BoredHackerBlog/docker-compose.yml

## docker-compose.yml
version: "3.6"

services:
  so1:
    image: splunk/splunk:latest
    container_name: so1
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=password
      - SPLUNK_LICENSE_URI=Free
      - SPLUNK_HEC_TOKEN=abcd1234
    ports:
      - 8000:8000
      - 8088:8088
    volumes:
      - ./var:/opt/splunk/var #var and etc can be zipped and backed up
      - ./etc:/opt/splunk/etc

## vector.toml
[sources.events]
type = "file"
include = [ "/home/research/bulk_events.json" ]
data_dir = "/tmp/vector/"
read_from = "beginning"

[transforms.events_json]
type = "remap"
inputs = [ "events" ]
source = ". = parse_json!(.message)"

[sinks.splunk]
type = "splunk_hec_logs"
inputs = [ "events_json" ]
endpoint = "https://10.0.0.2:8088"
default_token = "abcd1234"
index = "win"
sourcetype = "mitre"
tls.verify_certificate=false
encoding.codec = "json"
	version: "3.6"

	services:
	so1:
	image: splunk/splunk:latest
	container_name: so1
	environment:
	- SPLUNK_START_ARGS=--accept-license
	- SPLUNK_PASSWORD=password
	- SPLUNK_LICENSE_URI=Free
	- SPLUNK_HEC_TOKEN=abcd1234
	ports:
	- 8000:8000
	- 8088:8088
	volumes:
	- ./var:/opt/splunk/var #var and etc can be zipped and backed up
	- ./etc:/opt/splunk/etc
	[sources.events]
	type = "file"
	include = [ "/home/research/bulk_events.json" ]
	data_dir = "/tmp/vector/"
	read_from = "beginning"

	[transforms.events_json]
	type = "remap"
	inputs = [ "events" ]
	source = ". = parse_json!(.message)"

	[sinks.splunk]
	type = "splunk_hec_logs"
	inputs = [ "events_json" ]
	endpoint = "https://10.0.0.2:8088"
	default_token = "abcd1234"
	index = "win"
	sourcetype = "mitre"
	tls.verify_certificate=false
	encoding.codec = "json"