Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How many Splunk processes are normal on a Linux indexer?

daniel_hanft
Explorer
‎10-22-2014 05:32 AM

Hi Splunk Community,

how many splunk processes are normal on a Linux Indexer? I've observed sometimes there are up to 37 processes on one system (when using the command: # ps uax | grep splunk).
Can someone tell me a good threshold value we can configure in our system monitoring tool for alerting?

Many thanks in advance.

Daniel

Reply
1 Solution
Solved! Jump to solution
Solution

jeremiahc4
Builder
‎10-22-2014 08:01 AM

That number depends on how many searches you may be running. I seem to only have 2 splunkd processes running which aren't specific searches. Occasionally I'll see another pop up when rolling buckets for instance. Try this command to narrow the field unless you are interested in how many searches are in process.

 ps uax | grep splunkd | grep -v grep | grep -v search

View solution in original post

Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎10-22-2014 09:29 AM

Typically there's one monolithic splunkd process, then two for each running search (a helper and the actual searcher). These may show "rt" in the search name if they are real time searches. Additionally, as @jeremiahc4 points out, other maintenance processes may start up additional copies of splunkd.

Reply
Solved! Jump to solution
Solution

jeremiahc4
Builder
‎10-22-2014 08:01 AM

That number depends on how many searches you may be running. I seem to only have 2 splunkd processes running which aren't specific searches. Occasionally I'll see another pop up when rolling buckets for instance. Try this command to narrow the field unless you are interested in how many searches are in process.

 ps uax | grep splunkd | grep -v grep | grep -v search
Reply
Solved! Jump to solution

daniel_hanft
Explorer
‎10-23-2014 05:21 AM

Thank you jeremiahc4. When I type your command, I get a total number of 3 processes running.

The output is this:

splunk    9338 21.0  0.0 948748 79344 ?        Sl   Oct17 1845:41 splunkd -p 8089 restart

splunk    9339  0.0  0.0  49236  3428 ?        Ss   Oct17   5:50 [splunkd pid=9338] splunkd -p 8089 restart [process-runner]

splunk    9406  0.0  0.0  49192 11692 ?        Ss   Oct17   7:10 /opt/splunk/bin/splunkd instrument-resource-usage

So can I assume a number of 3 processes is normal on an Splunk Indexer?

0 Karma
Reply
Solved! Jump to solution

jeremiahc4
Builder
‎10-23-2014 11:07 AM

The first two are constant (splunkd -p 8089...). The third looks like a maintenance process and might not be there all the time. I'd go with 2 minimum for your process monitor (i.e. greater than 2 = good).

0 Karma
Reply
Solved! Jump to solution

daniel_hanft
Explorer
‎10-23-2014 11:31 PM

Thank you @jeremiahc4 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...