i found the files.. just looked at the wrong place:)

looks like it is configured as expected but still im not sure splunk is recovered well after crushing

stopping splunk manually is a good way to check if its automatically restarts?
if yes then im sure it is not working 🙂

Both commands apply only to configuring Splunk to start after a reboot, not a crash.

oh, ok.
how can i auto start splunk after crush ?

It should come preconfigured to do so, but you can add Restart=always to the splunk unit file.

Example:

[Unit] Description=Systemd service
file for Splunk, generated by 'splunk
enable boot-start'
After=network.target

[Service] Type=simple Restart=always

Then reload the config:

systemctl daemon-reload

it is already conifgured
how can i validate it is working ?

Find the PID of your splunk daemon:

ps -ef |grep -i splunk

Then kill that process:

kill -9 pid_of_splunk_daemon

Wait a few seconds then re-run the ps command to verify it comes back up:

ps -ef |grep -i splunk

Note that if you really want to test this, it should be on a DEV or non-critical box.

thanks !
Splunk system is not production yet but just to be on the safe side - something bad can happen if i will kill the process ?

Nothing bad will happen, it is just not a graceful way to bring down a process. So I was adding my disclaimer, just in case 🙂

thank you very much !

Glad to help.