Does 6.5 launch more pids?

a212830 · ‎07-27-2017

Hi,

I noticed today that there seems to be a lot more pids running by Splunk in 6.5. Is this by design? Below is an example - I don't recall seeing these "launcher" pids before.

splunk 1971 1 99 21:23 ? 00:10:19 splunkd -p 8089 restart
splunk 1978 1971 0 21:23 ? 00:00:00 [splunkd pid=1971] splunkd -p 8089 restart [process-runner]
splunk 5953 1978 0 21:30 ? 00:00:01 [splunkd pid=1971] [search-launcher]
splunk 5954 5953 0 21:30 ? 00:00:00 [splunkd pid=1971] [search-launcher] [process-runner]
splunk 5956 1978 0 21:30 ? 00:00:01 [splunkd pid=1971] [search-launcher]
splunk 5964 5956 0 21:30 ? 00:00:00 [splunkd pid=1971] [search-launcher] [process-runner]

nagrajkulkarni · ‎11-04-2018

Are these the "pre-launched" search processes?

sloshburch · ‎07-28-2017

You seeing this on SH, Indexer, Utility, everything?

Honestly that seems fishy that they are the same. Did they clear after restart or are they persisting?

Compared to my DS, I only see relevant looking pids.

I'd suggest stopping splunk and seeing is there's any remaining pids. If so, kill those zombies (head shot FTW) and then start splunk and I'm guessing you're good. Sometimes unix processes just live on so I've seen that quirk before.

s2_splunk · ‎07-28-2017

This looks OK to me. The [splunkd pid=1971] shows that those processes tie back to the main splunkd launch process. The PID chain looks accurate.
5954 and 5964 may be the two default DMA (data model acceleration) search processes that were introduced in 6.5, but I am not 100% certain.

a212830 · ‎07-28-2017

Hey Burch!

I see it on all my components - idx, sh... anything that runs a search.

Does 6.5 launch more pids?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM