DEV Community

astro
Getting Started with Podman: My First Splunk Test Lab

A few weeks ago, I stumbled upon a LinkedIn post that mentioned Podman as a drop-in replacement for Docker—daemonless, rootless, and open-source. I had heard about it before but never gave it much thought. This time, the post got my attention.

Disclaimer: I'm not a professional writer or seasoned blogger.
I mostly use Dev.to as a notebook or public library for my tech experiments.
That said—I genuinely hope you’ll find something useful here that helps you replicate, improve, or build your own version of this small Splunk lab with Podman.
If you have suggestions, I’m always open to learning more.

I'm working a lot with Splunk, and I often spin up quick labs to test different components like Indexers, Heavy Forwarders, and Search Heads. I figured—why not try doing this with Podman?

Here’s how I set up a basic Splunk architecture using Podman and podman-compose.

  • Create the podman-compose.yml

I used a file nearly identical to what I’d write for Docker Compose, since podman-compose is compatible with the Compose Specification.

```yaml
version: '3.8'

services:
  # Indexer: receives data on 9997, exposes Splunk Web (8000) and the management port (8089)
  idx:
    image: docker.io/splunk/splunk:latest
    container_name: idx
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=Splunk@00
      - SPLUNK_ROLE=splunk_indexer
      - SPLUNK_ENABLE_LISTEN=9997
    ports:
      - "8000:8000"
      - "9997:9997"
      - "8089:8089"
    networks:
      - splunk-net

  # Heavy forwarder: Splunk Web on host port 8001
  hf:
    image: docker.io/splunk/splunk:latest
    container_name: hf
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=Splunk@00
      - SPLUNK_ROLE=splunk_heavy_forwarder
    ports:
      - "8001:8000"
    networks:
      - splunk-net
    depends_on:
      - idx

  # Search head: Splunk Web on host port 8003
  sh:
    image: docker.io/splunk/splunk:latest
    container_name: sh
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=Splunk@00
      - SPLUNK_ROLE=splunk_search_head
    ports:
      - "8003:8000"
    networks:
      - splunk-net
    depends_on:
      - idx

networks:
  splunk-net:
    driver: bridge
```
  • Run It with podman-compose

```bash
podman-compose -f podman-compose.yml up -d
```

This brought up the three containers: idx, hf, and sh, running on the same network.

  • Post-Startup Configuration

  1. Search Head: register the indexer as a search peer

```bash
podman exec -u splunk -it sh bash
/opt/splunk/bin/splunk add search-server idx:8089 -remoteUsername admin -remotePassword Splunk@00 -auth admin:Splunk@00
exit
```

  2. Heavy Forwarder: point its outputs at the indexer’s receiving port

```bash
podman exec -u splunk -it hf bash
/opt/splunk/bin/splunk add forward-server idx:9997 -auth admin:Splunk@00
exit
```
  • Verify the Configuration
    Open Splunk Web on each node:

  • On the Search Head, go to Settings > Distributed Search > Search Peers and verify that the indexer appears and is connected.

  • On the Heavy Forwarder, check Settings > Forwarding and receiving > Forwarded Data to confirm that data is being forwarded to the indexer.
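As an added example (not part of the original post), here is a small shell script that performs the same two checks from the host through podman exec and the splunk CLI, so the lab can be re-verified after every rebuild without clicking through Splunk Web. It reuses the container names, ports and lab-only admin password from the compose file above; the two CLI output formats it parses (from `splunk list forward-server` and `splunk list search-server`) are my assumptions, mirrored by the constructed samples in the comments.

```shell
#!/bin/sh
# Added example: verify the Splunk lab from the host. Assumes the containers
# idx, hf and sh from the compose file above are running under podman, and
# that the lab password is the one set via SPLUNK_PASSWORD (override with SPLUNK_AUTH).
set -u
ADMIN_AUTH="${SPLUNK_AUTH:-admin:Splunk@00}"   # lab-only credentials from the compose file

# Print the targets listed under "Active forwards:" in `splunk list forward-server`
# output read from stdin, one per line. Assumed (constructed) sample input:
#   Active forwards:
#   <TAB>idx:9997
#   Configured but inactive forwards:
#   <TAB>None
active_forwards() {
  awk '
    /^Active forwards:/          { in_active = 1; next }
    /^Configured but inactive/   { in_active = 0 }
    in_active && $1 != "None"    { gsub(/^[ \t]+/, ""); print }
  '
}

# Print "<uri> <status>" per line of `splunk list search-server` output read from
# stdin. Assumed (constructed) line format:
#   Server at URI "https://idx:8089" with status as "Up"
peer_status() {
  sed -n 's/^Server at URI "\([^"]*\)" with status as "\([^"]*\)".*/\1 \2/p'
}

# Run a splunk CLI command inside a container as the splunk user (non-interactive).
splunk_in() {   # usage: splunk_in <container> <splunk args...>
  c="$1"; shift
  podman exec -u splunk "$c" /opt/splunk/bin/splunk "$@" -auth "$ADMIN_AUTH"
}

# Check that hf has an active forward to idx:9997 and that sh sees idx:8089 as "Up".
# Returns non-zero if either check fails, so it can gate a CI job or a rebuild script.
verify_lab() {
  rc=0
  if splunk_in hf list forward-server | active_forwards | grep -qx 'idx:9997'; then
    echo "OK   hf -> idx:9997 is an active forward"
  else
    echo "FAIL hf has no active forward to idx:9997"; rc=1
  fi
  if splunk_in sh list search-server | peer_status | grep -q 'idx:8089 Up$'; then
    echo "OK   sh search peer idx:8089 is Up"
  else
    echo "FAIL sh search peer idx:8089 is missing or not Up"; rc=1
  fi
  return "$rc"
}
```

Source the file and call `verify_lab` once the containers are up; a non-zero exit status means one of the two links is not in place.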

Honestly, I didn’t expect Podman to work this smoothly. The only real change I had to make was adding the full image path (docker.io/splunk/splunk) to avoid name resolution issues. Otherwise, the experience felt familiar and lightweight.
