Deploying Splunk Enterprise with Nomad
I was recently asked to work on some integration pieces between Terraform and Splunk. Luckily, Splunk publishes a Docker container image that handles all the work that would otherwise go into deploying a VM, updating it, installing Splunk, and performing the initial configuration.
Docker containers are an incredibly easy way to set up many types of environments. With a couple of simple commands, a ready-to-use environment can be deployed. Normally, I’ve used containers to stand up consistent and repeatable development environments. The PowerShell, PowerCLI, Python, and even Terraform images have come in quite handy and allowed me to keep my local laptop semi-chaos free. Instead of having to manage the different versions, builds, modules and all their dependencies, I transitioned to managing different Docker images and image files. Insert the need for a workload orchestrator!
I found Nomad to be one of the easiest methods of standing up a workload orchestrator, since it’s now available through most package managers. An example walkthrough of the install process is available on the HashiCorp Learn site.
At that point, I just needed to create the job specification. The job spec loosely resembles a Docker image file mixed with some Nomad configuration. The following configuration is what I found worked best for my purposes:
# Nomad job spec for a single Splunk Enterprise container.
# Uses the older syntax where the network stanza sits inside resources
# and port_map inside the docker config block.
job "splunkEnt" {
  datacenters = ["dc1"]

  group "splunk" {
    count = 1

    task "splunk" {
      resources {
        cpu    = 400   # MHz
        memory = 2048  # MB

        network {
          # Static host ports so each Splunk endpoint is reachable at a fixed address.
          port "web" {
            static = 8000   # Splunk Web UI
          }
          port "event" {
            static = 8088   # HTTP Event Collector
          }
          port "mgmt" {
            static = 8089   # management / REST API
          }
          port "data" {
            static = 9997   # forwarder data input
          }
        }
      }

      driver = "docker"

      env {
        SPLUNK_START_ARGS = "--accept-license"
        # Placeholder admin password; set a strong value before deploying.
        SPLUNK_PASSWORD   = "password"
      }

      config {
        image = "splunk/splunk:latest"
        # Map the container ports onto the labelled host ports declared above.
        port_map {
          web   = 8000
          event = 8088
          mgmt  = 8089
          data  = 9997
        }
      }
    }
  }
}
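Before handing a job file like this to Nomad it is worth running a few sanity checks on it. The script below is an added example, not from the original post and not a Nomad or Splunk tool. It reads an embedded, constructed copy of the job spec above using simple regular expressions (not a real HCL parser) and reports an image tag that is missing or set to latest, an admin password hard-coded in the env stanza (and whether it matches a weak or default value), and any mismatch between the port labels in the network stanza and the keys in port_map, which is an easy typo to make when the two lists are maintained by hand.

```python
"""Sanity-check a Nomad job spec for a Splunk container before submitting it."""
import re

# Constructed copy of the job spec from the post, embedded so the check runs offline.
JOB_SPEC = '''
job "splunkEnt" {
  datacenters = ["dc1"]
  group "splunk" {
    count = 1
    task "splunk" {
      resources {
        cpu    = 400
        memory = 2048
        network {
          port "web"   { static = 8000 }
          port "event" { static = 8088 }
          port "mgmt"  { static = 8089 }
          port "data"  { static = 9997 }
        }
      }
      driver = "docker"
      env {
        SPLUNK_START_ARGS = "--accept-license"
        SPLUNK_PASSWORD   = "password"
      }
      config {
        image = "splunk/splunk:latest"
        port_map {
          web   = 8000
          event = 8088
          mgmt  = 8089
          data  = 9997
        }
      }
    }
  }
}
'''

# Values an admin password must never be (constructed list; "changeme" was Splunk's historical default).
WEAK_PASSWORDS = {"password", "changeme", "admin", "splunk"}


def find_env(spec):
    """Return KEY -> value for every KEY = "value" line inside env { } blocks."""
    env = {}
    for block in re.findall(r'env\s*\{(.*?)\}', spec, re.S):
        for key, val in re.findall(r'(\w+)\s*=\s*"([^"]*)"', block):
            env[key] = val
    return env


def find_image(spec):
    """Return the docker image reference, or None if the spec has none."""
    match = re.search(r'image\s*=\s*"([^"]+)"', spec)
    return match.group(1) if match else None


def find_port_labels(spec):
    """Return the port labels declared in the network stanza, in order."""
    return re.findall(r'port\s*"(\w+)"\s*\{', spec)


def find_port_map(spec):
    """Return the labels used as keys in the port_map block, in order."""
    match = re.search(r'port_map\s*\{(.*?)\}', spec, re.S)
    return re.findall(r'(\w+)\s*=\s*\d+', match.group(1)) if match else []


def find_static_ports(spec):
    """Return all static host ports, sorted."""
    return sorted(int(p) for p in re.findall(r'static\s*=\s*(\d+)', spec))


def lint_job_spec(spec):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    image = find_image(spec)
    if image is None:
        findings.append("no docker image configured")
    else:
        name_part = image.rsplit("/", 1)[-1]  # drop registry/namespace before looking for a tag
        tag = name_part.split(":", 1)[1] if ":" in name_part else ""
        if tag in ("", "latest"):
            findings.append(f"image {image!r} is not pinned to a specific tag")

    password = find_env(spec).get("SPLUNK_PASSWORD")
    if password is not None:
        if password.lower() in WEAK_PASSWORDS or len(password) < 8:
            findings.append("SPLUNK_PASSWORD is a weak or default value")
        findings.append("SPLUNK_PASSWORD is hard-coded in plaintext in the job spec")

    labels, mapped = set(find_port_labels(spec)), set(find_port_map(spec))
    for label in sorted(labels - mapped):
        findings.append(f"network port {label!r} has no port_map entry")
    for label in sorted(mapped - labels):
        findings.append(f"port_map entry {label!r} has no matching network port")

    return findings


if __name__ == "__main__":
    for finding in lint_job_spec(JOB_SPEC):
        print("-", finding)
```

Run against the spec from the post it reports the unpinned image and the placeholder password; rename one port_map key and it also reports the orphaned label on each side. Because it is regex-based it will not cope with nested braces inside env or port_map blocks, which is fine for a job file of this shape but not a substitute for nomad job validate.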
Here’s an example of what it looked like from the Nomad console: