BigFix property to check if service is running - Linux

AtanasR 2021-04-06 19:53:54 UTC #1

So I’m trying to create a BigFix property which will be used for analysis.

The purpose of that property is to check the status of a given services on Linux machines - Running or Stopped

Tried something like that but without success:
exists process whose (name of it as string as lowercase = “splunkd”) then “Running” else “Stopped”) else “”)

Any ideas

Thanks !

JasonWalker 2021-04-06 20:40:14 UTC #2

Not enough ‘if’ and too many ‘else’, I think. Try

If exists processes whose (name of it as string as lowercase = "splunkd") then "Running" else "Stopped"

AtanasR 2021-04-06 20:57:05 UTC #3

Bingo !

It works perfect

Thank you

FatScottishGuy 2021-04-07 12:16:02 UTC #4

This guy (me) that’s been doing exists running service "ServiceName" forever and completely forgot about processes

Thanks for the reminder guys

AtanasR 2021-05-12 20:42:32 UTC #5

Hi @JasonWalker, i found old Splunk analysis written by you and I’m trying to updated few of the properties to work on Unix.

https://bigfix.me/analysis/details/2994522

Do you have any idea how i can modify the SplunkServerURI property to work for Unix as well

following text of first “=” of (it) of line whose( ( if it does not contain “;” then it else preceding text of first “;” of it) as uppercase contains “TARGETURI” ) of file (value “InstallLocation” of (keys of (key “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall” of native registry)) whose (value “DisplayName” of it = “Universal Forwarder” and value “Publisher” of it=“Splunk, Inc.”) as string & “etc\system\local\deploymentclient.conf”) as trimmed string | “N/A”

Thank you !

JasonWalker 2021-05-12 20:47:24 UTC #6

Can you give the pathname of the file and sample file content? I don’t have a Splunk system handy anymore but with that I should be able to help.

AtanasR 2021-05-12 22:40:53 UTC #7

/opt/splunk/etc - file path

this is the content for the windows systems, i believe it is the same for Unix

[target-broker:deploymentServer]

Change the targetUri

targetUri = https://7.7.7.7:8089 (example)

AtanasR 2021-06-01 20:08:50 UTC #8

I got it working.

For UNIX it reads the data from file - /opt/splunkforwarder/etc/apps/local/deploymentclient.conf
For WIN it checks the registry

if windows of operating system then (unique values of (preceding text of last “:” of it | it) of (following text of last “.server=” of it | following text of last “.targeturi=” of it) of (it as lowercase) of variables whose(it as lowercase contains “.server=” OR it as lowercase contains “.targeturi=”) of files whose(name of it as lowercase ends with “.conf”) of folders “etc\system\local” of (folder it) of (it as string as trimmed string) of values “InstallLocation” of keys whose(exists values “DisplayName” whose(it as string contains “UniversalForwarder”) of it AND exists values whose(it as string as lowercase contains “splunk”) of it) of keys “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of (x64 registries; x32 registries)) else if unix of operating system then (unique values of (preceding text of last “:” of it | it) of (following text of last “.server=” of it | following text of last “.targeturi=” of it) of (it as lowercase) of variables whose(it as lowercase contains “.server=” OR it as lowercase contains “.targeturi=”) of file “/opt/splunkforwarder/etc/apps/local/deploymentclient.conf” ) else “Failed to determine”