docker splunk forwarder

Dockerfile

FROM ubuntu:trusty

# make the "en_US.UTF-8" locale so splunk will be utf-8 enabled by default
RUN apt-get update && apt-get install -y locales wget \
    && localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8

#Install Splunk
RUN wget -qO splunkforwarder.deb http://download.splunk.com/releases/6.2.3/universalforwarder/linux/splunkforwarder-6.2.3-264376-linux-2.6-amd64.deb -o splunkforwarder.deb \
    && dpkg -i splunkforwarder.deb \
    && rm splunkforwarder.deb

EXPOSE 8089/tcp 1514 8088/tcp

COPY ./splunk-entrypoint.sh /
RUN chmod +x /splunk-entrypoint.sh

ENTRYPOINT ["/splunk-entrypoint.sh"]
CMD ["start-monitor"]

splunk-entrypoint.sh

#!/bin/bash
set -e

if [ "$1" = 'start-monitor' ]; then
  if [ -f /opt/splunkforwarder/bin/splunk ]; then
    # Start Client
    if [ ! -f /etc/init.d/splunk ]; then
      /opt/splunkforwarder/bin/splunk start --answer-yes --no-prompt --accept-license
      /opt/splunkforwarder/bin/splunk enable boot-start
      trap "/opt/splunkforwarder/bin/splunk stop" SIGINT SIGTERM EXIT
    fi

    # Add Forward Address
    if [ ! -f /root/splunk_client.rc ]; then
      /opt/splunkforwarder/bin/splunk add forward-server my.splunkserver.com:9997 \
        -auth admin:changeme
      echo "Forwarder Added" > /root/splunk_client.rc
    fi

    # Add monitors
    for dir in /logs/* ; do
        dir=${dir%*/}
        dir=${dir##*/}
        if [ -d /logs/${dir} ]; then
          if [[ ! $(/opt/splunkforwarder/bin/splunk list monitor -auth admin:changeme | grep /logs/${dir}) ]]; then
            /opt/splunkforwarder/bin/splunk add monitor /logs/${dir}/ \
              -index ${dir} -sourcetype service_logs \
              -auth admin:changeme
          fi
        fi
    done

    tail -n 0 -f /opt/splunkforwarder/var/log/splunk/splunkd_stderr.log &
    wait
  fi
else
  "$@"
fi