Splunk Status and Locations

Use a combination of shell commands to list the details of the files and output them to a CSV file named after the current directory.

Here’s a sample command that does this:

# Name the CSV after the current directory; the redirect must use a shell expansion, not the literal word pwd
ls -la | awk -v OFS=',' 'BEGIN {print "Permissions,Number,Owner,Group,Size,Month,Day,Time,Name"} NR>1 {print $1,$2,$3,$4,$5,$6,$7,$8,$9}' > "/Users/Shared/$(basename "$PWD").csv"

# Same, but substitutes the current year when ls shows a time instead of a year, and keeps names that contain spaces intact
ls -la | awk -v year="$(date +%Y)" -v OFS=',' 'BEGIN {print "Permissions,Number,Owner,Group,Size,Month,Day,Year/Time,Name"} NR>1 {name=$9; for(i=10;i<=NF;i++) name=name" "$i; if($8 ~ /:/) print $1,$2,$3,$4,$5,$6,$7,year,name; else print $1,$2,$3,$4,$5,$6,$7,$8,name}' > "/Users/Shared/$(basename "$PWD").csv"
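The one-liners above shift columns when a file name contains spaces or commas. The following is an added example, not code from the original post, that does the same `ls -la` to CSV conversion as a reusable function: it re-joins the name fields, CSV-quotes the name, splits Year and Time into separate columns, and pins the locale so the date layout is predictable. The `/Users/Shared` output directory is the post's; everything else (function names, column names) is this example's own choice.

```shell
#!/bin/bash
# Added example (not from the original post): write `ls -la` details of a
# directory as CSV on stdout. Fields 9..NF are the file name (plus " -> target"
# for symlinks), so they are re-joined and quoted instead of taking $9 only.
# The column layout assumes the C locale ("Mon DD HH:MM" or "Mon DD YYYY").

dir_to_csv() {
    local dir="${1:-.}"
    local year
    year="$(date +%Y)"
    LC_ALL=C ls -la "$dir" | awk -v year="$year" -v OFS=',' '
        BEGIN { print "Permissions,Links,Owner,Group,Size,Month,Day,Year,Time,Name" }
        NR > 1 {
            name = $9
            for (i = 10; i <= NF; i++) name = name " " $i
            gsub(/"/, "\"\"", name)          # CSV-escape embedded double quotes
            if ($8 ~ /:/) { yr = year; tm = $8 } else { yr = $8; tm = "" }
            print $1, $2, $3, $4, $5, $6, $7, yr, tm, "\"" name "\""
        }'
}

# Wrapper matching the post: name the CSV after the directory and write it
# to /Users/Shared (the post's location; pass a second argument to override).
dir_to_csv_file() {
    local dir="${1:-.}" out_dir="${2:-/Users/Shared}"
    local name
    name="$(basename "$(cd "$dir" && pwd)")"
    dir_to_csv "$dir" > "$out_dir/$name.csv"
}
```

Run it against the forwarder's app directory with `dir_to_csv /Applications/splunkforwarder/etc/apps`, or `dir_to_csv_file` to get the named file the post's command produces.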

defaults

cd /Applications/splunkforwarder/etc/apps/SplunkUniversalForwarder/default

List of Apps

cd /Applications/splunkforwarder/etc/apps

Export details to /Users/Shared
ls -l /Applications/splunkforwarder/etc/apps | awk 'BEGIN {OFS=","; print "AppName,LastModified"} NR>1 {print $9, $6" "$7" "$8}' > /Users/Shared/splunk_apps.csv

Check and Count splunkd Processes:

ps aux | grep '[s]plunkd' | wc -l
Explanation:
ps aux: Lists all running processes.
grep '[s]plunkd': Filters the list to include only lines containing splunkd. The square brackets [s] are used to prevent grep itself from appearing in the output.
wc -l: Counts the number of lines, which corresponds to the number of splunkd processes.

List Details of splunkd Processes

ps aux | grep '[s]plunkd'
Explanation:
This command breaks down as follows:
ps aux lists every process on the system.
grep '[s]plunkd' filters the list to include only lines containing splunkd. The square brackets are used to prevent grep itself from appearing in the output.
Understand the Output:

The output of ps aux provides a detailed snapshot of each process. Here’s what the columns mean:
USER: The username of the process owner.
PID: Process ID.
%CPU: The CPU usage percentage.
%MEM: The memory usage percentage.
VSZ: Virtual memory size.
RSS: Resident Set Size, the non-swapped physical memory the process is using.
TT: Controlling terminal.
STAT: Process state.
STARTED: Process start time.
TIME: CPU time used.
COMMAND: The command used to start the process, which can provide context about what the splunkd process is doing.

Execute the Command and Output to CSV:

# COMMAND is everything from field 11 onward, so join and quote it instead of printing $11 alone (which would drop splunkd's arguments)
ps aux | grep '[s]plunkd' | awk 'BEGIN {OFS=","; print "USER,PID,%CPU,%MEM,VSZ,RSS,TT,STAT,START,TIME,COMMAND"} {cmd=$11; for(i=12;i<=NF;i++) cmd=cmd" "$i; print $1,$2,$3,$4,$5,$6,$7,$8,$9,$10,"\""cmd"\""}' > /Users/Shared/splunkd_processes.csv
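The count and CSV steps above are combined below into functions that read `ps aux` text from stdin, so the same logic can be exercised on a constructed sample without a Splunk install. This is an added example, not code from the original post; the sample process lines are made up for the demonstration and the function names are this example's own. The sample also includes a `grep [s]plunkd` line to show why the bracket trick keeps grep out of the count.

```shell
#!/bin/bash
# Added example (not from the original post): count splunkd processes and
# render `ps aux` lines as CSV. COMMAND spans fields 11..NF, so it is
# re-joined and quoted; column order is the macOS `ps aux` header the post lists.

# Keep only splunkd lines from ps output on stdin. The [s] keeps the grep
# process itself out of the match, because its own command line reads
# "grep [s]plunkd", which the regex "splunkd" does not match.
filter_splunkd() {
    grep '[s]plunkd'
}

# Number of splunkd processes in ps output on stdin.
count_splunkd() {
    filter_splunkd | wc -l | tr -d ' '
}

# Convert ps output on stdin to CSV on stdout.
ps_to_csv() {
    awk -v OFS=',' '
        BEGIN { print "USER,PID,%CPU,%MEM,VSZ,RSS,TT,STAT,START,TIME,COMMAND" }
        {
            cmd = $11
            for (i = 12; i <= NF; i++) cmd = cmd " " $i
            gsub(/"/, "\"\"", cmd)        # CSV-escape embedded double quotes
            print $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, "\"" cmd "\""
        }'
}

# Constructed sample of `ps aux` output (not real data): two splunkd
# processes plus the grep that is searching for them.
SAMPLE_PS='root  512  0.1  0.5  4500000 52000  ??  Ss  9:01AM  0:12.34 /Applications/splunkforwarder/bin/splunkd -p 8089 start
root  513  0.0  0.1  4200000 12000  ??  S   9:01AM  0:00.10 [splunkd pid=512] splunkd -p 8089 start [process-runner]
user  600  0.0  0.0  4100000  9000  s000 S+  9:05AM  0:00.01 grep [s]plunkd'

# CSV for the constructed sample; on a live host use: ps aux | filter_splunkd | ps_to_csv
splunkd_sample_csv() {
    printf '%s\n' "$SAMPLE_PS" | filter_splunkd | ps_to_csv
}
```

On a real host, `ps aux | count_splunkd` gives the same number as the post's one-liner, and `ps aux | filter_splunkd | ps_to_csv > /Users/Shared/splunkd_processes.csv` writes the CSV with the full splunkd command line preserved.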

Jamf Extension Attribute Check Splunk Status

#!/bin/zsh
# shellcheck shell=bash

splunk="/opt/splunkforwarder/bin/splunk"

if [[ -e "$splunk" ]]; then
    # Only query status once the binary is known to exist
    splunkStatus=$("$splunk" status | grep -c "splunkd is running")
    if [[ "$splunkStatus" -ge 1 ]]; then
        # Jamf records the text between <result> tags as the attribute value
        echo "<result>splunkd is running</result>"
    else
        echo "<result>splunkd is not running</result>"
    fi
else
    echo "<result>Not Installed</result>"
fi

exit 0
#!/bin/zsh

splunk="/Applications/splunkforwarder/bin/splunk"

# Check if the Splunk binary exists
if [[ ! -e "$splunk" ]]; then
    echo "<result>Not Installed</result>"
    exit 0
fi

# Attempt to get the status of Splunk. Capture the text rather than testing $?
# after a pipeline: grep -c exits 1 whenever the count is 0, so a stopped
# splunkd would otherwise be reported as an error.
statusOutput=$("$splunk" status 2>/dev/null)

if [[ -z "$statusOutput" ]]; then
    echo "<result>Error checking Splunk status</result>"
    exit 1
fi

# Check the status and return the result (Jamf reads the text inside <result>)
if [[ "$statusOutput" == *"splunkd is running"* ]]; then
    echo "<result>splunkd is running</result>"
else
    echo "<result>splunkd is not running</result>"
fi

exit 0
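The two scripts above differ in where they look for the forwarder (/opt versus /Applications) and in how they decide whether the status check failed. The following is an added example, not the post's script, that splits the Extension Attribute into small functions: one that tries both install locations the post uses, one that classifies the text of `splunk status`, and one that wraps the value in the `<result>` tags Jamf reads. Function names and the candidate list are this example's own; the status strings are the ones the post matches on.

```shell
#!/bin/bash
# Added example (not the post's script): a Jamf Extension Attribute check for
# the Splunk forwarder split into testable pieces. It classifies the text of
# `splunk status` rather than the pipeline exit code, because `grep -c` exits
# 1 when the count is 0, so `$?` after the pipeline does not mean "command failed".

# Both install locations used in the post, first match wins.
SPLUNK_CANDIDATES="/Applications/splunkforwarder/bin/splunk /opt/splunkforwarder/bin/splunk"

# Print the first candidate path that exists; return 1 if none does.
find_splunk_binary() {
    local candidate
    for candidate in "$@"; do
        if [[ -e "$candidate" ]]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Map the text of `splunk status` to the attribute value.
classify_status() {
    local text="$1"
    if [[ -z "$text" ]]; then
        printf '%s\n' "Error checking Splunk status"
    elif [[ "$text" == *"splunkd is running"* ]]; then
        printf '%s\n' "splunkd is running"
    else
        printf '%s\n' "splunkd is not running"
    fi
}

# Full check, with the value inside <result> tags as Jamf expects from an EA.
splunk_ea_result() {
    local bin
    # $SPLUNK_CANDIDATES is deliberately unquoted so it splits into two paths
    if ! bin="$(find_splunk_binary $SPLUNK_CANDIDATES)"; then
        printf '<result>%s</result>\n' "Not Installed"
        return 0
    fi
    printf '<result>%s</result>\n' "$(classify_status "$("$bin" status 2>/dev/null)")"
}
```

Paste the block into the EA script body and end it with a call to `splunk_ea_result`; on a machine without the forwarder it reports `<result>Not Installed</result>` without ever invoking a missing binary.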

5 Attempt
