Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How many Splunk processes are normal on a Linux indexer?

daniel_hanft
Explorer
‎10-22-2014 05:32 AM

Hi Splunk Community,

how many splunk processes are normal on a Linux Indexer? I've observed sometimes there are up to 37 processes on one system (when using the command: # ps uax | grep splunk).
Can someone tell me a good threshold value we can configure in our system monitoring tool for alerting?

Many thanks in advance.

Daniel

Reply
1 Solution
Solved! Jump to solution
Solution

jeremiahc4
Builder
‎10-22-2014 08:01 AM

That number depends on how many searches you may be running. I seem to only have 2 splunkd processes running which aren't specific searches. Occasionally I'll see another pop up when rolling buckets for instance. Try this command to narrow the field unless you are interested in how many searches are in process.

 ps uax | grep splunkd | grep -v grep | grep -v search

View solution in original post

Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎10-22-2014 09:29 AM

Typically there's one monolithic splunkd process, then two for each running search (a helper and the actual searcher). These may show "rt" in the search name if they are real time searches. Additionally, as @jeremiahc4 points out, other maintenance processes may start up additional copies of splunkd.

Reply
Solved! Jump to solution
Solution

jeremiahc4
Builder
‎10-22-2014 08:01 AM

That number depends on how many searches you may be running. I seem to only have 2 splunkd processes running which aren't specific searches. Occasionally I'll see another pop up when rolling buckets for instance. Try this command to narrow the field unless you are interested in how many searches are in process.

 ps uax | grep splunkd | grep -v grep | grep -v search
Reply
Solved! Jump to solution

daniel_hanft
Explorer
‎10-23-2014 05:21 AM

Thank you jeremiahc4. When I type your command, I get a total number of 3 processes running.

The output is this:

splunk    9338 21.0  0.0 948748 79344 ?        Sl   Oct17 1845:41 splunkd -p 8089 restart

splunk    9339  0.0  0.0  49236  3428 ?        Ss   Oct17   5:50 [splunkd pid=9338] splunkd -p 8089 restart [process-runner]

splunk    9406  0.0  0.0  49192 11692 ?        Ss   Oct17   7:10 /opt/splunk/bin/splunkd instrument-resource-usage

So can I assume a number of 3 processes is normal on an Splunk Indexer?

0 Karma
Reply
Solved! Jump to solution

jeremiahc4
Builder
‎10-23-2014 11:07 AM

The first two are constant (splunkd -p 8089...). The third looks like a maintenance process and might not be there all the time. I'd go with 2 minimum for your process monitor (i.e. greater than 2 = good).

0 Karma
Reply
Solved! Jump to solution

daniel_hanft
Explorer
‎10-23-2014 11:31 PM

Thank you @jeremiahc4 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...