Deployment Architecture

How can I get a complete list of processes used by Splunk for Linux?

cwl
Contributor

I am using 6.2.1 on Linux and we need a list of all processes that are used by splunk. I could find below list for windows environment.

http://docs.splunk.com/Documentation/Splunk/6.2.1/ReleaseNotes/RunningSplunkalongsideWindowsantiviru...
Can anyone advise on how to get a complete list of processes used by splunk for linux ?

Tags (2)
1 Solution

hexx
Splunk Employee
Splunk Employee

I would recommend to build such a list by searching against Splunk's own introspection logs, like so:

  • List of process names, no arguments:

    index=_introspection component=PerProcess
    | stats count by data.process
    | fields - count

    • Full command lines (process + arguments):

    index=_introspection component=PerProcess
    | eval args = if(isnotnull('data.search_props.sid'),"search (...)",'data.args')
    | eval process = 'data.process'." ".args
    | stats count by process
    | fields - count

View solution in original post

hexx
Splunk Employee
Splunk Employee

I would recommend to build such a list by searching against Splunk's own introspection logs, like so:

  • List of process names, no arguments:

    index=_introspection component=PerProcess
    | stats count by data.process
    | fields - count

    • Full command lines (process + arguments):

    index=_introspection component=PerProcess
    | eval args = if(isnotnull('data.search_props.sid'),"search (...)",'data.args')
    | eval process = 'data.process'." ".args
    | stats count by process
    | fields - count

aakwah
Builder
[root@node1~]# ps -aux | grep splunk
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.8/FAQ
root     15438  2.5  5.2 315288 107984 ?       Sl   Jan19 311:55 splunkd -p 8089 restart
root     15439  0.1  0.3  52736  7340 ?        Ss   Jan19  24:02 [splunkd pid=15438] splunkd -p 8089 restart [process-runner]
root     15446  0.9  1.8 275552 37200 ?        Ssl  Jan19 112:42 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --port=8191 --timeStampFormat=iso8601-utc --smallfiles --oplogSize=1000 --keyFile=/opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key --setParameter=enableLocalhostAuthBypass=0 --sslMode=preferSSL --sslPEMKeyFile=/opt/splunk/etc/auth/server.pem --sslPEMKeyPassword=xxxxxxxx
root     15508  0.5  5.5 977624 113976 ?       Ssl  Jan19  68:25 /opt/splunk/bin/python -O /opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=127.0.0.1,8065,8000
root     15522  0.1  1.3  77300 28568 ?        Ssl  Jan19  22:05 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089
root     24325  0.0  0.0 103236   800 pts/0    S+   00:26   0:00 grep splunk

cwl
Contributor

aakwah,
Thank you very much for your reply.The problem of ps -aux is that I can not get the processes which are not constantly running like splunk-optimize. Any advise on how to get those kind of process too ?

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...