Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Universal Forwarder - Linux server - multiple proc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
maybe a simple question for the pros.
I have installed on different linux servers the UF to get logs and events.
I noticed on this servers that splunk is running with 40 processes (splunkd -p 8089 start) at the same time.
Is this a normal behavior?
Can a reduce the amount of running processes?
I'm using version 7.0.0 for the UF and the IDX.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi mayurr98,
thanks for you response and the provided link.
But I think I found my mistake.
I was looking to the system processes via htop. htop shows to each process all associated threads. If I use ps -eHj I get also a process tree with child processes but whitout threads, and then I only see 3 processes.
So I have to apologize to wast your time with such a stupid question.
Sorry for that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi mayurr98,
thanks for you response and the provided link.
But I think I found my mistake.
I was looking to the system processes via htop. htop shows to each process all associated threads. If I use ps -eHj I get also a process tree with child processes but whitout threads, and then I only see 3 processes.
So I have to apologize to wast your time with such a stupid question.
Sorry for that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is no complete list, because it depends on both your version of Splunk, the various scripts you may have and the searches that are running. But here is most of it
splunkd - this is the "engine" that does most of the work. The first splunkd process is the parent of all the other running Splunk processes
in Splunk 6.2, a second copy of splunkd runs to manage the user interface
a third copy of splunkd may run to collect information about how Splunk uses system resources
mongod - not in earlier versions, but starting in 6.2, this process manages the mongo db that contains the KV store
python - Splunk may run a python process
Splunk will also launch processes as needed to run scripted inputs, alert scripts and searches. These will be subprocesses of splunkd. Earlier versions of Splunk ran a splunkweb process, but that is no longer true in version 6.2
I found this answer in this doc
Also, have a look at this doc
https://answers.splunk.com/answers/177506/how-many-splunk-processes-are-normal-on-a-linux-in.html
let me know if this helps!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
