
How can I alter the searches being executed by *NIX app?

jchilovich
New Member

Based on other questions submitted, it looks like I might be able to change the inputs.conf file but need to make sure.

What I want to do is limit the data pulled in on 'top' & 'ps'. I want to add " | HEAD 20". If I'm reading this right, I can add that command on the line following 'source = top' as I have below. Is this correct? Is there a better way to accomplish this? Any pointers would be appreciated.

[script://./bin/top.sh]
interval = 60
sourcetype = top
| head 20 (<==== new entry)
source = top
index = os
disabled = 1


emiller42
Motivator

What you're altering there isn't a search, it's an input stanza. So that syntax isn't going to do anything functional. If you want to modify what those scripts output, you'll need to go into $SPLUNK_HOME/etc/apps/unix/bin/ and then modify the relevant script.

As to what to change in the script to accomplish what you want, that depends on the platform. You're working with shell scripts there, not Splunk specific language.

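The answer above points at the shell script rather than inputs.conf as the place to cap output. The following is an added example, not code from the thread or from the Splunk *NIX app: a small POSIX sh helper of the kind you could drop into a wrapper script under the app's bin/ directory to keep the header line plus at most N data lines of a process listing. The function names, the wrapper file name and the sample ps output are constructed for illustration; bounding scripted-input volume this way keeps index and license consumption predictable instead of depending on how many processes a host happens to be running.

```shell
#!/bin/sh
# Added example (not part of the Splunk *NIX app): cap a process listing
# to its header plus N data lines before Splunk's scripted input indexes it.
# The real command would run in a wrapper such as bin/ps_top.sh (name assumed),
# which the [script://./bin/ps_top.sh] stanza in inputs.conf would point at.

# keep_top N: pass through the header line and at most N data lines from stdin.
keep_top() {
    limit="$1"
    head -n $((limit + 1))
}

# sample_ps: constructed stand-in for `ps -eo user,pid,pcpu,pmem,comm` so the
# example runs offline; sorting by CPU is platform-specific (GNU vs BSD ps),
# which is why the thread says the exact command depends on the platform.
sample_ps() {
    printf '%s\n' \
        'USER       PID %CPU %MEM COMMAND' \
        'root         1  0.0  0.1 init' \
        'splunk    2345 12.3  4.5 splunkd' \
        'www-data  3456  0.5  0.2 nginx' \
        'postgres  4567  3.2  2.0 postgres'
}

# count_data_lines N: how many non-header lines survive keep_top N.
count_data_lines() {
    sample_ps | keep_top "$1" | tail -n +2 | wc -l | tr -d ' '
}

# Usage in the wrapper script Splunk actually executes (not run here):
#   ps -eo user,pid,pcpu,pmem,comm | keep_top 20
```

The same pattern applies to top.sh: pipe the command's output through `keep_top` inside the script, and leave the inputs.conf stanza (interval, sourcetype, source, index) as it is, since Splunk only uses that stanza to schedule the script and tag what it emits.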