Deployment Architecture

How can I get a complete list of processes used by Splunk for Linux?

Contributor

I am using 6.2.1 on Linux and we need a list of all processes that are used by splunk. I could find below list for windows environment.

http://docs.splunk.com/Documentation/Splunk/6.2.1/ReleaseNotes/RunningSplunkalongsideWindowsantiviru...
Can anyone advise on how to get a complete list of processes used by splunk for linux ?

Tags (2)
1 Solution

Splunk Employee
Splunk Employee

I would recommend to build such a list by searching against Splunk's own introspection logs, like so:

  • List of process names, no arguments:

    index=_introspection component=PerProcess
    | stats count by data.process
    | fields - count

    • Full command lines (process + arguments):

    index=_introspection component=PerProcess
    | eval args = if(isnotnull('data.search_props.sid'),"search (...)",'data.args')
    | eval process = 'data.process'." ".args
    | stats count by process
    | fields - count

View solution in original post

Splunk Employee
Splunk Employee

I would recommend to build such a list by searching against Splunk's own introspection logs, like so:

  • List of process names, no arguments:

    index=_introspection component=PerProcess
    | stats count by data.process
    | fields - count

    • Full command lines (process + arguments):

    index=_introspection component=PerProcess
    | eval args = if(isnotnull('data.search_props.sid'),"search (...)",'data.args')
    | eval process = 'data.process'." ".args
    | stats count by process
    | fields - count

View solution in original post

Builder
[root@node1~]# ps -aux | grep splunk
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
root     15438  2.5  5.2 315288 107984 ?       Sl   Jan19 311:55 splunkd -p 8089 restart
root     15439  0.1  0.3  52736  7340 ?        Ss   Jan19  24:02 [splunkd pid=15438] splunkd -p 8089 restart [process-runner]
root     15446  0.9  1.8 275552 37200 ?        Ssl  Jan19 112:42 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --port=8191 --timeStampFormat=iso8601-utc --smallfiles --oplogSize=1000 --keyFile=/opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key --setParameter=enableLocalhostAuthBypass=0 --sslMode=preferSSL --sslPEMKeyFile=/opt/splunk/etc/auth/server.pem --sslPEMKeyPassword=xxxxxxxx
root     15508  0.5  5.5 977624 113976 ?       Ssl  Jan19  68:25 /opt/splunk/bin/python -O /opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=127.0.0.1,8065,8000
root     15522  0.1  1.3  77300 28568 ?        Ssl  Jan19  22:05 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089
root     24325  0.0  0.0 103236   800 pts/0    S+   00:26   0:00 grep splunk

Contributor

aakwah,
Thank you very much for your reply.The problem of ps -aux is that I can not get the processes which are not constantly running like splunk-optimize. Any advise on how to get those kind of process too ?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!