Solved: Re: How to create visualizations by using Unix top...

rajgowd1 · ‎01-17-2017

Hi,
i have a cronjob which has some performance related scripts which run for every 5 mins and sends output to indexed folder.

attaching the top command output: link text

I'd like respective graphs using Unix top command output. How can we create the visualizations by using top output? any help is appreciated

woodcock · ‎01-17-2017

First make sure that each run's output is treated as a single event:
https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Configureeventlinebreaking

Then use multikv to create multiple events from that:
http://blogs.splunk.com/2007/08/23/ripping-mulitline-events-at-seach-time/
https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Multikv

View solution in original post

woodcock · ‎01-19-2017

For uptime, you do not multikv, just send the entire output in as a single event and use a field extraction like this:

... | rex "(?<time>.*)\s+up\s+(?<updays>.*)\s+days,\s+(?<uphours>\d+):(?<upminutes>\d+),\s+(?<num_users>\d+)\s+users,\s+load\s+average:\s+(?<avgload_1minute>.+),\s+(?<avgload_5minutes>.+),\s+(?<avgload_15minutes>.+)"

rajgowd1 · ‎01-19-2017

Thank you,I was not able to copy my output.

Usually when we run uptime command in Linux it shows load average with 3 values delimited by a comma.
Can we visualize these load average values in any kind of chart.

woodcock · ‎01-19-2017

You can then add this:

... | timechart avg(avgload*) BY host

woodcock · ‎01-17-2017

First make sure that each run's output is treated as a single event:
https://docs.splunk.com/Documentation/Splunk/6.5.1/Data/Configureeventlinebreaking

Then use multikv to create multiple events from that:
http://blogs.splunk.com/2007/08/23/ripping-mulitline-events-at-seach-time/
https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Multikv

rajgowd1 · ‎01-17-2017

thank you,i am checking and working on it,i will update on this thread once i implement the same

rajgowd1 · ‎01-19-2017

Hi,
i am working on uptime command.can we show below uptime load average results in line chart?

13:43:55 up 74 days, 4:08, 2 users, load average: 0.11, 0.05, 0.01

rajgowd1 · ‎01-19-2017

i have written a script which display output like below.can we create any kind of chart with below out put

woodcock · ‎01-19-2017

Post the output of the script here.

somesoni2 · ‎01-17-2017

Is the output of whole command available in Splunk as part of one event?

rajgowd1 · ‎01-17-2017

No,
when i index the output,i selected source type as generic_single_line,so its displaying each line as one event.

i am not very sure,which one is good for displaying like total output as one event or each line as one event.

rajgowd1 · ‎01-17-2017

will it work if i make it as one event?

rajgowd1 · ‎01-17-2017

can we show them based on top output like

total memory
used memory
free and cached
total swap
used swap
free and buffered swap

top users consumed CPU,memory and PID

How to create visualizations by using Unix top command output?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation