commit f77427fea8c82fa374fb5f5da35c460667c09945 Author: bpmcdevitt Date: Sat Jul 19 16:52:36 2025 -0500 Initial commit: Add Docker Compose Splunk testing environment Set up complete local Splunk instance with: - Splunk Enterprise container with web UI and HEC - Optional Universal Forwarder for log forwarding - Persistent volumes for data and configuration - Development documentation and configuration files 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude
diff --git a/.env b/.env
new file mode 100644
index 0000000..8a7eec7
--- /dev/null
+++ b/.env
@@ -0,0 +1,6 @@
+# Splunk Configuration
+SPLUNK_PASSWORD=admin123
+SPLUNK_HEC_TOKEN=00000000-0000-0000-0000-000000000000
+
+# Container Configuration
+COMPOSE_PROJECT_NAME=splunk_local
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..01415c3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,32 @@
+# Docker
+.env.local
+docker-compose.override.yml
+
+# Logs
+*.log
+logs/*.log
+
+# Splunk generated files
+*.idx
+*.dat
+*.tmp
+
+# OS generated files
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+
+# IDE files
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# Temporary files
+*.tmp
+*.bak
+*.backup
\ No newline at end of file
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 0000000..214ca07
--- /dev/null
+++ b/CLAUDE.md
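Review bot: `SPLUNK_PASSWORD` and `SPLUNK_HEC_TOKEN` in this file are never consumed: the docker-compose.yml hunk repeats the same literals in each service's `environment:` instead of interpolating them, so editing .env changes nothing except `COMPOSE_PROJECT_NAME`, which Compose reads on its own. The file is also committed with the admin password and HEC token in it, while the .gitignore hunk ignores only `.env.local`. The usual arrangement is a committed `.env.example` with placeholder values, `.env` listed in .gitignore, and the compose file reading `${SPLUNK_PASSWORD}` and `${SPLUNK_HEC_TOKEN}` so each secret lives in exactly one place.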
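Review bot: `*.tmp` is listed twice, once under "Splunk generated files" and again under "Temporary files", and `logs/*.log` is already matched by the `*.log` pattern two lines above it, so one entry of each pair can be dropped. The `.env` file committed in this same commit is not ignored here (only `.env.local` is); that point is raised on the .env hunk.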
@@ -0,0 +1,58 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+This is a Docker Compose-based local Splunk testing environment. The setup includes:
+- Splunk Enterprise instance for testing and development
+- Optional Universal Forwarder for log forwarding scenarios
+- Persistent data volumes for configuration and data retention
+
+## Common Commands
+
+### Docker Operations
+- Start Splunk: `docker-compose up -d`
+- Start with forwarder: `docker-compose --profile forwarder up -d`
+- Stop services: `docker-compose down`
+- Reset all data: `docker-compose down -v`
+- View logs: `docker-compose logs splunk`
+- Access Splunk shell: `docker-compose exec splunk bash`
+
+### Splunk Access
+- Web UI: http://localhost:8000 (admin/admin123)
+- HEC endpoint: http://localhost:8088
+- Management API: http://localhost:8089
+
+## Architecture
+
+### Service Structure
+- **splunk**: Main Splunk Enterprise container
+- **splunk_forwarder**: Optional Universal Forwarder (profile: forwarder)
+
+### Key Directories
+- `config/`: Splunk configuration files mounted to container
+- `logs/`: Directory for sample logs to be forwarded
+- Docker volumes: `splunk_etc`, `splunk_var` for data persistence
+
+### Ports
+- 8000: Splunk Web UI
+- 8088: HTTP Event Collector (HEC)
+- 8089: Splunk Management Port
+- 9997: Splunk2Splunk forwarding
+- 514/udp: Syslog input
+
+## Configuration Files
+
+- `docker-compose.yml`: Main service definitions
+- `.env`: Environment variables (passwords, tokens)
+- `config/default.yml`: Splunk default configuration
+- Volume mounts allow for persistent configuration across container restarts
+
+## Testing Workflows
+
+The environment is designed for:
+- Testing Splunk apps and configurations
+- Log ingestion and forwarding scenarios
+- Search and dashboard development
+- API integration testing with HEC
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f9622fa
--- /dev/null
+++ b/README.md
@@ -0,0 +1,53 @@
+# Splunk Local Testing Environment
+
+A Docker Compose setup for running a local Splunk instance for testing and development purposes.
+
+## Quick Start
+
+1. Start Splunk:
+ ```bash
+ docker-compose up -d
+ ```
+
+2. Access Splunk Web UI:
+ - URL: http://localhost:8000
+ - Username: admin
+ - Password: admin123
+
+3. Stop Splunk:
+ ```bash
+ docker-compose down
+ ```
+
+## Services
+
+### Splunk Enterprise
+- **Web UI**: http://localhost:8000
+- **HEC Endpoint**: http://localhost:8088
+- **Management Port**: 8089
+- **Splunk2Splunk**: 9997
+- **Syslog**: 514/udp
+
+### Universal Forwarder (Optional)
+To enable the Universal Forwarder for testing log forwarding:
+```bash
+docker-compose --profile forwarder up -d
+```
+
+## Configuration
+
+- Default credentials: admin/admin123
+- HEC Token: 00000000-0000-0000-0000-000000000000
+- Configuration files: `./config/`
+- Log directory: `./logs/`
+
+## Data Persistence
+
+Splunk data is persisted in Docker volumes:
+- `splunk_etc`: Splunk configuration
+- `splunk_var`: Splunk data and logs
+
+To reset all data:
+```bash
+docker-compose down -v
+```
\ No newline at end of file
diff --git a/config/default.yml b/config/default.yml
new file mode 100644
index 0000000..40778e9
--- /dev/null
+++ b/config/default.yml
@@ -0,0 +1,31 @@
+# Splunk default configuration
+# This file will be copied to /tmp/defaults in the container
+
+splunk:
+ conf:
+ user-seed:
+ content:
+ user_info:
+ USERNAME: admin
+ PASSWORD: admin123
+
+ # Enable HEC by default
+ inputs:
+ content:
+ http:
+ disabled: 0
+ port: 8088
+ enableSSL: 0
+
+ # Basic server configuration
+ server:
+ content:
+ general:
+ serverName: splunk_local
+
+ # Web configuration
+ web:
+ content:
+ settings:
+ enableSplunkWebSSL: false
+ httpport: 8000
\ No newline at end of file
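Review bot: The admin password now exists in three places — `PASSWORD: admin123` under `user-seed` here, `SPLUNK_PASSWORD` in docker-compose.yml, and `.env` — and this copy is the one that ends up as cleartext in a file bind-mounted into the container; either drop the `user-seed` block and let `SPLUNK_PASSWORD` seed the admin user, or use Splunk's `HASHED_PASSWORD` key (output of `splunk hash-passwd`) instead of `PASSWORD`, because if the values ever diverge the first-boot outcome is hard to predict. Each `conf:` entry here gives only `content:`; if the splunk-ansible `conf` handler expects a `directory:` alongside it, these stanzas may be silently skipped — worth confirming on a fresh `docker-compose up` by checking for the generated `inputs.conf`. The comment on line 2 says the file "will be copied to /tmp/defaults", but the compose file bind-mounts `./config` there, so `# Bind-mounted at /tmp/defaults/default.yml by docker-compose.yml (./config:/tmp/defaults)` is the accurate wording. `enableSSL: 0` on HEC and `enableSplunkWebSSL: false` make 8088 and 8000 plaintext; fine for a local lab, but a one-line comment stating that this is deliberate would save the next reader from wondering.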
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..120866b
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,45 @@
+version: '3.8'
+
+services:
+ splunk:
+ image: splunk/splunk:latest
+ container_name: splunk_local
+ environment:
+ - SPLUNK_START_ARGS=--accept-license
+ - SPLUNK_PASSWORD=admin123
+ - SPLUNK_HEC_TOKEN=00000000-0000-0000-0000-000000000000
+ ports:
+ - "8000:8000" # Splunk Web UI
+ - "8088:8088" # HTTP Event Collector (HEC)
+ - "9997:9997" # Splunk2Splunk
+ - "8089:8089" # Splunk Management Port
+ - "514:514/udp" # Syslog
+ volumes:
+ - splunk_etc:/opt/splunk/etc
+ - splunk_var:/opt/splunk/var
+ - ./config:/tmp/defaults
+ restart: unless-stopped
+
+ # Optional: Universal Forwarder for testing log forwarding
+ splunk_forwarder:
+ image: splunk/universalforwarder:latest
+ container_name: splunk_forwarder
+ environment:
+ - SPLUNK_START_ARGS=--accept-license
+ - SPLUNK_PASSWORD=admin123
+ - SPLUNK_FORWARD_SERVER=splunk:9997
+ volumes:
+ - ./logs:/var/log/app
+ - splunk_uf_etc:/opt/splunkforwarder/etc
+ - splunk_uf_var:/opt/splunkforwarder/var
+ depends_on:
+ - splunk
+ restart: unless-stopped
+ profiles:
+ - forwarder
+
+volumes:
+ splunk_etc:
+ splunk_var:
+ splunk_uf_etc:
+ splunk_uf_var:
\ No newline at end of file
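Review bot: Every port in the `splunk` service is published on all host interfaces (`"8000:8000"` and the four that follow) while the admin password and HEC token are fixed literals in the same file, so any host that can reach this machine gets the Web UI, the management API and HEC with `admin/admin123` and the all-zero token; for a local lab bind them to loopback (`"127.0.0.1:8000:8000"` etc.) and take the secrets from `.env` with `${SPLUNK_PASSWORD:?}` / `${SPLUNK_HEC_TOKEN:?}` so the committed compose file carries none and a missing `.env` fails loudly. The forwarder still reaches the indexer as `splunk:9997` over the compose network, so loopback binding does not affect it. The forwarder mounts `./logs` at `/var/log/app` but nothing in this commit adds an `inputs.conf` monitor for that path, so presumably the UF forwards nothing until one is configured — confirm and document it next to the mount. `image: …:latest` on both services and the `version: '3.8'` key (ignored with a warning by Compose v2) are minor, but pinning a tag is what makes a test environment reproducible.
```yaml
services:
  splunk:
    # … unchanged: image, container_name …
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=${SPLUNK_PASSWORD:?set SPLUNK_PASSWORD in .env}
      - SPLUNK_HEC_TOKEN=${SPLUNK_HEC_TOKEN:?set SPLUNK_HEC_TOKEN in .env}
    ports:
      - "127.0.0.1:8000:8000"   # Splunk Web UI (loopback only)
      - "127.0.0.1:8088:8088"   # HTTP Event Collector (HEC)
      - "127.0.0.1:9997:9997"   # Splunk2Splunk
      - "127.0.0.1:8089:8089"   # Splunk Management Port
      - "127.0.0.1:514:514/udp" # Syslog
    # … unchanged: volumes, restart …
  splunk_forwarder:
    # … unchanged: image, container_name …
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=${SPLUNK_PASSWORD:?set SPLUNK_PASSWORD in .env}
      - SPLUNK_FORWARD_SERVER=splunk:9997
    # … unchanged: volumes, depends_on, restart, profiles …
```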