
splunk_common : include_tasks ------------------------------------------- 0.22s
splunk_common : Check if /sbin/updateetc.sh exists ---------------------- 0.17s
Provision role ---------------------------------------------------------- 0.16s
splunkd.pid file is unreadable.

nwang92 commented 4 years ago

I tried the command using the other CLI you provided in another comment:

docker run -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_PASSWORD='' -e SPLUNK_APPS_URL=https://splunkbase.splunk.com/app/978/release/1.1/download -e SPLUNKBASE_USERNAME= -e SPLUNKBASE_PASSWORD= -p 8000 splunk/splunk:latest

The above works for me, provided I supply the correct credentials. I haven't tried specifically with eventgen, but I'm able to successfully install the app.

This was a bug, but it should be fixed with the newest image. The reason I posted the image ID was just to confirm you're running the correct image - I tend not to fully trust latest :) you could also try splunk/splunk:8.1.0.

I'll look at the commit image problem, but that's probably a separate issue from this one.