- Splunk Answers
- :
- Splunk Premium Solutions
- :
- IT Ops Premium Solutions
- :
- Splunk IT Service Intelligence
- :
- Top 5 UNIX/Linux processes as per CPU
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Top 5 UNIX/Linux processes as per CPU
I am trying to build a dashboard for listing of 5 top unix processes by CPU by using macro Top_5_CPU_Processes_by_Host(*) as listed in following link:-
https://docs.splunk.com/Documentation/UnixApp/5.2.4/User/Savedsearches
Can someone please guide me how to use this macro search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First make sure you deploy the Splunk Add-on for Unix and Linux on the servers you are trying to monitor (universal forwarders). By doing this, you will be receiving data from these servers as mentioned on the add-on documentation.
http://docs.splunk.com/Documentation/AddOns/released/UnixLinux/About
This add-on will populate the index and sourcetypes needed so you can run search queries against it to build reports/dashboards, and populate data for the App.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can directly call this macro in your search/dashboard provided the dashboard has access to this macro - in other terms, share this macro with the app where you are creating the dashboard,
Try executing this macro in your search bar with " `Top_5_CPU_Processes_by_Host(*) ` " . Make sure that you have the backticks (`) while calling the macro
Alternatively, you can use the search which is used behind this macro
index=os sourcetype=top host=* | stats max(pctCPU) as maxCPU by host, COMMAND, _time | sort -maxCPU | dedup 5 host
Change the index if you are using other index than os
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also , where can we check commands running behind macros?
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Ranjith,
Is there a way I can check commands running behind Macros?
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, just open the macros.conf from the app's default/local directory and you should see this macro definition
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Control Shift E will expand macros, as documented here , in newer Splunk versions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Nair for your reply.
There is not sourcetype=top , so could not get any result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@bsaujla131984 ,
Have you enabled the input for top in your inputs.conf ?
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
