
How to use docker Splunk forwarder image to forward logs to an external Splunk enterprise?

cmittal
New Member

I have Splunk Enterprise set up on a separate machine, and I have an application running on another instance.
Now I am trying to start a Docker container with the splunkforwarder image to forward my application logs to the Splunk indexer.
This is the command I used:

sudo docker run -d --name uf1 --hostname uf1  -e "SPLUNK_PASSWORD=<>" -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_STANDALONE_URL=https://XX.XXX.X.XXX:8080" -e "SPLUNK_CMD='add monitor /var/log/hello/hello.log -index abc -host abc.host'"  -it splunk/universalforwarder:latest

When I run the above command, it keeps failing with this error:
FAILED - RETRYING: Execute Splunk commands (50 retries left).
Please help!


codebuilder
SplunkTrust

One of two things is likely happening. Either Splunk is failing to start successfully, or the "add monitor" command is being triggered before Splunk has started.

Try starting up your container without the commands, then exec into it and check the health of Splunk. If there are no issues, execute your commands from the shell.

Alternatively, you can rebuild the image to include inputs.conf with the settings pre-populated.

----
An upvote would be appreciated and Accept Solution if it helps!
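The first approach from the answer, written out as a shell script. This is an added example, not code from the post or from the splunk/universalforwarder project: it starts the forwarder container without SPLUNK_CMD, polls the forwarder's own "splunk status" until splunkd reports running, and only then issues the "add monitor" command through docker exec. It assumes the image's SPLUNK_HOME is /opt/splunkforwarder, that "splunk status" prints "splunkd is running" once the daemon is up, and that the host directory holding hello.log is bind-mounted into the container (a monitor path names a path inside the container, so without a mount there is nothing to read). The indexer URL and password are placeholders taken from the question; UF_NAME, INDEXER_URL, UF_RUN, wait_for_splunkd, uf_status and add_monitor are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post or the splunk/universalforwarder image).
# Assumes SPLUNK_HOME=/opt/splunkforwarder inside the container and that
# "splunk status" reports "splunkd is running" once the daemon is healthy.
set -u

UF_NAME="${UF_NAME:-uf1}"
INDEXER_URL="${INDEXER_URL:-https://XX.XXX.X.XXX:8080}"   # placeholder copied from the question
SPLUNK_PASSWORD="${SPLUNK_PASSWORD:-changeme}"             # placeholder; set a real value before use
SPLUNK_BIN=/opt/splunkforwarder/bin/splunk                 # assumed location inside the image

# wait_for_splunkd ATTEMPTS CMD... : run CMD (anything that behaves like
# "splunk status") until its output reports a running splunkd, retrying once
# per second. Returns 0 when healthy, 1 when the attempts are exhausted.
wait_for_splunkd() {
  attempts=$1; shift
  n=0
  while [ "$n" -lt "$attempts" ]; do
    if "$@" 2>/dev/null | grep -q 'splunkd is running'; then
      return 0
    fi
    n=$((n + 1))
    if [ "$n" -lt "$attempts" ]; then
      sleep 1
    fi
  done
  return 1
}

# uf_status: the real health probe, executed inside the running container.
uf_status() {
  docker exec "$UF_NAME" "$SPLUNK_BIN" status
}

# add_monitor PATH INDEX HOST: issue "add monitor" against the running forwarder,
# authenticating with the admin password the container was started with.
add_monitor() {
  docker exec "$UF_NAME" "$SPLUNK_BIN" add monitor "$1" -index "$2" -host "$3" \
    -auth "admin:${SPLUNK_PASSWORD}"
}

# Only talk to Docker when explicitly asked (UF_RUN=1), so the functions above
# can be sourced and exercised without a Docker daemon present.
if [ "${UF_RUN:-0}" = "1" ]; then
  # Same container as in the question, minus SPLUNK_CMD, plus a read-only
  # bind mount so /var/log/hello/hello.log exists inside the container.
  docker run -d --name "$UF_NAME" --hostname "$UF_NAME" \
    -v /var/log/hello:/var/log/hello:ro \
    -e "SPLUNK_PASSWORD=${SPLUNK_PASSWORD}" \
    -e "SPLUNK_START_ARGS=--accept-license" \
    -e "SPLUNK_STANDALONE_URL=${INDEXER_URL}" \
    splunk/universalforwarder:latest

  # Wait up to 60 seconds for splunkd before configuring the input.
  if wait_for_splunkd 60 uf_status; then
    add_monitor /var/log/hello/hello.log abc abc.host
  else
    echo "splunkd did not come up in time; inspect with: docker logs $UF_NAME" >&2
    exit 1
  fi
fi
```

Run it with UF_RUN=1 and a real SPLUNK_PASSWORD on the Docker host. Separating "start" from "configure" is what makes the failure mode in the question visible: if wait_for_splunkd times out, the container itself is unhealthy and "docker logs" is the place to look, whereas if add_monitor fails the problem is the command or its credentials rather than startup timing. The second approach from the answer replaces add_monitor entirely by baking the equivalent [monitor:///var/log/hello/hello.log] stanza into an inputs.conf shipped with the image, which removes the ordering problem rather than waiting it out.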