Getting Data In

Getting ERROR while creating Splunk universal forwarder using Alpine base image

vrathore2016
New Member

I am trying to create a Splunk universal forwarder image using the alpine:3.8 base image.

```dockerfile
FROM alpine:3.8

# Forwarder release to fetch and the account it runs as
ENV VERSION=6.3.1
ENV BUILD=f3e41e4b37b2
ENV SPLUNK_USER=root
ENV SPLUNK_GROUP=root
ENV SPLUNK_OUTPUT_SERVER=test:9997
ENV SPLUNK_HOME=/opt/splunkforwarder/

RUN mkdir -p /opt

# The custom output.conf is staged here for the entrypoint script to install
COPY ./config /tmp/splunk

# Note: the tarball is fetched over plain HTTP and not checksum-verified; the URL is truncated as posted
RUN apk add curl \
    && curl http://download.splunk.com/products/splunk/releases/${VERSION}/universalforwarder/linux/splunkforwar... | tar xvz -C /opt

WORKDIR /opt/splunkforwarder/

# Splunk management port
EXPOSE 8089

# Network Input
EXPOSE 514

VOLUME [ "/opt/splunkforwarder/etc", "/opt/splunkforwarder/var" ]

# Copied into the image but not set as ENTRYPOINT, so it has to be run by hand
COPY ./patch-entrypoint.sh /sbin/entrypoint.sh

CMD ["/opt/splunkforwarder/bin/splunk", "start", "--accept-license", "--answer-yes", "--no-prompt", "--nodaemon"]
```

Now I am facing a couple of issues here:

1. When I run /opt/splunkforwarder/bin/splunk start --accept-license I get "/opt/splunkforwarder/bin/splunk: not found".
2. I am using a custom output.conf file. It's in the config folder:

```ini
[tcpout]
defaultGroup = abc
disabled = false

[tcpout:abc]
# placeholder, replaced by entrypoint.sh from the environment at start
server = _OUTPUT_SERVERS_
autoLB = true
compressed = false
useACK = true
sendCookedData = true
```

entrypoint.sh is the script I am using to replace the environment variable in output.config and restart Splunk, but again the restart is not working.

Please help me fix this.


Richfez
SplunkTrust

Alpine, the Linux distribution?

Also, are you trying to install Splunk UF version 6.3.1? I heartily recommend using a newer version. Is 6.3.1 even supported any more?

So, after your ... "thing" that you are doing, you are getting a "/opt/splunkforwarder/bin/splunk" not found. So, have you looked at your filesystem and seen where it really is? Is it where it's supposed to be, or missing?

If it's not there, then obviously something in your automation is not working right - debug your automation, I don't think there's a Splunk problem.

If it IS there, then check permissions, ownership, executability - all those things that you'd check if you were sitting at the console trying to run it and it said "not found". This may or may not be a Splunk problem, but likely is a problem with your chosen Linux distribution (being, if I looked it up right, a "security oriented, lightweight distribution", which immediately indicates to me that "your stuff may or may not work, because we may have locked it down too tight or we might not have included critical libraries your app needs").

I do agree nothing I see in the config seems to be obviously off, assuming "tar xvz -C /opt" actually extracts to /opt (I always just cd /opt, then tar xzv in there).

Also, it may or may not matter in this case, but the uid/gid of the directories created after extracting are 506, so you may need to chown them to root?

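An added example entrypoint, not the poster's patch-entrypoint.sh, that turns the checks in the answer above into code: it renders the _OUTPUT_SERVERS_ placeholder in outputs.conf from SPLUNK_OUTPUT_SERVER and explains a bare "not found" (file missing, not executable, or an ELF loader that the image does not ship). It assumes the Dockerfile's variables and that outputs.conf is installed under $SPLUNK_HOME/etc/system/local/ (assumed location).

```shell
#!/bin/sh
# Added example entrypoint, not the poster's patch-entrypoint.sh. Assumes the
# Dockerfile above (SPLUNK_HOME, SPLUNK_OUTPUT_SERVER) and that the posted
# outputs.conf belongs in $SPLUNK_HOME/etc/system/local/ (assumed location).
set -eu
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Replace the _OUTPUT_SERVERS_ placeholder with the server list ($2) in the
# outputs.conf at $1. Safe to run on every start: a second run is a no-op.
render_outputs_conf() {
    conf="$1"; servers="$2"
    [ -n "$servers" ] || { echo "SPLUNK_OUTPUT_SERVER is empty" >&2; return 1; }
    case "$servers" in            # these would change the meaning of the sed script
        *'|'*|*'&'*|*'\'*) echo "bad characters in server list: $servers" >&2; return 1 ;;
    esac
    if grep -q '_OUTPUT_SERVERS_' "$conf"; then
        sed -i "s|_OUTPUT_SERVERS_|$servers|" "$conf"
    fi
    grep -q "^server = $servers\$" "$conf"   # refuse to start if the rendering is off
}

# Turn a bare "not found" into a reason. A shell prints "not found" for an ELF
# binary whose dynamic loader (PT_INTERP) is absent, which is what happens to
# glibc-linked binaries on a musl-based image such as alpine:3.8.
check_binary() {
    bin="$1"
    [ -e "$bin" ] || { echo "missing: $bin (was the tarball extracted under /opt?)" >&2; return 1; }
    [ -x "$bin" ] || { echo "not executable: $bin (check mode and ownership)" >&2; return 1; }
    case "$(head -c 4 "$bin")" in
        *ELF) interp=$(head -c 4096 "$bin" | tr -c '[:print:]' '\n' \
                       | grep '^/.*/ld[-a-z0-9_.]*\.so[.0-9]*$' | head -n1 || true) ;;
        *)    interp="" ;;   # a script: nothing to check
    esac
    if [ -n "$interp" ] && [ ! -e "$interp" ]; then
        echo "$bin needs loader $interp, which is not in this image (glibc vs musl)" >&2
        return 1
    fi
}

main() {
    cp /tmp/splunk/outputs.conf "$SPLUNK_HOME/etc/system/local/outputs.conf"
    render_outputs_conf "$SPLUNK_HOME/etc/system/local/outputs.conf" "$SPLUNK_OUTPUT_SERVER"
    check_binary "$SPLUNK_HOME/bin/splunk"
    exec "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt --nodaemon
}
# Only act as the entrypoint when invoked under that name, so the functions can be sourced/tested.
if [ "${0##*/}" = "entrypoint.sh" ]; then main "$@"; fi
```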