Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit ps.sh to limit process getting in ingest for Splunk Add-on for Unix and Linux

tgmvt03
Engager
‎08-21-2018 01:01 PM

Hello,
I'm trying to only get a certain server processes to ingest to splunk index using Splunk Add-on for Unix and Linux script by editing the ps.sh script by adding grep command in there. like below.
However i'm getting error like
ERROR: Unsupported option (BSD syntax)
or
ERROR: Garbage option.

edit:
CMD='ps auxww|grep nc'

Could someone please direct me to document how to add grep in or some guidance how to get this ps.sh script to works?

thank you

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-21-2018 08:44 PM

@tgmvt03 ,

Depending on your OS version, you could add the list of commands (process names) to be displayed using -C. Grep will remove the headers also which is used in final output

For e.g. for common Linux version, change the command

from

CMD='ps -wweo uname,pid,psr,pcpu,cputime,pmem,rsz,vsz,tty,s,etime,args'

to

CMD='ps -wwo uname,pid,psr,pcpu,cputime,pmem,rsz,vsz,tty,s,etime,args -C splunkd'

Two main differences :

  • Removed e from the command which is for selecting all processes.
  • Added -C with the command list - here for example splunkd

Have a look at ps man page

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-21-2018 08:44 PM

@tgmvt03 ,

Depending on your OS version, you could add the list of commands (process names) to be displayed using -C. Grep will remove the headers also which is used in final output

For e.g. for common Linux version, change the command

from

CMD='ps -wweo uname,pid,psr,pcpu,cputime,pmem,rsz,vsz,tty,s,etime,args'

to

CMD='ps -wwo uname,pid,psr,pcpu,cputime,pmem,rsz,vsz,tty,s,etime,args -C splunkd'

Two main differences :

  • Removed e from the command which is for selecting all processes.
  • Added -C with the command list - here for example splunkd

Have a look at ps man page

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...