Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Enterprise
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- Splunk Addon for nix Not showing the entire COMMAN...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Addon for nix Not showing the entire COMMAND name
ocgovsplunk
Engager
03-03-2021
01:01 PM
Hi all,
I have deployed the splunk Addon for Nix on my Linux Server and enabled the top.sh script.
The script does not return my full command names, it does add a '+' plus sign at the end of command which are longer. The log looks like this
826 root 20 0 474240 8664 6640 S 0.0 0.1 18:36.67 NetworkMan+
When I run the script locally it does show the entire COMMAND Name
826 root 20 0 474240 8664 6640 S 0.0 0.1 18:36.72 NetworkManager
Here is my props.conf section for it
# The "app" field is the conjunction of COMMAND plus ARGS
# Note that the UNIX app joins arguments with an underscore.
EVAL-app = if(ARGS!="<noArgs>", COMMAND." ".ARGS,COMMAND)
EVAL-process = if(ARGS!="<noArgs>", COMMAND." ".ARGS,COMMAND)
EVAL-process_name = replace(COMMAND, "[\[\]()]", "")
# Truncate needless leading zeroes from the cumulative CPU time field.
EVAL-cpu_time = replace(CPUTIME, "^00:[0]{0,1}", "")
EVAL-time = replace(CPUTIME, "^00:[0]{0,1}", "")
# UsedBytes is calculated as RSZ_KB*1024. Previously it was calculated using
# %MEM and the "Mem:" header from "top -bn 1", which tended to underestimate
# compared to this value. This is a rough measure of resident set size (i.e.,
# physical memory in use).
EVAL-mem_used=RSZ_KB*1024
EVAL-UsedBytes=RSZ_KB*1024
[time]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
[source::...top.sample]
sourcetype = top
HEADER_MODE = always
SHOULD_LINEMERGE = false
[top]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
FIELDALIAS-user = USER as user
FIELDALIAS-process = COMMAND as process
FIELDALIAS-cpu_load_percent = pctCPU as cpu_load_percent
EVAL-vendor_product = if(isnull(vendor_product), "NIX", vendor_product)
top.sh script
. `dirname $0`/common.sh
HEADER=' PID USER PR NI VIRT RES SHR S pctCPU pctMEM cpuTIME COMMAND'
PRINTF='{printf "%6s %-14s %4s %4s %6s %6s %6s %2s %6s %6s %12s %-s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12}'
CMD='top'
if [ "x$KERNEL" = "xLinux" ] ; then
CMD='top -bn 1'
FILTER='{if (NR < 7) next}'
HEADERIZE='{NR == 7 && $0 = header}'
assertHaveCommand $CMD
$CMD | tee $TEE_DEST | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> $TEE_DEST
Get Updates on the Splunk Community!
Splunk Custom Visualizations App End of Life
The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...
Introducing Splunk Enterprise 9.2
WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...
Adoption of RUM and APM at Splunk
Unleash the power of Splunk Observability
Watch Now
In this can't miss Tech Talk! The Splunk Growth ...
