Deploying Splunk Enterprise with Nomad

I was recently asked to work on some integration pieces between Terraform and Splunk. Luckily, Splunk has a Docker container image that handles all the work of deploying a VM, updating it, installing Splunk, and performing the initial configurations.

Docker containers are an incredibly easy way to set up many types of environments. With a couple of simple commands, a ready-to-use environment can be deployed. Normally, I’ve used containers to stand up consistent and repeatable development environments. The PowerShell, PowerCLI, Python, and even Terraform images have come in quite handy and allowed me to keep my local laptop semi-chaos free. Instead of having to manage the various versions, builds, modules and all their dependencies, I transitioned to managing different Docker images and image files. Insert the need for a workload orchestrator!

I found Nomad to be one of the easiest methods of standing up a workload orchestrator, since it’s now available through most package managers. An example walkthrough of the install process is available on the HashiCorp Learn site.

At that point, I just needed to create the job specification. The job spec loosely resembles a Dockerfile mixed with some Nomad configuration: the task pulls the Splunk image, exposes the web, HEC event, management and forwarder data ports as static host ports, and passes the initial admin password and license acceptance through environment variables. The following configuration is what I found worked best for my purposes:

job "splunkEnt" {
  # The datacenter list was cut off in the original; "dc1" (Nomad's default) is assumed here.
  datacenters = ["dc1"]

  group "splunk" {
    count = 1

    task "splunk" {
      driver = "docker"

      resources {
        cpu    = 400
        memory = 2048

        # Static host ports: each one is reachable on the client node's address.
        network {
          port "web" {
            static = 8000
          }
          port "event" {
            static = 8088
          }
          port "mgmt" {
            static = 8089
          }
          port "data" {
            static = 9997
          }
        }
      }

      env {
        SPLUNK_START_ARGS = "--accept-license"
        # Literal admin password as in the original; outside a lab, inject it from Vault
        # or a template stanza rather than committing it to the job file.
        SPLUNK_PASSWORD   = "password"
      }

      config {
        image = "splunk/splunk:latest"
        port_map {
          web   = 8000
          event = 8088
          mgmt  = 8089
          data  = 9997
        }
      }
    }
  }
}

Here’s an example of what it looked like from the Nomad console: [Image: Nomad UI with Splunk job running]
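Before submitting a spec like the one above, it is worth a quick pre-flight check for the three settings that bite in practice: an unpinned `:latest` image, a literal admin password in the env stanza (the job definition is stored on the servers and visible in the UI), and static host ports that need a firewall rule. The following linter is an added example, not code from the original post or from HashiCorp; the embedded job spec is a constructed, reduced copy of the one above, and the `SPLUNK_HEC_TOKEN` key is an extra secret-bearing variable assumed for generality.

```python
import re

# Constructed sample: the post's job spec, reduced to the stanzas the checks inspect.
SAMPLE_JOB_SPEC = '''
job "splunkEnt" {
  group "splunk" {
    task "splunk" {
      driver = "docker"
      resources {
        network {
          port "web"  { static = 8000 }
          port "mgmt" { static = 8089 }
        }
      }
      env {
        SPLUNK_START_ARGS = "--accept-license"
        SPLUNK_PASSWORD   = "password"
      }
      config {
        image = "splunk/splunk:latest"
      }
    }
  }
}
'''

# Env keys that should never appear as literals in a committed job file (SPLUNK_HEC_TOKEN assumed).
SECRET_KEYS = ("SPLUNK_PASSWORD", "SPLUNK_HEC_TOKEN")

def lint_job_spec(spec: str) -> list[str]:
    """Return a list of findings for risky settings in a Nomad job spec."""
    findings = []
    # 1. Unpinned container image: ":latest" or no tag makes the deployment non-reproducible.
    for m in re.finditer(r'image\s*=\s*"([^"]+)"', spec):
        image = m.group(1)
        if ":" not in image or image.endswith(":latest"):
            findings.append(f"unpinned image {image!r}: pin a version tag or digest")
    # 2. Literal secrets in env; a "${...}" value means it is interpolated, which is fine.
    for key in SECRET_KEYS:
        for m in re.finditer(rf'{key}\s*=\s*"([^"]*)"', spec):
            if not m.group(1).startswith("${"):
                findings.append(f"hard-coded {key}: inject it via a template/Vault stanza")
    # 3. Static host ports: each is bound on the client's address and needs a firewall/ACL rule.
    for m in re.finditer(r'port\s+"(\w+)"\s*\{\s*static\s*=\s*(\d+)', spec):
        findings.append(f"static host port {m.group(2)} ({m.group(1)}): confirm host firewall/ACL")
    return findings

if __name__ == "__main__":
    for finding in lint_job_spec(SAMPLE_JOB_SPEC):
        print("-", finding)
```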