BigFix property to check if service is running - Linux

So I’m trying to create a BigFix property which will be used for analysis.

The purpose of that property is to check the status of a given service on Linux machines - Running or Stopped

Tried something like that but without success:
exists process whose (name of it as string as lowercase = "splunkd") then "Running" else "Stopped") else "")

Any ideas?

Thanks !

Not enough ‘if’ and too many ‘else’, I think. Try

If exists processes whose (name of it as string as lowercase = "splunkd") then "Running" else "Stopped"

Bingo !

It works perfect

Thank you


This guy (me) that’s been doing exists running service "ServiceName" forever and completely forgot about processes :smiley:

Thanks for the reminder guys :slight_smile:


Hi @JasonWalker, I found an old Splunk analysis written by you and I'm trying to update a few of the properties to work on Unix.

https://bigfix.me/analysis/details/2994522

Do you have any idea how I can modify the SplunkServerURI property to work for Unix as well?

following text of first "=" of (it) of line whose( ( if it does not contain ";" then it else preceding text of first ";" of it) as uppercase contains "TARGETURI" ) of file (value "InstallLocation" of (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it="Splunk, Inc.") as string & "etc\system\local\deploymentclient.conf") as trimmed string | "N/A"

Thank you !

Can you give the pathname of the file and sample file content? I don’t have a Splunk system handy anymore but with that I should be able to help.

/opt/splunk/etc - file path

This is the content for the Windows systems; I believe it is the same for Unix.

[target-broker:deploymentServer]

Change the targetUri

targetUri = https://7.7.7.7:8089 (example)

I got it working.

For UNIX it reads the data from file - /opt/splunkforwarder/etc/apps/local/deploymentclient.conf
For WIN it checks the registry

if windows of operating system then (unique values of (preceding text of last ":" of it | it) of (following text of last ".server=" of it | following text of last ".targeturi=" of it) of (it as lowercase) of variables whose(it as lowercase contains ".server=" OR it as lowercase contains ".targeturi=") of files whose(name of it as lowercase ends with ".conf") of folders "etc\system\local" of (folder it) of (it as string as trimmed string) of values "InstallLocation" of keys whose(exists values "DisplayName" whose(it as string contains "UniversalForwarder") of it AND exists values whose(it as string as lowercase contains "splunk") of it) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)) else if unix of operating system then (unique values of (preceding text of last ":" of it | it) of (following text of last ".server=" of it | following text of last ".targeturi=" of it) of (it as lowercase) of variables whose(it as lowercase contains ".server=" OR it as lowercase contains ".targeturi=") of file "/opt/splunkforwarder/etc/apps/local/deploymentclient.conf" ) else "Failed to determine"

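An added example, not part of the thread or any poster's code: a small Python model of the Unix branch of the expression above, for predicting what the property will report for a given deploymentclient.conf before the analysis is deployed. It assumes `variables of file` yields `[section].key=value` strings with the whitespace around `=` removed, which the posted expression relies on; the function names, the `digits_only_port` variant and the sample content are constructed here.

```python
# Constructed sample, based on the file content quoted in the thread.
SAMPLE = """[target-broker:deploymentServer]
targetUri = https://7.7.7.7:8089
"""


def variables(conf_text):
    """Model of `variables of file`: one '[section].key=value' string per setting (assumed format)."""
    section, found = "", []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line
        elif "=" in line:
            key, value = line.split("=", 1)
            found.append(f"{section}.{key.strip()}={value.strip()}")
    return found


def text_after_last(text, marker):
    """`following text of last <marker>`; None stands in for 'does not exist'."""
    pos = text.rfind(marker)
    return None if pos < 0 else text[pos + len(marker):]


def deployment_servers(conf_text, digits_only_port=False):
    """Mirror the posted Unix branch; digits_only_port=True is a hypothetical stricter variant."""
    results = set()
    for var in (v.lower() for v in variables(conf_text)):
        if ".server=" not in var and ".targeturi=" not in var:
            continue
        value = text_after_last(var, ".server=")
        if value is None:                      # the `|` fallback in the relevance
            value = text_after_last(var, ".targeturi=")
        head, sep, tail = value.rpartition(":")
        if not sep or (digits_only_port and not tail.isdigit()):
            results.add(value)                 # no ":" (or not a port): keep the whole value
        else:
            results.add(head)                  # `preceding text of last ":"`
    return sorted(results)                     # `unique values` de-duplicates and sorts


if __name__ == "__main__":
    print(deployment_servers(SAMPLE))
    print(deployment_servers("[x]\ntargetUri = https://ds.example.test"))
```

In this model a targetUri that has a scheme but no port is reported as just `https`, because the last `:` in the value is the one after the scheme; the `digits_only_port=True` variant keeps the full value in that case.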