Splunk IT Service Intelligence

Top 5 UNIX/Linux processes as per CPU

bsaujla131984
Path Finder

I am trying to build a dashboard for listing of 5 top unix processes by CPU by using macro Top_5_CPU_Processes_by_Host(*) as listed in following link:-

https://docs.splunk.com/Documentation/UnixApp/5.2.4/User/Savedsearches

Can someone please guide me how to use this macro search?

0 Karma

dedwards93
New Member

First make sure you deploy the Splunk Add-on for Unix and Linux on the servers you are trying to monitor (universal forwarders). By doing this, you will be receiving data from these servers as mentioned on the add-on documentation.

http://docs.splunk.com/Documentation/AddOns/released/UnixLinux/About

This add-on will populate the index and sourcetypes needed so you can run search queries against it to build reports/dashboards, and populate data for the App.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@bsaujla131984 ,

You can directly call this macro in your search/dashboard provided the dashboard has access to this macro - in other terms, share this macro with the app where you are creating the dashboard,

Try executing this macro in your search bar with " `Top_5_CPU_Processes_by_Host(*) ` " . Make sure that you have the backticks (`) while calling the macro

Alternatively, you can use the search which is used behind this macro

index=os sourcetype=top host=* | stats max(pctCPU) as maxCPU by host, COMMAND, _time | sort -maxCPU | dedup 5 host

Change the index if you are using other index than os

Happy Splunking!
0 Karma

bsaujla131984
Path Finder

Also , where can we check commands running behind macros?

Thanks,

0 Karma

bsaujla131984
Path Finder

Hello Ranjith,

Is there a way I can check commands running behind Macros?

Thanks,

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Yes, just open the macros.conf from the app's default/local directory and you should see this macro definition

Happy Splunking!
0 Karma

gjanders
SplunkTrust
SplunkTrust

Control Shift E will expand macros, as documented here , in newer Splunk versions

0 Karma

bsaujla131984
Path Finder

Thanks Nair for your reply.

There is not sourcetype=top , so could not get any result.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@bsaujla131984 ,

Have you enabled the input for top in your inputs.conf ?

Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...