Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to automate splunk forwarder service restart on windows workstations as well as linux when they are down?

Roy_9
Motivator
‎03-30-2023 12:59 PM

Hello,

Can someone please help me with your inputs whenever the splunkd.exe and splunk-winevtlog.exe  goes down? looking to set up something automatically restart these services whenever they are down.

 

 

Thanks

Labels (2)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-31-2023 02:44 AM

Hi

In Windows there is standard options on service configuration where you can set what happening if service crashed or goes down. Just select restart and also how many times is can try that to avoid @gcusello notice that it's good to get reason for that instead of just restart it again and again.

On linux you should use systemd to start service and let it manage that as in windows. Here is one link where it has described. https://ma.ttias.be/auto-restart-crashed-service-systemd/

Anyhow if UF goes down regularly you must solve the reason for that.

r. Ismo

0 Karma
Reply

splunkreal
Motivator
‎03-31-2023 01:21 AM

Hello, you could schedule task to check status and restart with script : https://community.splunk.com/t5/Splunk-Search/Good-unix-way-check-if-splunkd-and-splunkweb-are-runni...

 

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-30-2023 11:43 PM

Hi @Roy_9,

are you sure that an automatic restart is the best solution?

I'd like to be informed when an UF is doen so I'd be able to analyze why it went down, not to performa an automatic restart that probably will down again because there's an issue!

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...