topic Re: check if splunk is installed on linux systems and the process name in Splunk Enterprise

check if splunk is installed on linux systems and the process name

LinkLoop — Fri, 22 Nov 2024 15:00:45 GMT

i need to run a script to check if a list of linux servers have splunk installed and the process name. any idea what the process name is or the installed directory? and if its forwarding to splunk console?

Re: check if splunk is installed on linux systems and the process name

richgalloway — Fri, 22 Nov 2024 16:47:46 GMT

The default installation directory for Splunk Enterprise is /opt/splunk and for the Universal Forwarder it's /opt/splunkforwarder. Both can be changed during installation so those are not 100% reliable.

The Splunk process name is 'splunkd'.

As for whether it is forwarding to Splunk, that's a bit trickier. You could issue a splunk list forward-server command, but you'd need execute access on the splunk binary and a Splunk account.

Another option is to use the splunk btool outputs list command to see if there is a server setting. There may be more than one, however, and zero or more may be in effect.

Consider using network tools to see if splunk has an open connection to port 9997 or 9998. That's a good test for forwarding.

Re: check if splunk is installed on linux systems and the process name

LinkLoop — Fri, 22 Nov 2024 16:58:46 GMT

would windows systems also listen or show connected on these ports?

port 9997 or 9998

Re: check if splunk is installed on linux systems and the process name

richgalloway — Fri, 22 Nov 2024 17:07:41 GMT

They should.

Re: check if splunk is installed on linux systems and the process name

LinkLoop — Wed, 15 Jan 2025 18:39:29 GMT

so if its forwarding, there should be a splunkd.log that is recent?

Re: check if splunk is installed on linux systems and the process name

isoutamo — Thu, 16 Jan 2025 07:13:17 GMT

Not exactly. If splunkd is running then it generates events into splunkd.log, but it’s not 100% indicator that it is forwarding also. But you could look events from that file which told this. Those are “connected/forwarding server 1.2.3.4:9997” or something similar (I cannot check correct lines now).

Is it possible that you look that information from server side? Just search those from _internal logs or even from MC?

Re: check if splunk is installed on linux systems and the process name

LinkLoop — Thu, 16 Jan 2025 14:57:45 GMT

i checked splunkd.log but did not find anything listed under connected or 9997

i did a netstat -an and cannot find any connections to 9997.

where else can i check on a windows system that logs are forwarding?