Splunk Enterprise

Splunk Addon for nix Not showing the entire COMMAND name

ocgovsplunk
Engager

Hi all, 

 

I have deployed the splunk Addon for Nix on my Linux Server and enabled the top.sh script.

The script does not return my full command names, it does add a '+' plus sign at the end of command which are longer. The log looks like this 

 

 826  root              20     0  474240    8664    6640   S     0.0     0.1      18:36.67  NetworkMan+

 

 

When I run the script locally it does show the entire COMMAND Name 

 

  826  root              20     0  474240    8664    6640   S     0.0     0.1      18:36.72  NetworkManager

 

Here is my props.conf  section for it 

 

# The "app" field is the conjunction of COMMAND plus ARGS
# Note that the UNIX app joins arguments with an underscore.
EVAL-app = if(ARGS!="<noArgs>", COMMAND." ".ARGS,COMMAND)
EVAL-process = if(ARGS!="<noArgs>", COMMAND." ".ARGS,COMMAND)
EVAL-process_name = replace(COMMAND, "[\[\]()]", "")

# Truncate needless leading zeroes from the cumulative CPU time field.
EVAL-cpu_time = replace(CPUTIME, "^00:[0]{0,1}", "")
EVAL-time = replace(CPUTIME, "^00:[0]{0,1}", "")

# UsedBytes is calculated as RSZ_KB*1024. Previously it was calculated using
# %MEM and the "Mem:" header from "top -bn 1", which tended to underestimate
# compared to this value. This is a rough measure of resident set size (i.e.,
# physical memory in use).
EVAL-mem_used=RSZ_KB*1024
EVAL-UsedBytes=RSZ_KB*1024

[time]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT


[source::...top.sample]
sourcetype = top
HEADER_MODE = always
SHOULD_LINEMERGE = false

[top]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
FIELDALIAS-user = USER as user
FIELDALIAS-process = COMMAND as process
FIELDALIAS-cpu_load_percent = pctCPU as cpu_load_percent
EVAL-vendor_product = if(isnull(vendor_product), "NIX", vendor_product)

 

top.sh script 

 

. `dirname $0`/common.sh

HEADER='   PID  USER              PR    NI    VIRT     RES     SHR   S  pctCPU  pctMEM       cpuTIME  COMMAND'
PRINTF='{printf "%6s  %-14s  %4s  %4s  %6s  %6s  %6s  %2s  %6s  %6s  %12s  %-s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12}'

CMD='top'

if [ "x$KERNEL" = "xLinux" ] ; then
        CMD='top -bn 1'
        FILTER='{if (NR < 7) next}'
        HEADERIZE='{NR == 7 && $0 = header}'

assertHaveCommand $CMD
$CMD | tee $TEE_DEST | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF"  header="$HEADER"
echo "Cmd = [$CMD];  | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> $TEE_DEST

 

 

 

 

 

 

 

Labels (3)
Tags (2)
0 Karma
Get Updates on the Splunk Community!

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...