Splunk officially supported installation platforms
Splunk Enterprise contains many settings that allow customers to tailor their Splunk environment. Because not all settings apply to all customers, Splunk will only support the most common subset of all configurations. Below is a list of supported platforms and base operating systems. Please check back periodically as our support matrix will expand over time.
Throughout this document, the term "Supported" means you can contact Splunk Support for assistance with issues.
In the following conditions, Splunk Support reserves the right to deem your installation in an unsupported state and not provide assistance when issues arise:
- You do not have an active support contract
- You are running Splunk Enterprise / Splunk Universal Forwarder in a container on a platform not officially supported by Splunk
- You are using features not officially supported by Splunk
Supported Operating Systems:
Linux kernel versions above 4.x.
Supported Docker Engine Versions:
- Docker Enterprise Engine 17.06.2 or later
- Docker Community Engine 17.06.2 or later
Note: Splunk Support does not provide assistance with the advanced usage of an operator such as the scale command. Splunk Support will only provide assistance with the functionality of running the container on the systems listed above, and cannot support setup and configuration of the a service level object to be used for docker-compose or kubectl. Please consult the Docker or Kubernetes documentation regarding best practices for building services.
Note: Splunk Support only provides support for the single instance Splunk Validated Architectures (S-Type). For all other configurations, please contact Splunk Professional Services.
All instances must be at or above the minimum server specifications found in the Splunk installation manual.
Additionally, the Docker container at this time is also limited to the following base installation chipsets:
Volumes used for persistence of the Splunk Enterprise data inside the Docker container must be one of the supported filesystems listed in the Splunk installation manual.
- Install the appropriate Docker Engine for your operating system
- If you intend for the containerized Splunk Enterprise deployment to be supported by your Enterprise Support Agreement, you must verify you meet all of the
above "supported" requirements. Failure to do so will render your deployment in an "unsupported" state.
Install Splunk Enterprise Docker container
Download the required image to your local Docker image library.
$ docker pull splunk/splunk:latest
Starting Splunk Enterprise Docker container
For a basic standalone Splunk environment, run the following command:
$ docker run -d -p 8000:8000 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' splunk/splunk:latest
Note: The password supplied must conform to the default Splunk Enterprise password requirements*
The output of Docker's run command will be a long hash of numbers and letters. These numbers and letters are the container id for your
Splunk Enterprise deployment. Use "docker ps" to get the status of the new deployment. For example:
docker ps -a -f id=9d790051bff3d8eb88da2d27b515140ff45f8f77a4bd57d6e5655d87cf3272fb
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 9d790051bff3 splunk-debian-9 "/sbin/entrypoint.sh…" 4 seconds ago Up 3 seconds (health: starting) 4001/tcp, 8065/tcp, 8088-8089/tcp, 8191/tcp, 9887/tcp, 9997/tcp, 0.0.0.0:8000->8000/tcp zen_hawking
Once the container has reached a "healthy" status, you can log in. The exposed port will be listed under the port section.
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 9d790051bff3 splunk-debian-9 "/sbin/entrypoint.sh…" 4 minutes ago Up 4 minutes (healthy) 4001/tcp, 8065/tcp, 8088-8089/tcp, 8191/tcp, 9887/tcp, 9997/tcp, 0.0.0.0:8000->8000/tcp zen_hawking
Ports with an IP address are container ports that can be accessed from external. Follow this link for more information on Splunk Enterprise's default ports.
4001/tcp, 8065/tcp, 8088-8089/tcp, 8191/tcp, 9887/tcp, 9997/tcp, 0.0.0.0:8000->8000/tcp <------- This is an exposed port accessible from external
In the above example, the port that is exposed is on the same port number which running inside the container. If port 8000 was occupied by another service on localhost, this port will instead be
exposed at a higher port number. By opening an Internet browser and travelling to the exposed address, such as
localhost:8000, you will be prompted with a login page.
Log in to your deployment with the Splunk credentials
admin and use the password you set during installation, or input from the SplunkUI.
Enterprise Applications (Splunk Enterprise Security and Splunk IT Service Intelligence)
- Installation of Splunk Enterprise Security (ES) and Splunk IT Service Intelligence (ITSI) are not supported in this version.
Please contact Splunk Services for more information on using these applications with Splunk Enterprise in a container.
Clusters and Other Advanced Deployments
For information about more advanced deployments including search head and indexer clusters, please see our advanced documentation.
Get help and support
If you have questions or need support, you can:
- Post a question to Splunk Answers
- Join the Splunk Slack channel
- Visit the #splunk channel on EFNet Internet Relay Chat
- Send an email to email@example.com
Please also see our troubleshooting documentation.