I am trying to build a dashboard listing the top 5 Unix processes by CPU, using the macro Top5CPUProcessesby_Host(*) as listed in the following link:
Can someone please guide me how to use this macro search?
First, make sure you deploy the Splunk Add-on for Unix and Linux on the servers you are trying to monitor (universal forwarders). By doing this, you will be receiving data from these servers, as mentioned in the add-on documentation.
This add-on will populate the index and sourcetypes needed so you can run search queries against it to build reports/dashboards, and populate data for the App.
You can directly call this macro in your search/dashboard provided the dashboard has access to this macro; in other words, share this macro with the app where you are creating the dashboard.
Try executing this macro in your search bar with "`Top5CPUProcessesby_Host(*)`". Make sure that you have the backticks (`) when calling the macro.
Alternatively, you can use the search that sits behind this macro:
index=os sourcetype=top host=* | stats max(pctCPU) as maxCPU by host, COMMAND, _time | sort -maxCPU | dedup 5 host
Change the index if you are using other index than
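For the dashboard itself, the search above can be placed in a Simple XML form with a host selector. This is an added example, not part of the original answers; the token name host_tok, the labels and the 15-minute time range are assumptions, and it expects the os index and top sourcetype used in the search above.

```xml
<form>
  <label>Top 5 CPU processes by host</label>
  <fieldset submitButton="false">
    <!-- Host selector; host_tok is an assumed token name -->
    <input type="dropdown" token="host_tok" searchWhenChanged="true">
      <label>Host</label>
      <choice value="*">All hosts</choice>
      <default>*</default>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <!-- Populate the dropdown from hosts that actually send top data -->
      <search>
        <query>index=os sourcetype=top | stats count by host | fields host</query>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Top 5 processes by peak CPU</title>
      <table>
        <!-- Same search as above, with host=* replaced by the selected token -->
        <search>
          <query>index=os sourcetype=top host=$host_tok$ | stats max(pctCPU) as maxCPU by host, COMMAND, _time | sort -maxCPU | dedup 5 host</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="count">20</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

If the panel stays empty, run the panel query in the search bar first to confirm that the role viewing the dashboard can read the index and that the forwarders are sending top data.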