Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Addon for nix Not showing the entire COMMAND name

ocgovsplunk
Engager
‎03-03-2021 01:01 PM

Hi all, 

 

I have deployed the splunk Addon for Nix on my Linux Server and enabled the top.sh script.

The script does not return my full command names, it does add a '+' plus sign at the end of command which are longer. The log looks like this 

 

 826  root              20     0  474240    8664    6640   S     0.0     0.1      18:36.67  NetworkMan+

 

 

When I run the script locally it does show the entire COMMAND Name 

 

  826  root              20     0  474240    8664    6640   S     0.0     0.1      18:36.72  NetworkManager

 

Here is my props.conf  section for it 

 

# The "app" field is the conjunction of COMMAND plus ARGS
# Note that the UNIX app joins arguments with an underscore.
EVAL-app = if(ARGS!="<noArgs>", COMMAND." ".ARGS,COMMAND)
EVAL-process = if(ARGS!="<noArgs>", COMMAND." ".ARGS,COMMAND)
EVAL-process_name = replace(COMMAND, "[\[\]()]", "")

# Truncate needless leading zeroes from the cumulative CPU time field.
EVAL-cpu_time = replace(CPUTIME, "^00:[0]{0,1}", "")
EVAL-time = replace(CPUTIME, "^00:[0]{0,1}", "")

# UsedBytes is calculated as RSZ_KB*1024. Previously it was calculated using
# %MEM and the "Mem:" header from "top -bn 1", which tended to underestimate
# compared to this value. This is a rough measure of resident set size (i.e.,
# physical memory in use).
EVAL-mem_used=RSZ_KB*1024
EVAL-UsedBytes=RSZ_KB*1024

[time]
SHOULD_LINEMERGE=false
LINE_BREAKER=^((?!))$
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT


[source::...top.sample]
sourcetype = top
HEADER_MODE = always
SHOULD_LINEMERGE = false

[top]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
FIELDALIAS-user = USER as user
FIELDALIAS-process = COMMAND as process
FIELDALIAS-cpu_load_percent = pctCPU as cpu_load_percent
EVAL-vendor_product = if(isnull(vendor_product), "NIX", vendor_product)

 

top.sh script 

 

. `dirname $0`/common.sh

HEADER='   PID  USER              PR    NI    VIRT     RES     SHR   S  pctCPU  pctMEM       cpuTIME  COMMAND'
PRINTF='{printf "%6s  %-14s  %4s  %4s  %6s  %6s  %6s  %2s  %6s  %6s  %12s  %-s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12}'

CMD='top'

if [ "x$KERNEL" = "xLinux" ] ; then
        CMD='top -bn 1'
        FILTER='{if (NR < 7) next}'
        HEADERIZE='{NR == 7 && $0 = header}'

assertHaveCommand $CMD
$CMD | tee $TEE_DEST | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF"  header="$HEADER"
echo "Cmd = [$CMD];  | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> $TEE_DEST

 

 

 

 

 

 

 

Labels (3)
Tags (2)
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...