Deployment Architecture

How can I get a complete list of processes used by Splunk for Linux?

cwl
Contributor

I am using 6.2.1 on Linux and we need a list of all processes that are used by splunk. I could find below list for windows environment.

http://docs.splunk.com/Documentation/Splunk/6.2.1/ReleaseNotes/RunningSplunkalongsideWindowsantiviru...
Can anyone advise on how to get a complete list of processes used by splunk for linux ?

Tags (2)
1 Solution

hexx
Splunk Employee
Splunk Employee

I would recommend to build such a list by searching against Splunk's own introspection logs, like so:

  • List of process names, no arguments:

    index=_introspection component=PerProcess
    | stats count by data.process
    | fields - count

    • Full command lines (process + arguments):

    index=_introspection component=PerProcess
    | eval args = if(isnotnull('data.search_props.sid'),"search (...)",'data.args')
    | eval process = 'data.process'." ".args
    | stats count by process
    | fields - count

View solution in original post

hexx
Splunk Employee
Splunk Employee

I would recommend to build such a list by searching against Splunk's own introspection logs, like so:

  • List of process names, no arguments:

    index=_introspection component=PerProcess
    | stats count by data.process
    | fields - count

    • Full command lines (process + arguments):

    index=_introspection component=PerProcess
    | eval args = if(isnotnull('data.search_props.sid'),"search (...)",'data.args')
    | eval process = 'data.process'." ".args
    | stats count by process
    | fields - count

aakwah
Builder
[root@node1~]# ps -aux | grep splunk
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
root     15438  2.5  5.2 315288 107984 ?       Sl   Jan19 311:55 splunkd -p 8089 restart
root     15439  0.1  0.3  52736  7340 ?        Ss   Jan19  24:02 [splunkd pid=15438] splunkd -p 8089 restart [process-runner]
root     15446  0.9  1.8 275552 37200 ?        Ssl  Jan19 112:42 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --port=8191 --timeStampFormat=iso8601-utc --smallfiles --oplogSize=1000 --keyFile=/opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key --setParameter=enableLocalhostAuthBypass=0 --sslMode=preferSSL --sslPEMKeyFile=/opt/splunk/etc/auth/server.pem --sslPEMKeyPassword=xxxxxxxx
root     15508  0.5  5.5 977624 113976 ?       Ssl  Jan19  68:25 /opt/splunk/bin/python -O /opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=127.0.0.1,8065,8000
root     15522  0.1  1.3  77300 28568 ?        Ssl  Jan19  22:05 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089
root     24325  0.0  0.0 103236   800 pts/0    S+   00:26   0:00 grep splunk

cwl
Contributor

aakwah,
Thank you very much for your reply.The problem of ps -aux is that I can not get the processes which are not constantly running like splunk-optimize. Any advise on how to get those kind of process too ?

0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...