https://community.splunk.com/t5/Deployment-Architecture/UNIX-Process-Monitoring-Template/m-p/27518#M679 <P>Do you know about the Unix App?<BR /> If you do some research and have a look at this app you will notice that it grabs process information using the TOP command around every 60 seconds. Using a search then you can have splunk notify you if this process is not running.</P> <P>Something like: </P> <PRE><CODE>index="os" source="top" myprocess earliest=-2min latest=-1min </CODE></PRE> <P>and have it run every every minute. Then you can save this search with the condition that if it returns less then 1 result, it should email you an alert.</P> <P>So if myprocess is dead, then splunk should notify you of it, unless of course its a stale process that shows up in top even when it is not running...</P> Tue, 18 Jan 2011 03:58:01 GMT Genti 2011-01-18T03:58:01Z https://community.splunk.com/t5/Deployment-Architecture/UNIX-Process-Monitoring-Template/m-p/27516#M677 <P>Anybody in Splunk answers tried to register process to monitor for Unix systems?</P> <P>I am trying to set-up Splunk to monitor running status of a process. When a process dies, meaning no longer exists, then I want splunk to generate an event that the process no longer is running in a system.</P> <P>It sounds pretty simple, but my delima is that when I search for a process, for example httpd. When the httpd is running then, it would give me a result to verify that the process is there, but when the process no longer exists, splunk will fail searching for that process event. Based on the result that failed to search a process event, how can I make that situation into an event?</P> <P>I would appreciate it if anyone has simular monitoring template that mointors certain proceses' status.</P> Tue, 18 Jan 2011 01:43:08 GMT https://community.splunk.com/t5/Deployment-Architecture/UNIX-Process-Monitoring-Template/m-p/27516#M677 clyde772 2011-01-18T01:43:08Z https://community.splunk.com/t5/Deployment-Architecture/UNIX-Process-Monitoring-Template/m-p/27517#M678 <P>The default Unix app already contains a scripted input that runs <CODE>ps</CODE>. That should get you most of the way, but there are several different ways you might construct the search.</P> <P>Here's one approach, which will generate a new field <CODE>is_running</CODE>:</P> <PRE><CODE>index=os sourcetype=ps | head 1 | eval is_running=if(match(_raw, "\shttpd\b"), 1, 0) </CODE></PRE> <P><CODE>head 1</CODE> will retrieve only the latest polling cycle, giving you the "current" status. If you want to do things like charting status over time, leave that bit out. Using 1 or 0 makes charting easier, but you can also replace them with text values like <CODE>"Running"</CODE> or <CODE>"Not Running"</CODE>, etc.</P> Tue, 18 Jan 2011 03:54:59 GMT https://community.splunk.com/t5/Deployment-Architecture/UNIX-Process-Monitoring-Template/m-p/27517#M678 southeringtonp 2011-01-18T03:54:59Z https://community.splunk.com/t5/Deployment-Architecture/UNIX-Process-Monitoring-Template/m-p/27518#M679 <P>Do you know about the Unix App?<BR /> If you do some research and have a look at this app you will notice that it grabs process information using the TOP command around every 60 seconds. Using a search then you can have splunk notify you if this process is not running.</P> <P>Something like: </P> <PRE><CODE>index="os" source="top" myprocess earliest=-2min latest=-1min </CODE></PRE> <P>and have it run every every minute. Then you can save this search with the condition that if it returns less then 1 result, it should email you an alert.</P> <P>So if myprocess is dead, then splunk should notify you of it, unless of course its a stale process that shows up in top even when it is not running...</P> Tue, 18 Jan 2011 03:58:01 GMT https://community.splunk.com/t5/Deployment-Architecture/UNIX-Process-Monitoring-Template/m-p/27518#M679 Genti 2011-01-18T03:58:01Z