While attending the second week of the two-week Splunk Certified Consultant 2 (SCC2) training program, I was fortunate enough to have a conversation with one of the other attendees. The nugget I gleaned from the conversation was about a project called Splunk n’ a Box, and it’s *free*.
As any curious consultant would, I had a look at it and all I can say is wow, what a cool idea. This article will discuss what Splunk n’ a Box is, where to get it and explore ways to use it.
What is Splunk n’ a Box?
Splunk n’ a Box is a 6000+ line bash script that stands up an entire Splunk lab environment in a matter of minutes. It is built on Docker, which packages an application together with everything it needs to run and ships it as a single container image. From a professional services point of view, this is awesome: I can create a Splunk lab environment that matches most client production environments.
If you’ve never heard of Splunk n’ a Box you may be thinking “Yeah, right”…
It’s true! You can provision Search Head Clusters, Indexer Clusters, Splunk-to-Splunk setups, and pretty much any other kind of Splunk instance you can come up with, with no $100k+ hardware price tag required. The environments can be run on a variety of platforms: Mac OS X, Windows 10, Linux (Ubuntu), and AWS EC2.
Here is a sample hardware scenario from the author of Splunk n’ a Box (Mohamad Hassan):
“I was able to create 80 hosts (4 site-2-site clusters, 20 IDX and 3 SH each) on a single Intel NUC Skull device (i7, 32GB, 1TB SSD). Load Avg shot to 20 during the build but went down to 6 once the cluster stabilized.”
By the way, a big thank you, Mohamad! This is awesome. A few clarifications:
1. What is a NUC?
Answer: Next Unit of Computing (NUC), a small-form-factor personal computer designed by Intel.
2. Can I install and run this on a USB stick?
Answer: You sure can! The directions for installing on a USB drive are in the Splunk n’ a Box documentation.
What happens behind the scenes with Splunk n’ a Box?
Behind the scenes (very condensed synopsis, see the Splunk n’ a Box site for all the details):
No manual Splunk installation or manual clustering commands are needed to spin up these environments. One can spin up Docker containers running a specific configuration simply by selecting a menu option.
The following table compares each build environment with the number of commands it would typically take to build it by hand and the time the script needs to complete the build.
Key to the abbreviations used in the table:
IDX: Indexer
SH: Search Head
DS: Deployment Server
LM: License Master
CM: Cluster Master
DEP: Search Head Cluster Deployer
HF: Heavy Forwarder
UF: Universal Forwarder
DMC: Distributed Management Console (renamed Monitoring Console in Splunk 6.5)
Okay, I’m Going to Try This!!
My first time firing up the script was flawless. I had an “All in One” Splunk instance up and running in under 10 minutes from install to login.
This is great. I can now test any data ingestion, upgrade, or whatever scenario I require right on my own laptop. I can even share the environment by installing it on Linux (Ubuntu preferred) or on an AWS EC2 instance, which gives a larger, longer-lived lab for a classroom or a lunch and learn. One caveat for the EC2 case: a lab built this quickly still carries default settings, so restrict the instance’s security group so that Splunk Web (port 8000 by default) and the management port (8089 by default) are reachable only from your learners’ addresses, and change the default admin password before anyone else logs in.
OK, looks good so far…
Logged in and voilà, I have a brand new Splunk test machine! Nice!
Cool! Now that the environment is up and running, I want to get to the underlying Splunk configurations in order to install Splunk technology add-ons (TAs), applications, custom parsing for log ingestion, etc.
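Because each Splunk instance is a Docker container, getting at its configuration means copying files into the container rather than onto a host. The script below is an added example written for this article; it is not part of Splunk n’ a Box and does not come from its author. It assumes the container name is whatever `docker ps` shows for the instance you built, that Splunk inside the container lives at /opt/splunk (Splunk’s default SPLUNK_HOME; override it if the image differs), and that the TA is an unpacked directory on the host. It also includes a SHA-256 check so that a TA pulled off the web can be verified against its published digest before it goes anywhere near the lab, and a DRY_RUN switch that prints the docker commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of Splunk n' a Box: install a Splunk TA into a
# running container and restart Splunk. Assumptions (not from the article):
#   - Splunk lives at /opt/splunk inside the container (Splunk's default
#     SPLUNK_HOME; set SPLUNK_HOME=... in the environment if the image differs)
#   - the container name (as shown by `docker ps`) is the first argument
#   - the TA is an unpacked directory on the host, e.g. ./Splunk_TA_nix
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the docker commands instead of running them

# run_or_echo: execute the command, or just print it when DRY_RUN=1.
run_or_echo() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# ta_name: the app directory name is the last component of the host path;
# reject empty, "." and ".." so a bad argument cannot place the copy
# anywhere other than directly under $SPLUNK_HOME/etc/apps.
ta_name() {
  n=$(basename -- "$1")
  case "$n" in
    ''|.|..) return 1 ;;
  esac
  printf '%s\n' "$n"
}

# verify_sha256: compare a downloaded TA package against the digest published
# with it before unpacking it (basic supply-chain hygiene for anything fetched
# from the web).  $1 = file, $2 = expected hex SHA-256.
verify_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum -- "$1" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
  fi
  [ "$actual" = "$2" ]
}

# install_ta: copy the TA into the container's apps directory and restart
# Splunk so its inputs/props/transforms are loaded.
#   $1 = container name, $2 = host directory holding the TA
install_ta() {
  [ -d "$2" ] || { echo "not a directory: $2" >&2; return 1; }
  name=$(ta_name "$2") || { echo "refusing TA name: $2" >&2; return 1; }
  run_or_echo docker cp "$2" "$1:$SPLUNK_HOME/etc/apps/$name"
  run_or_echo docker exec "$1" "$SPLUNK_HOME/bin/splunk" restart
}

# Usage (take the container name from `docker ps`):
#   DRY_RUN=1 ./install_ta.sh splunk1 ./Splunk_TA_nix   # show what would run
#   ./install_ta.sh splunk1 ./Splunk_TA_nix             # do it
if [ "$#" -eq 2 ]; then
  install_ta "$1" "$2"
fi
```

Run it once with DRY_RUN=1 to confirm the container name and target path before letting it touch the lab; `docker cp` into a path that does not yet exist creates the directory with the TA’s contents, so the app directory name comes straight from the host path, which is why the name check refuses `.` and `..`.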
Time to go play with my new toy! (and remember, it’s free)
SP6 is a Splunk consulting firm focused on Splunk professional services, including Splunk deployment, ongoing Splunk administration, and Splunk development. SP6 also has a separate division that offers Splunk recruitment and the placement of Splunk professionals into direct-hire (FTE) roles for companies that need help acquiring their own full-time staff in today’s tight market.