Splunk officially supported installation platforms
Splunk Enterprise contains many settings that allow customers to tailor their Splunk environment. Because not all settings apply to all customers, Splunk will only support the most common subset of all configurations. Below is a list of supported platforms and base operating systems. Please check back periodically as our support matrix will expand over time. Throughout this document, the term "Supported" means you can contact Splunk Support for assistance with issues. In the following conditions, Splunk Support reserves the right to deem your installation in an unsupported state and not provide assistance when issues arise:
- You do not have an active support contract
- You are running Splunk Enterprise / Splunk Universal Forwarder in a container on a platform not officially supported by Splunk
- You are using features not officially supported by Splunk
In the event you fall into an unsupported state, you may find support on Splunk Answers, or through the open source communities found on GitHub for Splunk-Ansible or GitHub for Splunk-Docker.
Supported Operating Systems:
Linux kernel versions above 4.x.
Supported Docker Engine Versions:
- Docker Enterprise Engine 17.06.2 or later
- Docker Community Engine 17.06.2 or later
Note: Splunk Support does not provide assistance with the advanced usage of an operator such as the scale command. Splunk Support will only provide assistance with the functionality of running the container on the systems listed above, and cannot support setup and configuration of a service level object to be used for docker-compose or kubectl. Please consult the Docker or Kubernetes documentation regarding best practices for building services.
Note: Splunk Support only provides support for the single instance Splunk Validated Architectures (S-Type), Universal Forwarders and Heavy Forwarders. For all other configurations, please contact Splunk Professional Services.
Required Hardware
All instances must be at or above the minimum server specifications found in the Splunk installation manual. Additionally, the Docker container is currently limited to the following base installation chipsets:
- x86-64
- s390x (Universal Forwarder only)
Volumes used for persistence of the Splunk Enterprise data inside the Docker container must be one of the supported filesystems listed in the Splunk installation manual.
Prerequisites
- Install the appropriate Docker Engine for your operating system
- If you intend for the containerized Splunk Enterprise deployment to be supported by your Enterprise Support Agreement, you must verify you meet all of the above "supported" requirements. Failure to do so will render your deployment in an "unsupported" state.
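A preflight check for the requirements listed above, as an added example that is not part of Splunk's documentation or tooling. It assumes "above 4.x" means kernel major version 4 or later; the function names and the `splunk` image-kind label are hypothetical.

```shell
#!/bin/sh
# Added example: check a host against the support matrix on this page.

# version_ge A B: succeed if dotted version A >= B.
# Suffixes such as "-ce" or "-91-generic" are dropped before comparing, and
# awk compares fields numerically so "09" is not misread as octal.
version_ge() {
    awk -v a="${1%%[-+~]*}" -v b="${2%%[-+~]*}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# arch_supported ARCH IMAGE_KIND: x86-64 for any image, s390x only for the
# Universal Forwarder image.
arch_supported() {
    case "$1" in
        x86_64|x86-64|amd64) return 0 ;;
        s390x) [ "$2" = "universalforwarder" ] ;;
        *) return 1 ;;
    esac
}

# preflight KERNEL ARCH DOCKER_VERSION IMAGE_KIND
# Reports every failed requirement on stderr; returns 0 only if all pass.
preflight() {
    rc=0
    # Assumption: "above 4.x" is read as kernel 4.0 or later.
    version_ge "$1" 4.0      || { echo "kernel $1: below 4.x" >&2; rc=1; }
    arch_supported "$2" "$4" || { echo "arch $2: not supported for $4" >&2; rc=1; }
    version_ge "$3" 17.06.2  || { echo "Docker Engine $3: below 17.06.2" >&2; rc=1; }
    return "$rc"
}

# Constructed sample values, not output from a real host.
preflight 5.15.0-91-generic x86_64 20.10.7 universalforwarder && echo "supported"
preflight 3.10.0-1160.el7.x86_64 s390x 17.03.2-ce splunk || echo "unsupported"
```

On a real host, the arguments would come from `uname -r`, `uname -m` and `docker version --format '{{.Server.Version}}'`.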
Install Splunk Universal Forwarder Docker container
Download the required image to your local Docker image library.
$ docker pull store/splunk/universalforwarder:7.3
Starting Splunk Universal Forwarder Docker container
The Splunk Universal Forwarder is started in a similar way to Splunk Enterprise:
$ docker run -d -p 9997:9997 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<password>' store/splunk/universalforwarder:7.3
The Splunk Universal Forwarder however does not have a GUI, so you will not be able to access it through a web interface.
Instead, you can access the container directly by using the docker exec command. After the container is in a "healthy" state, run the following:
$ docker exec -it <container-id> /bin/bash
splunk@<container-id>:/$
You are now logged into the container as the splunk user. Please see "Configure the Universal Forwarder" in the Splunk Forwarder Manual for more information on configuring the Splunk Universal Forwarder.
Get help and support
If you have questions or need support, you can:
- Post a question to Splunk Answers
- Join the Splunk Slack channel
- Visit the #splunk channel on EFNet Internet Relay Chat
- Send an email to docker-maint@splunk.com
Please also see our troubleshooting documentation.