About Splunk sidecars

A sidecar is a process that runs alongside splunkd to perform specific functions. As a long-running component, it requires continuous monitoring. Sidecars extend and enhance capabilities of the Splunk environment.

Sidecars affect your Splunk platform environment as follows:

  • They appear in the process tree as subprocesses of splunkd.
  • Sidecars can occupy network ports.
  • Some operating system tools, such as endpoint security scanners in on-premises environment, might fire alerts due to their presence.

How does the SCIM sidecar work?

The SCIM sidecar is available on the Splunk platform. It automatically deletes users removed by an administrator from the organization's Identity provider. This sidecar complies with the System for Cross-domain Identity Management (SCIM) standard.

The SCIM sidecar is listed in the manifest.yaml file.

A process that manages the SCIM sidecar is called the supervisor.

The splunkd process controls compsup, the process of the SCIM sidecar, in the following way:

  1. splunkd initiates the supervisor.
  2. The supervisor starts and monitors the SCIM sidecar and sends metrics.
  3. If the SCIM sidecar becomes unhealthy and terminates, the supervisor restarts it.
  4. If splunkd stops, the supervisor and the SCIM sidecar might continue running, but are restarted when splunkd restarts.
    For example, they might continue running in these scenarios:

    • splunkd is killed or crashes.

    • The SCIM sidecar does not shut down promptly after the splunk stop command is run. This delay blocks the graceful shutdown of the supervisor. As a result, splunkd terminates its direct child, the supervisor, which may leave the SCIM sidecar running. When the supervisor restarts, it restarts the SCIM sidecar.