https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393725#M740 <P>Control Shift E will expand macros, as documented <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesearchmacros">here</A> , in newer Splunk versions</P> Thu, 27 Sep 2018 23:01:07 GMT gjanders 2018-09-27T23:01:07Z https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393721#M736 <P>I am trying to build a dashboard for listing of 5 top unix processes by CPU by using macro Top_5_CPU_Processes_by_Host(*) as listed in following link:-</P> <P><A href="https://docs.splunk.com/Documentation/UnixApp/5.2.4/User/Savedsearches" target="_blank">https://docs.splunk.com/Documentation/UnixApp/5.2.4/User/Savedsearches</A></P> <P>Can someone please guide me how to use this macro search?</P> Tue, 29 Sep 2020 21:23:32 GMT https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393721#M736 bsaujla131984 2020-09-29T21:23:32Z https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393722#M737 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/137505">@bsaujla131984</a> ,</P> <P>You can directly call this macro in your search/dashboard provided the dashboard has access to this macro - in other terms, share this macro with the app where you are creating the dashboard,</P> <P>Try executing this macro in your search bar with " `Top_5_CPU_Processes_by_Host(*) ` " . Make sure that you have the backticks (`) while calling the macro</P> <P>Alternatively, you can use the search which is used behind this macro</P> <PRE><CODE>index=os sourcetype=top host=* | stats max(pctCPU) as maxCPU by host, COMMAND, _time | sort -maxCPU | dedup 5 host </CODE></PRE> <P>Change the index if you are using other index than <CODE>os</CODE></P> Tue, 29 Sep 2020 21:23:43 GMT https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393722#M737 renjith_nair 2020-09-29T21:23:43Z https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393723#M738 <P>Thanks Nair for your reply.</P> <P>There is not sourcetype=top , so could not get any result.</P> Thu, 27 Sep 2018 03:42:51 GMT https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393723#M738 bsaujla131984 2018-09-27T03:42:51Z https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393724#M739 <P>Also , where can we check commands running behind macros?</P> <P>Thanks,</P> Thu, 27 Sep 2018 03:49:48 GMT https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393724#M739 bsaujla131984 2018-09-27T03:49:48Z https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393725#M740 <P>Control Shift E will expand macros, as documented <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesearchmacros">here</A> , in newer Splunk versions</P> Thu, 27 Sep 2018 23:01:07 GMT https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393725#M740 gjanders 2018-09-27T23:01:07Z https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393726#M741 <P>@bsaujla131984 ,</P> <P>Have you enabled the input for top in your inputs.conf ? </P> Fri, 28 Sep 2018 12:37:18 GMT https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393726#M741 renjith_nair 2018-09-28T12:37:18Z https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393727#M742 <P>Hello Ranjith,</P> <P>Is there a way I can check commands running behind Macros?</P> <P>Thanks,</P> Sun, 30 Sep 2018 01:00:15 GMT https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393727#M742 bsaujla131984 2018-09-30T01:00:15Z https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393728#M743 <P>First make sure you deploy the Splunk Add-on for Unix and Linux on the servers you are trying to monitor (universal forwarders). By doing this, you will be receiving data from these servers as mentioned on the add-on documentation.</P> <P><A href="http://docs.splunk.com/Documentation/AddOns/released/UnixLinux/About">http://docs.splunk.com/Documentation/AddOns/released/UnixLinux/About</A></P> <P>This add-on will populate the index and sourcetypes needed so you can run search queries against it to build reports/dashboards, and populate data for the App.</P> Sun, 30 Sep 2018 17:31:04 GMT https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393728#M743 dedwards93 2018-09-30T17:31:04Z https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393729#M744 <P>Yes, just open the macros.conf from the app's default/local directory and you should see this macro definition</P> Mon, 01 Oct 2018 16:11:24 GMT https://community.splunk.com/t5/Splunk-ITSI/Top-5-UNIX-Linux-processes-as-per-CPU/m-p/393729#M744 renjith_nair 2018-10-01T16:11:24Z