I have Splunk Enterprise set up on a separate machine and I have an application running on another instance.
Now I am trying to start a docker with splunkforwarder image to forward my application logs to the Splunk indexer.
This is the command I used:

```
sudo docker run -d --name uf1 --hostname uf1 -e "SPLUNK_PASSWORD=<>" -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_STANDALONE_URL=https://XX.XXX.X.XXX:8080" -e "SPLUNK_CMD='add monitor /var/log/hello/hello.log -index abc -host abc.host'" -it splunk/universalforwarder:latest
```

When I run the above command, it keeps failing with this error:

```
FAILED - RETRYING: Execute Splunk commands (50 retries left).
```

Please help!
One of two things is likely happening. Either Splunk is failing to start successfully, or the "add monitor" command is being triggered before Splunk has started.
Try starting up your container without the commands, then exec into it and check the health of Splunk. If no issues, execute your commands from the shell.
Alternatively, you can rebuild the image to include inputs.conf with the settings pre-populated.
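As an added illustration of the second option (not code from the original answer or from the splunk/universalforwarder project): this script writes the monitor stanza from the question into a small Splunk app and a Dockerfile that bakes it into a derived forwarder image, so no `add monitor` command has to race splunkd at startup. It assumes the image keeps its configuration tree under `/opt/splunkforwarder/etc`; the app name `hello_inputs`, the image tag `uf-hello` and the sourcetype `hello_app` are made-up values.

```shell
#!/bin/sh
# Added example: pre-populate inputs.conf instead of running "add monitor" via SPLUNK_CMD.
set -eu

UF_ETC=/opt/splunkforwarder/etc   # assumption: config tree of the UF image
APP_NAME=hello_inputs             # made-up app name

# Write the inputs.conf equivalent of
#   add monitor /var/log/hello/hello.log -index abc -host abc.host
# into <build context>/<app>/local/. Prints the path of the written file.
write_inputs_conf() {
  ctx="$1"
  mkdir -p "$ctx/$APP_NAME/local"
  cat > "$ctx/$APP_NAME/local/inputs.conf" <<'EOF'
[monitor:///var/log/hello/hello.log]
index = abc
host = abc.host
sourcetype = hello_app
disabled = false
EOF
  printf '%s\n' "$ctx/$APP_NAME/local/inputs.conf"
}

# Write a Dockerfile that copies the app into the forwarder image.
# Prints the path of the written Dockerfile.
write_dockerfile() {
  ctx="$1"
  cat > "$ctx/Dockerfile" <<EOF
FROM splunk/universalforwarder:latest
# The app is present before splunkd starts, so the input is read on first
# boot with no retry loop. Add --chown for the splunkd user if your image
# runs it unprivileged.
COPY $APP_NAME $UF_ETC/apps/$APP_NAME
EOF
  printf '%s\n' "$ctx/Dockerfile"
}

# Create the build context in the given directory and build the image.
build_image() {
  ctx="$1"
  write_inputs_conf "$ctx" >/dev/null
  write_dockerfile "$ctx" >/dev/null
  docker build -t uf-hello "$ctx"
}
```

Build with `build_image "$(mktemp -d)"`, then start the image with the same environment variables as in the question minus `SPLUNK_CMD`, mounting the log directory read-only (`-v /var/log/hello:/var/log/hello:ro`) so the forwarder can read but never alter the application's logs.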