I can get RSZ_KB and VSZ_KB stats from sourcetype=ps (and from top also but in different fields). These both values don't give us exact stats about how much swap space each process is using.

Here is the method I am using to calculate that on my Linux host:

grep Swap /proc/[1-9]*/smaps | grep -v '\W0 kB' > /tmp/swap1.out
sort -n -r -k2 /tmp/swap1.out > /tmp/swap.out

So now I can see in "swap.out" how much swap space each PID is using.

Can Splunk add a script to calculate swap for each PID in *NIX app or elsewhere?

Thanks.