About Splunk sidecars
Sidecars are processes that run alongside splunkd to perform specific functions. As long-running components, they require continuous monitoring. Sidecars extend and enhance capabilities of the Splunk environment.
Sidecars affect your Splunk platform environment as follows:
- They appear in the process tree as subprocesses of splunkd.
- Sidecars can occupy network ports.
- Some operating system tools, such as endpoint security scanners in on-premises environment, might fire alerts due to their presence.
How do sidecars work?
Sidecars are defined in the manifest.yaml file.
A process that manages sidecars is called the supervisor.
The splunkd process controls sidecar processes in the following way:
- splunkd initiates the supervisor.
- The supervisor starts and monitors sidecars and sends metrics.
- If sidecars become unhealthy and terminate, the supervisor restarts them. Note: The supervisor restarts a specific sidecar if the manifest.yaml file states that this sidecar is enabled.
- If splunkd stops, sidecars might continue running, but are restarted when splunkd restarts.
List of sidecars
The following table presents the supervisor, available sidecars, and basic information about each process.
| Sidecar name | Process name | Description | Compatibility |
|---|---|---|---|
| Supervisor | compsup | Starts and monitors sidecars and sends metrics. | |
| SCIM | identity |
Automatically deletes users removed by an administrator from the organization's Identity provider. Uses the System for Cross-domain Identity Management (SCIM) standard. |
Available on the Splunk platform. |
| Agent Management | agent-manager | Manages a large number of different types of Splunk agents, such as the Universal forwarder. To learn more, see About deployment server and forwarder management. | Available on Splunk Enterprise. |