About Splunk sidecars

Sidecars are processes that run alongside splunkd to perform specific functions. As long-running components, they require continuous monitoring. Sidecars extend and enhance capabilities of the Splunk environment.

Sidecars affect your Splunk platform environment as follows:

  • They appear in the process tree as subprocesses of splunkd.
  • Sidecars can occupy network ports.
  • Some operating system tools, such as endpoint security scanners in on-premises environments, might fire alerts due to their presence.

How do sidecars work?

Sidecars are defined in the manifest.yaml file.

Note: Sidecar processes don't include a splunk prefix in their names.

A process that manages sidecars is called the supervisor.

The splunkd process controls sidecar processes in the following way:

  1. splunkd initiates the supervisor.
  2. The supervisor starts and monitors sidecars and sends metrics.
  3. The supervisor also restarts unhealthy and terminated sidecars if they are listed in the manifest.yaml file.
  4. If splunkd stops running, the supervisor and sidecars might continue running, but are restarted when splunkd restarts.
     For example, the supervisor and sidecars might continue running in these scenarios:
     • splunkd is killed or crashes.
     • Sidecars do not shut down promptly after the splunk stop command is run. This delay blocks the graceful shutdown of the supervisor. As a result, splunkd terminates its direct child, the supervisor, which may leave the sidecars running. When the supervisor restarts, it detects and restarts these sidecars.

List of sidecars

The following table presents the supervisor, available sidecars, and basic information about each process.

| Sidecar name | Process name | Description | Compatibility |
|---|---|---|---|
| Supervisor | compsup | Starts and monitors sidecars and sends metrics. | |
| SCIM | identity | Automatically deletes users removed by an administrator from the organization's Identity provider. Uses the System for Cross-domain Identity Management (SCIM) standard. | Available on the Splunk platform. |
| Agent Management | agent-manager | Manages a large number of different types of Splunk agents, such as the Universal forwarder. To learn more, see About deployment server and forwarder management. | Available on Splunk Enterprise. |
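
The following added example (not Splunk code) shows how a process listing can be triaged against the behavior described above, so that endpoint alerts on sidecars can be told apart from leftovers of a splunkd crash. It assumes that sidecars run as children of compsup, that orphaned processes are reparented to PID 1, and that the listing is in `ps -eo pid,ppid,comm` layout; the sample listing and the status labels are constructed for illustration.

```python
SUPERVISOR = "compsup"
# Process names from the table on this page; extend for your Splunk version.
KNOWN_SIDECARS = {"identity", "agent-manager"}

# Constructed sample in `ps -eo pid,ppid,comm` layout (not real output).
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 systemd
 2100     1 splunkd
 2150  2100 compsup
 2160  2150 identity
 2161  2150 agent-manager
 2162  2150 helperd
 3150     1 compsup
 3160  3150 identity
 4000     1 identity
"""

def parse_ps(text):
    """Return {pid: (ppid, command)} from the listing, skipping the header."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            procs[int(parts[0])] = (int(parts[1]), parts[2].strip())
    return procs

def classify(procs):
    """Label supervisor and sidecar processes by name and by parent."""
    def name(pid):
        return procs.get(pid, (0, ""))[1]
    result = {}
    for pid, (ppid, comm) in procs.items():
        if comm == SUPERVISOR:
            # Expected parent is splunkd; otherwise splunkd died or was killed.
            result[pid] = "supervisor" if name(ppid) == "splunkd" else "orphaned-supervisor"
        elif name(ppid) == SUPERVISOR:
            result[pid] = "sidecar" if comm in KNOWN_SIDECARS else "unlisted-child"
        elif comm in KNOWN_SIDECARS:
            # Leftover sidecar or an unrelated process reusing the name:
            # confirm the executable path before allowlisting it.
            result[pid] = "name-match-outside-tree"
    return result

if __name__ == "__main__":
    for pid, status in sorted(classify(parse_ps(SAMPLE_PS)).items()):
        print(pid, status)
```

Because sidecar names carry no splunk prefix, the parent relationship is what ties a process to the Splunk installation; a name match alone does not.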