Unix/Linux process not running as user

I’m trying to find a process in unix/linux that is running, but not as a specified user. There are actually 2 processes with the name I’m looking for:

[root@dtutest opt]# ps axuww |grep [s]plunkd
splunk   12010  0.3  2.6 193104 105560 ?       Sl   10:50   0:03 splunkd -p 8089 restart
splunk   12017  0.0  0.2  65672 11216 ?        Ss   10:50   0:00 [splunkd pid=12010] splunkd -p 8089 restart [process-runner]

I want to narrow this down to the process that doesn’t have ‘process-runner’ in the command line arguments and then from there, I want to know if the process isn’t running as the splunk user. Here’s what I’ve tried, but I just can’t get the syntax correct:

Q: exists command line arguments whose (it as lowercase does not contain "runner") of process "splunkd"
E: Singular expression refers to non-unique object.
T: 13007

Q: name of user of process "splunkd"
A: splunk
E: Singular expression refers to non-unique object.
T: 7196

I have no idea how to actually get what I’m looking for, but pretty sure it’s possible. I feel like this is close but not getting what I want:

Q: name of user of process whose (name of it is "splunkd" and not exists command line arguments whose (it as lowercase does not contain "runner") of process "splunkd")
E: Singular expression refers to nonexistent object.
T: 21751

Any ideas?

Well, if anyone is reading this, I found the answer with a bit more Google-Fu…

exists processes whose (name of it = "splunkd" and name of user of it = "splunk")

3 Likes

It looks like your issue was just missing a plural. For a guide on how plurals work see this: https://developer.bigfix.com/relevance/guide/basics/singular-and-plural.html

The root of it is that when you do something like process "splunkd" you are saying, “give me the process with the name of splunkd”. Using the singular “process” is telling the relevance engine that you are expecting exactly one result.

Here’s the result of this:

Q: name of process "test.exe"
E: Singular expression refers to nonexistent object.

Q: name of process "explorer.exe"
A: explorer.exe

Q: name of process "svchost.exe"
A: svchost.exe
E: Singular expression refers to non-unique object.

The only one that returned an answer instead of an error was the “explorer.exe” example because it was the only one that returned exactly one result.

So how do we work with this? With plurals. Instead of telling the relevance engine “process”, let’s try “processes” (the plural form):

Q: names of processes "test.exe"

Q: names of processes "explorer.exe"
A: explorer.exe

Q: names of processes "svchost.exe"
A: svchost.exe
A: svchost.exe

When we use a plural we are telling the relevance engine to expect 0+ results, so 0 results is acceptable, 1 result is acceptable, and 100 results are acceptable.

So your error is because you’re telling the relevance engine that you want the process named splunkd but the relevance engine is seeing more than one and erroring as a result.

Try:

exists command line arguments whose (it as lowercase does not contain "runner") of processes "splunkd"

or

names of processes "splunkd" whose (not exists command line arguments whose (it as lowercase does not contain "runner") of it)

Bill
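
A shell cross-check for the original question (a splunkd main process, ignoring the process-runner helper, that is not owned by the splunk account), added here as an example and not part of any post in the thread. The function names `find_wrong_user` and `sample_ps` are hypothetical, the sample lines are constructed, and the command name is assumed to contain no spaces.

```shell
#!/bin/sh
# Reads lines in the format produced by
#   ps -eo user=,pid=,comm=,args=
# and prints "PID USER" for every matching process that is NOT owned by
# the expected account, skipping helper processes whose arguments
# contain a marker string.
find_wrong_user() {
    # $1 = command name, $2 = expected user, $3 = marker for helpers to skip
    awk -v name="$1" -v want="$2" -v skip="$3" '
        $3 == name {
            # Rebuild the argument string from field 4 onward.
            args = ""
            for (i = 4; i <= NF; i++) args = args " " $i
            # Case-insensitive match, like "it as lowercase" in the thread.
            if (index(tolower(args), tolower(skip)) > 0) next   # helper process
            if ($1 != want) print $2, $1                         # wrong owner
        }'
}

# Constructed sample. The first two lines mirror the ps output in the
# question; the last two simulate a second instance started as root.
sample_ps() {
    cat <<'EOF'
splunk   12010 splunkd splunkd -p 8089 restart
splunk   12017 splunkd [splunkd pid=12010] splunkd -p 8089 restart [process-runner]
root     14001 splunkd splunkd -p 8089 start
root     14008 splunkd [splunkd pid=14001] splunkd -p 8089 start [process-runner]
EOF
}

# Live use:
#   ps -eo user=,pid=,comm=,args= | find_wrong_user splunkd splunk process-runner
sample_ps | find_wrong_user splunkd splunk process-runner
```

Like the plural form in relevance, the function handles zero, one or many matching processes: it prints one line per offender and nothing at all when every main process runs as the expected user.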