While attending the second week of the two-week Splunk Certified Consultant 2 (SCC2) training program, I was fortunate enough to have a conversation with one of the other attendees. The nugget I gleaned from the conversation was about a project called Splunk n’ a Box, and it’s *free*.
As any curious consultant would, I had a look at it and all I can say is wow, what a cool idea. This article will discuss what Splunk n’ a Box is, where to get it, and explore ways to use it.
What is Splunk n’ a Box?
Splunk n’ a Box is a 6000+ line bash script that one can use to provision an entire Splunk lab environment in a matter of minutes. It is deployed using Docker, a tool that creates, deploys, and runs an application by packaging up all the parts it needs and shipping them out as a single package. From a professional services point of view, this is awesome since I can create a Splunk lab environment to match most client production environments.
If you’ve never heard of Splunk n’ a Box you may be thinking “Yeah, right”…
It’s true! You can provision Search Head Clusters, Indexing Clusters, Splunk-to-Splunk instances, and pretty much any other kind of Splunk instance you can come up with – no $100k+ hardware price tag required. The environments can be run on a variety of platforms: Mac OS X, Windows 10, Linux (Ubuntu), and AWS EC2.
Here is a sample hardware scenario from the author of Splunk n’ a Box (Mohamad Hassan):
“I was able to create 80 hosts (4 site-2-site cluster 20IDX 3SH each) on a single Intel NUC Skull device (i7 32GB 1TB SSD). Load Avg shot to 20 during the build but went down to 6 once the cluster stabilized.”
By the way, a big thank you to Mohamad! This is awesome. A few clarifications:
1. What is a NUC?
Answer: Next Unit of Computing (NUC). NUC is a small-form-factor personal computer designed by Intel.
2. Can I install and run this on a USB stick?
Answer: You sure can! The directions to install on a USB drive are here.
What happens behind the scenes with Splunk n’ a Box?
Behind the scenes (very condensed synopsis, see the Splunk n’ a Box site for all the details):
No manual Splunk installation or manual clustering commands are needed to spin up these environments. One can spin up a Docker image running specific configurations by simply selecting a menu option.
The following table describes the build environments versus the typical number of commands to complete the task and the time to complete the build.
SH: Search Head
DS: Deployment Server
LM: License Master
CM: Cluster Master
DEP: Search Head Cluster Deployer
HF: Heavy Forwarder
UF: Universal Forwarder
DMC: Distributed Management Console (renamed Monitoring Console in Splunk 6.5)
Okay, I’m Going to Try This!!
My first time firing up the script was flawless. I now had an “All in One” Splunk instance in under 10 minutes from install to up and running.
This is great. I can now test any data ingestion, upgrade, or whatever scenario I require right on my own laptop. I can even share the environment if I install on Linux (Ubuntu preferred), or on an AWS EC2 instance for a larger, sustainable lab for a classroom or a lunch-and-learn.
Ok, looks good so far…
Logged in and voila, I have a brand new Splunk test machine! Nice!
Cool! Now that the environment is up and running, I want to get to the underlying Splunk configurations in order to install Splunk technology add-ons (TAs), applications, custom parsing for log ingestion, etc.
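As an added example (not part of the original post or of the Splunk n’ a Box project), here is a small bash helper for that step: it sanity-checks a locally built add-on directory, then copies it into one of the lab containers and restarts Splunk there. The container name and the /opt/splunk path inside the container are assumptions; check both against `docker ps` and your lab before using it.

```shell
# Added example, not Splunk n' a Box code. Assumes the lab containers are
# visible to `docker ps` and that Splunk lives at /opt/splunk inside them.
set -euo pipefail

SPLUNK_HOME=/opt/splunk

# Sanity-check an add-on directory before shipping it into the lab:
# Splunk only recognises an app that carries default/app.conf, and a stray
# local/ directory usually means developer-specific overrides leaked in.
validate_app_dir() {
    local app_dir="$1"
    [ -d "$app_dir" ] || { echo "not a directory: $app_dir" >&2; return 1; }
    [ -f "$app_dir/default/app.conf" ] || {
        echo "missing default/app.conf in $app_dir" >&2; return 1; }
    if [ -d "$app_dir/local" ]; then
        echo "warning: $app_dir/local exists; the lab will inherit those overrides" >&2
    fi
    return 0
}

# List running containers so the operator can pick the right lab instance.
list_lab_containers() {
    docker ps --format '{{.Names}}\t{{.Image}}\t{{.Status}}'
}

# Copy the add-on into $SPLUNK_HOME/etc/apps of the chosen container and
# restart Splunk so props.conf/transforms.conf changes are re-read.
install_app() {
    local app_dir="$1" container="$2"
    validate_app_dir "$app_dir"
    docker cp "$app_dir" "$container:$SPLUNK_HOME/etc/apps/$(basename "$app_dir")"
    docker exec "$container" "$SPLUNK_HOME/bin/splunk" restart
}

# Usage against a live lab (container name is a placeholder):
# list_lab_containers
# install_app ./TA-mycustomlogs splunk-sh01
```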
Time to go play with my new toy! (and remember, it’s free)
Aditum’s Splunk Professional Services consultants can assist your team with best practices to optimize your Splunk deployment and get more from Splunk.
Our certified Splunk Architects and Splunk Consultants manage successful Splunk deployments, environment upgrades and scaling, dashboard, search, and report creation, and Splunk Health Checks. Aditum also has a team of accomplished Splunk Developers that focus on building Splunk apps and technical add-ons.
Contact us directly to learn more.