Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit ps.sh to limit process getting in ingest for Splunk Add-on for Unix and Linux

tgmvt03
Engager
‎08-21-2018 01:01 PM

Hello,
I'm trying to only get a certain server processes to ingest to splunk index using Splunk Add-on for Unix and Linux script by editing the ps.sh script by adding grep command in there. like below.
However i'm getting error like
ERROR: Unsupported option (BSD syntax)
or
ERROR: Garbage option.

edit:
CMD='ps auxww|grep nc'

Could someone please direct me to document how to add grep in or some guidance how to get this ps.sh script to works?

thank you

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-21-2018 08:44 PM

@tgmvt03 ,

Depending on your OS version, you could add the list of commands (process names) to be displayed using -C. Grep will remove the headers also which is used in final output

For e.g. for common Linux version, change the command

from

CMD='ps -wweo uname,pid,psr,pcpu,cputime,pmem,rsz,vsz,tty,s,etime,args'

to

CMD='ps -wwo uname,pid,psr,pcpu,cputime,pmem,rsz,vsz,tty,s,etime,args -C splunkd'

Two main differences :

  • Removed e from the command which is for selecting all processes.
  • Added -C with the command list - here for example splunkd

Have a look at ps man page

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-21-2018 08:44 PM

@tgmvt03 ,

Depending on your OS version, you could add the list of commands (process names) to be displayed using -C. Grep will remove the headers also which is used in final output

For e.g. for common Linux version, change the command

from

CMD='ps -wweo uname,pid,psr,pcpu,cputime,pmem,rsz,vsz,tty,s,etime,args'

to

CMD='ps -wwo uname,pid,psr,pcpu,cputime,pmem,rsz,vsz,tty,s,etime,args -C splunkd'

Two main differences :

  • Removed e from the command which is for selecting all processes.
  • Added -C with the command list - here for example splunkd

Have a look at ps man page

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...