Deployment Architecture

Splunk sourcetype top to capture memory in terabyte

harry521
New Member

Splunk has a top sourcetype which can help to monitor the system resource usage. I recently ran into a problem while the RH7 outputs RES in terabyte(t) while process is over 10G of memory usage. The top output in Splunk is in KB as what I understand, and converts MB, GB correctly, but not TB. I had looked into the top script and sourcetype. Find no clue how MB or GB is converted. Any solution?

0 Karma

harry521
New Member

I actually found an answer for myself and it's simple. Instead of using "top" for memory, I switched to "ps". And the column "RSZ_KB" is the "RES" from top output. No more issue when memory go over 10G.

0 Karma

harry521
New Member

I looked into it a little bit more. I found out that might be something related to RH 7. I have RH 6 being monitored and that works well. For example: On both RH7 and 6, if RES is under 10G, it will be output the value converted to KB, like 10,000,000. However, on RH7, when it's above 10 G, it will be converted to TB like 0.01 and so on. This messed up my memory time chart.

I'm using splunk 6.5. Is there possibly a newer version has a patch or update of the top.sh script?

0 Karma

niketn
Legend

@harry521, what is the current query that you are running?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

harry521
New Member

simply execute ./bin/top.sh every x sec and search for sourcetype=top.

index=os sourcetype=top COMMAND="java"

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...