Dockerized Splunk Sandbox

I love to play around with Splunk and wanted a good tear-down, build-back kind of sandbox approach for app development. So I created a dockerized Splunk sandbox and wanted to share it with the community.

It's an extension of Splunk's Docker image with a couple of additions:

  1. A sample playground app placeholder, mounted from your local filesystem, for trying new stuff.
  2. A pre-built HEC (HTTP Event Collector) input for testing anything else you would like to try, such as logging to Splunk via HEC.

The Docker Compose file looks like this:

version: "3"
services:
  splunk-sandbox:
    restart: on-failure
    image: splunk/splunk:latest
    ports:
      - "9000:8000"
      - "9088:8088"
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=${PASS}
    volumes:
      - ./apps/playground:/opt/splunk/etc/apps/playground

All you need to get going is:

  • Download or clone the contents from GitHub at https://github.com/fuzzmymind/splunk-sandbox
  • cd to the root of the project.
  • Create a .env file with a single line such as PASS=PASSWORD, replacing PASSWORD with the password you want to use.
  • Run: docker-compose up --build
  • Navigate to localhost:9000 and log in with admin:PASSWORD
  • Test your HEC payload by running a sample curl command such as: curl -k "https://localhost:9088/services/collector" -H "Authorization: Splunk 38d93df9-a411-45d7-ba39-f9dbc79d03c9" -d '{"event": "Hello, world!", "sourcetype": "manual"}'
  • You should also be able to see your placeholder app called Playground in the UI.
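
The HEC token in the curl test appears in this post, and the "9000:8000" port form publishes on every host interface, so on a shared network the sandbox is better bound to loopback. The variant below is an added example, not part of the original project; the only change from the compose file above is the 127.0.0.1 prefix on both port mappings.

```yaml
# Added example: the sandbox compose file with published ports bound to loopback.
version: "3"
services:
  splunk-sandbox:
    restart: on-failure
    image: splunk/splunk:latest
    ports:
      # "9000:8000" (original form) listens on all host interfaces (0.0.0.0).
      # "127.0.0.1:9000:8000" listens on the local machine only.
      - "127.0.0.1:9000:8000"   # Splunk Web
      - "127.0.0.1:9088:8088"   # HEC endpoint used by the curl test
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=${PASS}
    volumes:
      - ./apps/playground:/opt/splunk/etc/apps/playground
```

The localhost:9000 login and the curl command against localhost:9088 work unchanged with this binding.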

Now you can of course add the AppInspect app and Splunk Readiness app from Splunkbase to the root folder and add additional volume mounts in the compose file to make it a little bit more convenient. I decided against pushing it out on GitHub because I was not sure if I should distribute it like that.

Happy Splunking!
