How to run Splunk Enterprise on Ubuntu ARM
Splunk Enterprise doesn’t ship ARM builds, which makes installation tricky on Apple Silicon systems running ARM‑based Linux VMs. If you try to install Splunk directly on Ubuntu ARM, you’ll hit architecture errors immediately. But there’s a clean workaround: run Splunk inside a Docker container using x86_64 emulation.
This guide walks through the exact steps needed to get Splunk Enterprise running smoothly on an Ubuntu 24.04 ARM virtual machine inside VMware Fusion on Apple Silicon.
Why This Setup Is Needed
Splunk Enterprise is x86_64 only
Ubuntu 24.04 ARM cannot run x86 binaries natively
Docker on ARM Linux does not include x86 emulation by default
We enable emulation using QEMU + binfmt
Then we run Splunk’s official x86_64 container with persistent volumes
Once configured, Splunk runs reliably and performs well enough for labs, testing, and learning.
1. Install Docker on Ubuntu 24.04 ARM
Docker runs natively on ARM, so installation is straightforward.
bash
sudo apt update
sudo apt install -y ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
Enable Docker:
bash
sudo systemctl enable --now docker
(Optional) Allow your user to run Docker without sudo. Membership in the docker group is effectively root on the host, so add only accounts you trust:
bash
sudo usermod -aG docker $USER
Log out and back in.
2. Enable x86_64 Emulation Using QEMU
Ubuntu ARM cannot run x86 containers until we install binfmt handlers.
The modern, maintained method is:
bash
sudo docker run --privileged --rm tonistiigi/binfmt --install all
This registers QEMU emulators for multiple architectures, including:
linux/amd64
linux/amd64/v2
qemu-x86_64
Once this step is complete, Docker can run x86_64 containers transparently.
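Before moving on, it helps to confirm that the handler really is registered. The script below is an added example, not part of the original guide: it parses the kernel's binfmt_misc entry and reports whether emulation is usable from containers. The function names, the RUN_LIVE switch and the sample entry are assumptions made for illustration; the entry path is the standard location for the qemu-x86_64 handler listed above.

```bash
#!/usr/bin/env bash
# Added example: check the x86_64 binfmt_misc handler before starting Splunk.

# Parse one binfmt_misc entry (the format of /proc/sys/fs/binfmt_misc/<name>)
# and print a one-word verdict: ok, missing, disabled, or no-fix-binary.
binfmt_verdict() {
    entry="${1:-/proc/sys/fs/binfmt_misc/qemu-x86_64}"
    [ -r "$entry" ] || { echo missing; return 1; }

    state=$(sed -n '1p' "$entry")
    flags=$(sed -n 's/^flags:[[:space:]]*//p' "$entry")

    [ "$state" = "enabled" ] || { echo disabled; return 1; }
    # F (fix-binary): the kernel opens the interpreter at registration time,
    # so containers can use it even though qemu is absent from their rootfs.
    case "$flags" in
        *F*) echo ok ;;
        *)   echo no-fix-binary; return 1 ;;
    esac
}

# Print the interpreter path registered for the entry (empty if none).
binfmt_interpreter() {
    sed -n 's/^interpreter[[:space:]]*//p' "${1:-/proc/sys/fs/binfmt_misc/qemu-x86_64}" 2>/dev/null
}

# Constructed sample entry, so the parser can be exercised offline.
sample_entry() {
    cat <<'EOF'
enabled
interpreter /usr/bin/qemu-x86_64
flags: POCF
offset 0
magic 7f454c4602010100000000000000000002003e00
mask fffffffffffefe00fffffffffffffffffeffffff
EOF
}

# Live check on the VM: run with RUN_LIVE=1. It reuses the image from step 4;
# uname -m inside an emulated amd64 container reports x86_64, not aarch64.
if [ "${RUN_LIVE:-0}" = "1" ]; then
    echo "handler: $(binfmt_verdict) ($(binfmt_interpreter))"
    docker run --rm --platform linux/amd64 --entrypoint uname splunk/splunk:latest -m
fi
```

A verdict of missing or disabled after a reboot means the handlers were not re-registered; rerun the binfmt install command from this step.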
3. Create Persistent Volumes for Splunk
Splunk stores configuration and indexed data under /opt/splunk/etc and /opt/splunk/var.
Using Docker volumes ensures data survives container restarts.
bash
docker volume create splunk-etc
docker volume create splunk-var
4. Run Splunk Enterprise (x86_64) with Persistence
This is the exact command that works reliably on Ubuntu ARM:
bash
docker run \
--platform linux/amd64 \
-p 8000:8000 \
-p 8089:8089 \
-p 9997:9997 \
-e SPLUNK_START_ARGS="--accept-license" \
-e SPLUNK_GENERAL_TERMS=--accept-sgt-current-at-splunk-com \
-e SPLUNK_PASSWORD="Changeme123!" \
-v splunk-etc:/opt/splunk/etc \
-v splunk-var:/opt/splunk/var \
--name splunk \
-d splunk/splunk:latest
A few important notes:
--platform linux/amd64 forces x86_64 mode
SPLUNK_GENERAL_TERMS is required for newer Splunk builds
The password must meet Splunk’s complexity rules
5. Verify Splunk Is Running
Check logs:
bash
docker logs -f splunk
You should see Splunk initializing services and starting normally.
6. Access Splunk Web
Open your browser and go to:
Code
http://<your-ubuntu-vm-ip>:8000
Login:
Username: admin
Password: the one you set (e.g., Changeme123!)
You now have a fully functional Splunk Enterprise instance running on ARM hardware.
Final Thoughts
This setup is ideal for:
Learning Splunk
Building a home lab
Testing apps and dashboards
Forwarding logs from other systems
It avoids the limitations of ARM architecture by leveraging Docker’s ability to emulate x86_64. Once configured, the environment is stable and behaves just like a native Splunk installation.



