Splunk IT Service Intelligence

Top 5 UNIX/Linux processes as per CPU

Path Finder

I am trying to build a dashboard listing the top 5 Unix processes by CPU, using the macro Top5CPUProcessesby_Host(*) as listed at the following link:

https://docs.splunk.com/Documentation/UnixApp/5.2.4/User/Savedsearches

Can someone please guide me on how to use this macro search?

0 Karma

New Member

First, make sure you deploy the Splunk Add-on for Unix and Linux on the servers you are trying to monitor (universal forwarders). By doing this, you will be receiving data from these servers as mentioned in the add-on documentation.

http://docs.splunk.com/Documentation/AddOns/released/UnixLinux/About

This add-on will populate the index and sourcetypes needed so you can run search queries against it to build reports/dashboards, and populate data for the App.

0 Karma

SplunkTrust

@bsaujla131984 ,

You can directly call this macro in your search/dashboard provided the dashboard has access to this macro. In other terms, share this macro with the app where you are creating the dashboard.

Try executing this macro in your search bar with " `Top5CPUProcessesby_Host(*)` ". Make sure that you have the backticks (`) when calling the macro.

Alternatively, you can use the search which is used behind this macro:

index=os sourcetype=top host=* | stats max(pctCPU) as maxCPU by host, COMMAND, _time | sort -maxCPU | dedup 5 host

Change the index if you are using an index other than os.

0 Karma

Path Finder

Also, where can we check commands running behind macros?

Thanks,

0 Karma

Path Finder

Hello Ranjith,

Is there a way I can check commands running behind macros?

Thanks,

0 Karma

SplunkTrust

Yes, just open the macros.conf from the app's default/local directory and you should see this macro definition.

0 Karma
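An added example, not part of the original thread or of the add-on: a small Python reader that shows what a macro call expands to, the way macros.conf stores it (a stanza named after the macro and its argument count, with `args` and `definition` settings, and local settings overriding default). The file contents are constructed; the stanza name reuses the macro name as written in this thread, and the argument name `host` and the index `unix_metrics` are assumptions.

```python
import configparser
import re

# Constructed sample contents (not copied from the add-on). The stanza name is
# the macro name as written on this page plus its argument count; the argument
# name "host" and the index "unix_metrics" are assumptions.
DEFAULT_CONF = """
[Top5CPUProcessesby_Host(1)]
args = host
definition = index=os sourcetype=top host=$host$ | stats max(pctCPU) as maxCPU by host, COMMAND, _time | sort -maxCPU | dedup 5 host
"""
LOCAL_CONF = """
[Top5CPUProcessesby_Host(1)]
definition = index=unix_metrics sourcetype=top host=$host$ | stats max(pctCPU) as maxCPU by host, COMMAND, _time | sort -maxCPU | dedup 5 host
"""

def load_macros(default_text, local_text=""):
    """Parse macros.conf text; settings from local override those from default."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(default_text)
    cp.read_string(local_text)   # later reads win, setting by setting
    return {name: dict(cp[name]) for name in cp.sections()}

# A macro call in a search string: `name` or `name(arg1, arg2)`
CALL = re.compile(r"`\s*(\w+)(?:\(([^)`]*)\))?\s*`")

def expand(search, macros):
    """Replace each backtick macro call with its definition (single pass)."""
    def repl(match):
        name, raw = match.group(1), match.group(2)
        values = [v.strip() for v in raw.split(",")] if raw and raw.strip() else []
        stanza = f"{name}({len(values)})" if values else name
        if stanza not in macros:
            raise KeyError(f"no macro stanza [{stanza}] found")
        macro = macros[stanza]
        names = [a.strip() for a in macro.get("args", "").split(",") if a.strip()]
        text = macro["definition"]
        for arg, value in zip(names, values):
            text = text.replace(f"${arg}$", value)
        return text
    return CALL.sub(repl, search)

if __name__ == "__main__":
    print(expand("`Top5CPUProcessesby_Host(*)`", load_macros(DEFAULT_CONF, LOCAL_CONF)))
```

A missing stanza raises KeyError, which is the same situation as a macro that is not shared with the app where the dashboard lives.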

SplunkTrust

Control Shift E will expand macros, as documented here, in newer Splunk versions.

0 Karma

Path Finder

Thanks Nair for your reply.

There is no sourcetype=top, so I could not get any result.

0 Karma

SplunkTrust

@bsaujla131984 ,

Have you enabled the input for top in your inputs.conf?

0 Karma