How can I get a complete list of processes used by Splunk for Linux?

cwl
Contributor

I am using 6.2.1 on Linux and we need a list of all processes that are used by Splunk. I could find the list below for the Windows environment.

http://docs.splunk.com/Documentation/Splunk/6.2.1/ReleaseNotes/RunningSplunkalongsideWindowsantiviru...
Can anyone advise on how to get a complete list of processes used by Splunk for Linux?

1 Solution

hexx
Splunk Employee

I would recommend building such a list by searching against Splunk's own introspection logs, like so:

  • List of process names, no arguments:

    index=_introspection component=PerProcess
    | stats count by data.process
    | fields - count

  • Full command lines (process + arguments):

    index=_introspection component=PerProcess
    | eval args = if(isnotnull('data.search_props.sid'),"search (...)",'data.args')
    | eval process = 'data.process'." ".args
    | stats count by process
    | fields - count

aakwah
Builder

[root@node1~]# ps -aux | grep splunk
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
root     15438  2.5  5.2 315288 107984 ?       Sl   Jan19 311:55 splunkd -p 8089 restart
root     15439  0.1  0.3  52736  7340 ?        Ss   Jan19  24:02 [splunkd pid=15438] splunkd -p 8089 restart [process-runner]
root     15446  0.9  1.8 275552 37200 ?        Ssl  Jan19 112:42 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --port=8191 --timeStampFormat=iso8601-utc --smallfiles --oplogSize=1000 --keyFile=/opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key --setParameter=enableLocalhostAuthBypass=0 --sslMode=preferSSL --sslPEMKeyFile=/opt/splunk/etc/auth/server.pem --sslPEMKeyPassword=xxxxxxxx
root     15508  0.5  5.5 977624 113976 ?       Ssl  Jan19  68:25 /opt/splunk/bin/python -O /opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=127.0.0.1,8065,8000
root     15522  0.1  1.3  77300 28568 ?        Ssl  Jan19  22:05 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089
root     24325  0.0  0.0 103236   800 pts/0    S+   00:26   0:00 grep splunk

cwl
Contributor

aakwah,
Thank you very much for your reply. The problem with ps -aux is that I cannot get the processes which are not constantly running, like splunk-optimize. Any advice on how to get those kinds of processes too?

0 Karma
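
An OS-side cross-check for the transient-process question above, as an added example that is not part of any post in this thread and is not Splunk's own tooling: it polls /proc/<pid>/exe and accumulates every executable that lives under the Splunk install directory. The path /opt/splunk is taken from the ps output above; the function names and the PROC_ROOT override are hypothetical.

```shell
#!/bin/sh
# Added example: poll the process table to catch short-lived Splunk helpers
# (such as splunk-optimize) that a single "ps | grep splunk" does not show.
# Assumptions: SPLUNK_HOME is /opt/splunk as in the ps output above;
# PROC_ROOT exists only so the logic can be run against a constructed tree.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the basename of every running executable located under $SPLUNK_HOME.
# /proc/<pid>/exe is a symlink to the binary itself, so the match does not
# depend on how argv[0] appears in ps, and an unrelated "grep splunk" is ignored.
splunk_snapshot() (
    for link in "$PROC_ROOT"/[0-9]*/exe; do
        # readlink fails for kernel threads, exited PIDs, or missing privileges
        target=$(readlink "$link" 2>/dev/null) || continue
        # the kernel appends " (deleted)" when the binary was replaced on disk
        target=${target% (deleted)}
        case "$target" in
            "$SPLUNK_HOME"/*) printf '%s\n' "${target##*/}" ;;
        esac
    done
)

# Take $1 snapshots, $2 seconds apart, and print the union of names seen.
splunk_collect() (
    samples=${1:-60}
    interval=${2:-1}
    i=0
    while [ "$i" -lt "$samples" ]; do
        splunk_snapshot
        i=$((i + 1))
        if [ "$i" -lt "$samples" ]; then sleep "$interval"; fi
    done | LC_ALL=C sort -u
)

# Usage (as root, to read other users' /proc entries):
#   sh splunk_procs.sh 600 1
if [ "$#" -gt 0 ]; then
    splunk_collect "$@"
fi
```

A process that starts and exits between two samples is still missed, so use a short interval and collect across indexing, searching and a restart.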