Notes and lab instructions for running Splunk in Kubernetes using splunk-operator.
Presented at OCD Splunk Pub #3 on 2021-10-08.

- Deploy a `Standalone` instance and service
- Reconfigure the `Standalone` instance
- Deploy an `IndexerCluster`
- Reconfigure the `Standalone` to search the `IndexerCluster`

Instructions tested on Ubuntu 20.04 with microk8s installed using `snap`.

- Follow official install instructions for microk8s
- Enable features:

  ```shell
  microk8s enable dns storage
  ```

- Create a namespace for this lab:

  ```shell
  microk8s kubectl create namespace splunkpub
  ```

- Install splunk-operator in the `splunkpub` namespace:

  ```shell
  microk8s kubectl --namespace splunkpub apply -f https://github.com/splunk/splunk-operator/releases/download/1.0.2/splunk-operator-install.yaml
  ```

Run the commands like below, but not all at once! Pause to view outputs of `kubectl get`, check `kubectl logs`, and monitor the status of Splunk before moving on to the next step. Also, check changes with `kubectl diff` before applying.

- Alias `kubectl` in your shell to microk8s and the namespace:

  ```shell
  alias kubectl="microk8s kubectl --namespace splunkpub"
  ```

- Deploy a `Standalone` instance and service:

  ```shell
  kubectl apply -f kubernetes/standalone-v1.yml
  kubectl apply -f kubernetes/service.yml
  ```

  The service manifest will map the Splunk web and REST ports like this:

  - Standalone: 30800 to web, 30890 to REST
  - Monitoring Console: 30801 to web, 30891 to REST

- Get Splunk password from secret:

  ```shell
  kubectl get secret splunk-s1-standalone-secret-v1 --template={{.data.password}} | base64 -d
  ```

- Reconfigure the `Standalone` instance and deploy an app to it:

  ```shell
  kubectl apply -f kubernetes/standalone-v2.yml
  ```

- Deploy an `IndexerCluster` with two peers:

  ```shell
  kubectl apply -f kubernetes/indexercluster.yml
  ```

- Reconfigure the `Standalone` instance to search the `IndexerCluster`:

  ```shell
  kubectl apply -f kubernetes/standalone-v3.yml
  ```
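
The advice above to check `kubectl diff` before applying can be scripted. This is an added example, not part of the original lab repository: a wrapper that shows the diff, handles the exit codes of `kubectl diff` (0 no change, 1 change, greater than 1 error) and applies only after confirmation. The names `KUBECTL`, `ASSUME_YES`, `classify_diff` and `review_and_apply` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: gate `kubectl apply` behind a reviewed `kubectl diff`.
# KUBECTL is an assumed override hook; the default mirrors the lab's alias.
KUBECTL="${KUBECTL:-microk8s kubectl --namespace splunkpub}"

# classify_diff MANIFEST
# Prints the diff; returns 0 = no change, 1 = change pending, 2 = diff failed.
# kubectl diff exits 0 when live and local state match, 1 when they differ,
# and >1 when kubectl or the diff program failed.
classify_diff() {
    manifest=$1
    rc=0
    # "|| rc=$?" keeps a non-zero exit from aborting callers that use `set -e`.
    # $KUBECTL is deliberately unquoted so it splits into command + arguments.
    $KUBECTL diff -f "$manifest" || rc=$?
    case $rc in
        0|1) return "$rc" ;;
        *)   echo "kubectl diff failed for $manifest (exit $rc)" >&2; return 2 ;;
    esac
}

# review_and_apply MANIFEST
# Applies only when a change is pending and the operator confirms it.
# Returns 0 = applied or nothing to do, 2 = diff failed, 3 = declined.
# ASSUME_YES=1 (assumed knob for this example) skips the prompt.
review_and_apply() {
    manifest=$1
    state=0
    classify_diff "$manifest" || state=$?
    case $state in
        0) echo "no changes: $manifest"; return 0 ;;
        1) ;;  # change pending: fall through to confirmation
        *) return 2 ;;
    esac
    if [ "${ASSUME_YES:-0}" != 1 ]; then
        printf 'Apply %s? [y/N] ' "$manifest"
        read -r answer || answer=n   # EOF or closed stdin counts as "no"
        [ "$answer" = y ] || { echo "skipped: $manifest"; return 3; }
    fi
    $KUBECTL apply -f "$manifest"
}
```

Source the file and run `review_and_apply kubernetes/standalone-v2.yml` in place of the bare `kubectl apply` for each step.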