Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

Start and stop Splunk UBA services from the command line

You can use some common command line interface (CLI) commands to perform the following administrative tasks in Splunk UBA:

You must be logged in to the Splunk UBA management node as the caspida user to run these commands.

Task CLI Commands
Stop and start the Splunk UBA web interface. Run the following commands on the management node:
sudo service caspida-ui stop
sudo service caspida-ui start
Stop and start the resource monitor services. Run the following commands on the management node:
sudo service caspida-resourcesmonitor stop
sudo service caspida-resourcesmonitor start

You can also tail the resource monitor log files to help you troubleshoot:

tail -f /var/log/caspida/monitor/resourcesMonitor.out
Synchronize configuration changes to all nodes in a distributed deployment. In any distributed deployment, changes to the /etc/caspida/local/conf/uba-site.properties file must be synchronized to all nodes in the cluster. To do this, run the following command on the management node:
/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf

For information on setting Splunk UBA configuration properties, see Manage Splunk UBA configuration properties in the uba-site.properties file.

Stop and start only the Splunk UBA services on all nodes. The following services are stopped:
  • kafka-server
  • caspida-jobmanager
  • caspida-eventstore
  • caspida-outputconnector
  • caspida-jobagent
  • caspida-ui
  • caspida-offlineruleexec
  • caspida-realtimeruleexec
  • caspida-resourcesmonitor
  • caspida-sysmon
  • spark-master
  • spark-worker
  • spark-history
Run the following commands on the management node:
/opt/caspida/bin/Caspida stop
/opt/caspida/bin/Caspida start
Stop and start Splunk UBA services (listed with the /opt/caspida/bin/Caspida stop/start command) and all dependent platform services on all nodes:
  • zookeeper-server
  • hadoop-hdfs-namenode
  • hadoop-hdfs-datanode
  • hadoop-hdfs-secondarynamenode
  • influxdb
  • postgresql
  • redis-server
  • hive-metastore
  • impala-state-store
  • impala-catalog
  • impala-server
  • docker
  • kubelet
Run the following commands on the management node:
/opt/caspida/bin/Caspida stop-all
/opt/caspida/bin/Caspida start-all
Stop and start the Splunk UBA containers. Run the following commands on the management node:
/opt/caspida/bin/Caspida stop-containers
/opt/caspida/bin/Caspida start-containers
Stop and start the Splunk UBA data sources. Run the following commands on the management node:
/opt/caspida/bin/Caspida stop-datasources
/opt/caspida/bin/Caspida start-datasources
Check the version number of your Splunk UBA packages. Run the following command on Ubuntu systems:
wget --version

Run the following command on other supported Linux systems:

rpm -qa | grep wget
Get a list of the nodes in your Splunk UBA cluster.
grep caspida.cluster.nodes /opt/caspida/conf/deployment/caspida-deployment.conf
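
To confirm that a sync-cluster run actually reached every node returned by the node-list command, the following script reports any node whose uba-site.properties differs from the management node's copy. It is an added example, not part of the Splunk documentation or product. It assumes that caspida.cluster.nodes is a comma-separated list after "=" and that the caspida user has key-based SSH to every node; the function names and the --check flag are hypothetical.

```shell
#!/bin/sh
# Added example (not Splunk code): report nodes whose uba-site.properties
# differs from the management node's copy, for example after sync-cluster.

CONF=/opt/caspida/conf/deployment/caspida-deployment.conf
PROPS=/etc/caspida/local/conf/uba-site.properties

# Print one node per line. Assumed line format:
#   caspida.cluster.nodes=host1,host2,host3
uba_nodes() {
  grep '^[[:space:]]*caspida\.cluster\.nodes[[:space:]]*=' "$1" | head -n 1 |
    cut -d= -f2- | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Read a file from a node. Assumes key-based SSH from the management node;
# BatchMode makes an unreachable node fail instead of prompting.
fetch_props() {
  ssh -n -o BatchMode=yes -o ConnectTimeout=5 "$1" cat "$2"
}

# Print "<node> DRIFT" or "<node> UNREACHABLE" for each bad node.
# Returns 0 only when every node matches the local reference copy
# (trailing newlines are ignored by the comparison).
uba_drift() {
  drift_ref=$(cat "$2") || return 2
  drift_rc=0
  for drift_node in $(uba_nodes "$1"); do
    if ! drift_body=$(fetch_props "$drift_node" "$2" 2>/dev/null); then
      echo "$drift_node UNREACHABLE"; drift_rc=1
    elif [ "$drift_body" != "$drift_ref" ]; then
      echo "$drift_node DRIFT"; drift_rc=1
    fi
  done
  return $drift_rc
}

# Run only when asked, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--check" ]; then
  uba_drift "$CONF" "$PROPS"
fi
```

A nonzero exit status means at least one node is out of sync or could not be read, which makes the script usable as a post-change check on the management node.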
Last modified on 13 December, 2023

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1

