About Splunk sidecars
Sidecars are processes that run alongside splunkd to fulfill specific functions. They are long-running which means that they take a significant amount of time to complete and require monitoring.
Sidecars support introducing and improving capabilities in the Splunk environment. For example, several sidecars support enhanced data management in the on-premises environment. Using sidecars allows flexible feature development, efficient distribution of workloads, and improved system performance.
Sidecars are available on Splunk Enterprise and Splunk Cloud Platform. They affect your environment as follows:
- You can see multiple sidecars in the process tree as subprocesses of splunkd. Sidecars can occupy network ports.
- Some operating system tools, such as endpoint security scanners running in the on-premises environment, might fire alerts due to the changes related to sidecars.
How do sidecars work?
Sidecars included in Splunk Enterprise are listed in the manifest.yaml file.
You can distinguish the following types of sidecars:
- Sidecars that deploy features.
- Sidecars that support sidecars that deploy features, like IPC Broker and Spotlight.
A process that manages sidecars is called the supervisor.
-
It starts the supervisor sidecar.
-
The supervisor sidecar starts and monitors other sidecars and sends metrics.
-
The supervisor also restarts unhealthy and terminated sidecars if the manifest.yaml file specifies that they are enabled.
-
If splunkd stops running, sidecars might continue running, but are also restarted when splunkd restarts.
List of sidecars
The following table presents the supervisor, available sidecars, and basic information about each process.
| Sidecar name | Process name | Description | Compatibility |
|---|---|---|---|
| Supervisor | compsup | Starts and monitors sidecars and sends metrics. | |
| SCIM | identity |
Automatically deletes users removed by an administrator from the organization's Identity provider. Uses the standard System for Cross-domain Identity Management (SCIM) standard. |
Available on the Splunk platform. |
| Storage | postgres |
Helps manage the processes necessary to deploy a postgres instance. Supports enhanced data management in Splunk Enterprise. |
Available only on the Linux operating system. Available for single search heads. |
| Data Orchestration (DO) | cmp-orchestrator |
Coordinates running SPL2 searches, gathering results, and managing search metadata and SPL2 module files. Supports enhanced data management in Splunk Enterprise. |
Available on Splunk Enterprise. |
| Edge Processor Control Plane | edge-processor-config |
Enables Splunk Enterprise users to access Edge Processor features. Supports enhanced data management in Splunk Enterprise. |
Available only on the Linux operating system. Available for single search heads. |
| OpAmp | opamp-svc | Manages remote agents using Open Agent Management Protocol (OpAmp), such as Edge Processor or OpenTelemetry Connector. To learn more about this protocol, see https://opentelemetry.io/docs/specs/opamp in OpenTelemetry documentation. Supports enhanced data management in Splunk Enterprise. |
Available only on Linux operating system. Available for single search head and single deployment server configurations. |
| Agent Management | agent-manager | Manages a large number of different types of Splunk agents, such as the Splunk Universal ForwarderNo Content found for https://docs.splunk.com/Splexicon:Universalforwarder. | Available on Splunk Enterprise. |
| IPC Broker | ipc_broker | Handles inter-process communication between sidecars, such as assignment and discovery of ports. | Available on the Splunk platform. |
| Spotlight | spotlight-collector | On the Splunk platform, it enables metrics. On Splunk Enterprise, it also collects and saves telemetry data from sidecars and other components. | Available on the Splunk platform. |