Deploying Splunk Enterprise using Docker and YAML

In this guide, we walk through the complete process of setting up a Splunk Enterprise server using a Docker container and a YAML file. From the initial deployment to performing the first login and verifying access to the web interface, you will learn how to efficiently get your Splunk instance up and running.

• Ubuntu 22
• Ubuntu 24

Copyright © 2018-2026 by Techexpert.tips.
All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means without the prior written permission of the publisher.

Tutorial Docker - Install Splunk using Containers

Install the required packages.

Copy to Clipboard

Install Docker and Docker Compose.

Copy to Clipboard

Start the Docker service.

Copy to Clipboard

Enable the Docker service to start automatically.

Copy to Clipboard

Create the directory to store project files.

Copy to Clipboard

Create the YAML file containing the Splunk container settings.

Copy to Clipboard

Here is the Docker Compose file content.

Copy to Clipboard

version: '3.8'

services:
  splunk:
    image: splunk/splunk:latest
    container_name: splunk-server
    hostname: splunk-server
    restart: always
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_GENERAL_TERMS=--accept-sgt-current-at-splunk-com
      - SPLUNK_PASSWORD=Splunk.Secure.Pass.2026!
    ports:
      - "8000:8000"       # Splunk Web UI
      - "8088:8088"       # Splunk HTTP Event Collector (HEC)
      - "9997:9997"       # Indexing (Universal Forwarders)
      - "1514:1514/udp"   # Syslog port 01
      - "1518:1518/udp"   # Syslog port 02
      - "1519:1519/udp"   # Syslog port 03
      - "1520:1520/udp"   # Syslog port 04
      - "1516:1516/udp"   # Syslog port 05
      - "1517:1517/udp"   # Syslog port 06
      - "1521:1521/udp"   # Syslog port 07
      - "1522:1522/udp"   # Syslog port 08
    volumes:
      - splunk_etc:/opt/splunk/etc
      - splunk_var:/opt/splunk/var
    networks:
      - splunk-network

networks:
  splunk-network:
    driver: bridge

volumes:
  splunk_etc:
  splunk_var:

The Splunk administrator password is defined via environment variables. For this tutorial, we set a default password, but it is essential to use a strong, unique string to comply with Splunk's security requirements during the initial setup.

Copy to Clipboard

In our example, we define volumes to ensure data persistence. By mapping it, all configurations, logs, and indexed data are preserved even if the container is restarted or removed.

Copy to Clipboard

A dedicated bridge network is created to isolate the traffic. The splunk-network ensures that the Splunk container operates in a controlled environment, allowing for secure communication between services while keeping it separated from other Docker networks.

Copy to Clipboard

We also expose multiple ports to handle different data streams. In addition to the Web UI on port 8000, we configured several UDP ports to receive syslog data. This setup allows the server to act as a central log collector for various network devices.

Copy to Clipboard

Create the Splunk container using Docker Compose.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Wait a few minutes and check if the container is running.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Check if the container has finished loading.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

===============================================================================
splunk_common : Start Splunk via CLI ----------------------------------- 31.57s
splunk_common : Update Splunk directory owner --------------------------- 3.67s
splunk_common : Test basic https endpoint ------------------------------- 3.31s
splunk_common : Get Splunk status --------------------------------------- 2.56s
Gathering Facts --------------------------------------------------------- 2.45s
splunk_common : Update /opt/splunk/etc ---------------------------------- 2.18s
splunk_standalone : Get existing HEC token ------------------------------ 1.82s
splunk_common : Check if requests_unixsocket exists --------------------- 1.60s
splunk_common : Wait for splunkd management port ------------------------ 1.41s
splunk_standalone : Check for required restarts ------------------------- 1.16s
splunk_standalone : Setup global HEC ------------------------------------ 1.10s
splunk_common : Generate user-seed.conf (Linux) ------------------------- 1.05s
Check for required restarts --------------------------------------------- 1.03s
splunk_common : Cleanup Splunk runtime files ---------------------------- 0.79s
splunk_common : Check if UDS file exists -------------------------------- 0.61s
splunk_common : Find manifests ------------------------------------------ 0.52s
splunk_common : Check for scloud ---------------------------------------- 0.50s
splunk_common : Hash the password --------------------------------------- 0.49s
splunk_common : Set mgmt port ------------------------------------------- 0.47s
splunk_common : Remove user-seed.conf ----------------------------------- 0.46s
===============================================================================

Ansible playbook complete, will begin streaming splunkd_stderr.log

Open your browser and access the web interface on port 8000.

Copy to Clipboard

Replace the IP address with the address of the computer running the container.

Log in to the Splunk web interface using the admin username and the password configured in the YAML file.

After a successful login, you will be redirected to the Splunk dashboard.

Congratulations! You have successfully installed Splunk in a Docker container.

Deploying Splunk Enterprise using Docker and YAML

Deploying Splunk Enterprise using Docker and YAML

Tutorial Docker - Install Splunk using Containers

Related Posts

Splunk - Installing Splunk Forwarder on Linux

Splunk Docker Installation on Ubuntu Linux