Notes and lab instructions for running Splunk in Kubernetes using splunk-operator.
Presented at OCD Splunk Pub #3 on 2021-10-08.
- Deploy a Standalone instance and service
- Reconfigure the Standalone instance
- Deploy an IndexerCluster
- Reconfigure the Standalone to search the IndexerCluster
Instructions tested on Ubuntu 20.04 with microk8s installed using snap.
- Follow official install instructions for microk8s
- Enable features:

      microk8s enable dns storage

- Create a namespace for this lab:

      microk8s kubectl create namespace splunkpub

- Install splunk-operator in the splunkpub namespace:

      microk8s kubectl --namespace splunkpub apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.2/splunk-operator-install.yaml
Run the commands below one step at a time, not all at once!
Pause to view outputs of kubectl get, check kubectl logs, and monitor the status of Splunk before moving on to the next step. Also, check changes with kubectl diff before applying.
- Alias kubectl in your shell to microk8s and the namespace:

      alias kubectl="microk8s kubectl --namespace splunkpub"

- Deploy a Standalone instance and service:

      kubectl apply -f kubernetes/standalone-v1.yml
      kubectl apply -f kubernetes/service.yml

  The service manifest will map the Splunk web and REST ports like this:

  - Standalone: 30800 to web, 30890 to REST
  - Monitoring Console: 30801 to web, 30891 to REST

- Get Splunk password from secret:

      kubectl get secret splunk-s1-standalone-secret-v1 --template={{.data.password}} | base64 -d

- Reconfigure the Standalone instance and deploy an app to it:

      kubectl apply -f kubernetes/standalone-v2.yml

- Deploy an IndexerCluster with two peers:

      kubectl apply -f kubernetes/indexercluster.yml

- Reconfigure the Standalone instance to search the IndexerCluster:

      kubectl apply -f kubernetes/standalone-v3.yml
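
One way to script the "check changes with kubectl diff before applying" advice for the manifests above, as an added example that is not part of the original lab. The names `k`, `review_and_apply` and `ASSUME_YES` are assumptions; the logic relies on `kubectl diff` exiting 0 for no differences, 1 for differences and a higher value on error.

```bash
#!/usr/bin/env bash
# Added example, not from the lab repository.
# Scripts do not expand shell aliases by default, so the lab's kubectl alias
# is expressed as a function here (the name "k" is hypothetical).
k() { microk8s kubectl --namespace splunkpub "$@"; }

# review_and_apply MANIFEST
# Shows the pending change, asks for confirmation, then applies.
# Returns: 0 applied or nothing to change, 2 declined, 3 diff failed.
review_and_apply() {
    _manifest=$1
    _diff_rc=0
    k diff -f "$_manifest" || _diff_rc=$?
    case $_diff_rc in
        0) echo "no changes: $_manifest"; return 0 ;;
        1) ;;  # differences were found and printed by kubectl diff
        *) echo "kubectl diff failed (exit $_diff_rc): $_manifest" >&2
           return 3 ;;  # never apply a manifest that could not be diffed
    esac
    # ASSUME_YES=1 skips the prompt (hypothetical switch for unattended runs)
    if [ "${ASSUME_YES:-0}" != 1 ]; then
        printf 'Apply %s? [y/N] ' "$_manifest"
        read -r _answer || _answer=
        case $_answer in
            y|Y) ;;
            *) echo "skipped: $_manifest"; return 2 ;;
        esac
    fi
    k apply -f "$_manifest"
}

# Usage, one lab step at a time:
#   review_and_apply kubernetes/standalone-v2.yml
```
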