Splunk ITSI

Top 5 UNIX/Linux processes as per CPU

bsaujla131984
Path Finder

I am trying to build a dashboard listing the top 5 Unix processes by CPU, using the macro Top_5_CPU_Processes_by_Host(*) as listed at the following link:

https://docs.splunk.com/Documentation/UnixApp/5.2.4/User/Savedsearches

Can someone please guide me how to use this macro search?

0 Karma

dedwards93
New Member

First make sure you deploy the Splunk Add-on for Unix and Linux on the servers you are trying to monitor (universal forwarders). By doing this, you will be receiving data from these servers as mentioned in the add-on documentation.

http://docs.splunk.com/Documentation/AddOns/released/UnixLinux/About

This add-on will populate the index and sourcetypes needed so you can run search queries against it to build reports/dashboards, and populate data for the App.

0 Karma

renjith_nair
Legend

@bsaujla131984 ,

You can directly call this macro in your search/dashboard provided the dashboard has access to this macro - in other terms, share this macro with the app where you are creating the dashboard.

Try executing this macro in your search bar with "`Top_5_CPU_Processes_by_Host(*)`". Make sure that you have the backticks (`) while calling the macro.

Alternatively, you can use the search which is used behind this macro:

index=os sourcetype=top host=* | stats max(pctCPU) as maxCPU by host, COMMAND, _time | sort -maxCPU | dedup 5 host

Change the index if you are using an index other than os.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

bsaujla131984
Path Finder

Also, where can we check commands running behind macros?

Thanks,

0 Karma

bsaujla131984
Path Finder

Hello Ranjith,

Is there a way I can check commands running behind Macros?

Thanks,

0 Karma

renjith_nair
Legend

Yes, just open the macros.conf from the app's default/local directory and you should see this macro definition.

0 Karma
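
Added example (not part of any post in this thread, and not code from Splunk): a small Python sketch of what reading macros.conf by hand tells you. It assumes the standard macros.conf stanza layout (`[name(argcount)]`, `args`, `definition`); the stanza contents are constructed from the search quoted earlier in the thread, and the `unix_metrics` index in the local override is hypothetical.

```python
import configparser
import re

# Constructed sample of the app's default/macros.conf, built from the search
# quoted in this thread (the shipped definition may differ).
DEFAULT_CONF = """
[Top_5_CPU_Processes_by_Host(1)]
args = host
definition = index=os sourcetype=top host=$host$ | stats max(pctCPU) as maxCPU by host, COMMAND, _time | sort -maxCPU | dedup 5 host
"""

# Hypothetical local/macros.conf override that points the macro at another index.
LOCAL_CONF = """
[Top_5_CPU_Processes_by_Host(1)]
definition = index=unix_metrics sourcetype=top host=$host$ | stats max(pctCPU) as maxCPU by host, COMMAND, _time | sort -maxCPU | dedup 5 host
"""


def load_macros(*layers):
    """Merge conf layers in order: later layers (local) override earlier (default)."""
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.optionxform = str  # keep key case exactly as written
    for text in layers:
        parser.read_string(text)
    return parser


def expand(call, macros):
    """Return the search that a call such as `Top_5_CPU_Processes_by_Host(*)` runs."""
    match = re.fullmatch(r"`?\s*(\w+)(?:\((.*)\))?\s*`?", call.strip())
    if not match:
        raise ValueError(f"not a macro call: {call!r}")
    name, raw = match.group(1), match.group(2)
    values = [v.strip() for v in raw.split(",")] if raw else []
    # The stanza name carries the argument count, e.g. name(1) for one argument.
    stanza = f"{name}({len(values)})" if values else name
    if not macros.has_section(stanza):
        raise KeyError(f"no macro stanza [{stanza}] visible")
    arg_names = [a.strip() for a in macros.get(stanza, "args", fallback="").split(",") if a.strip()]
    search = macros.get(stanza, "definition")
    for arg, value in zip(arg_names, values):
        search = search.replace(f"${arg}$", value)  # $host$ -> *
    return search


if __name__ == "__main__":
    print(expand("`Top_5_CPU_Processes_by_Host(*)`", load_macros(DEFAULT_CONF, LOCAL_CONF)))
```
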

gjanders
SplunkTrust

Control Shift E will expand macros, as documented here, in newer Splunk versions.

0 Karma

bsaujla131984
Path Finder

Thanks Nair for your reply.

There is no sourcetype=top, so I could not get any result.

0 Karma

renjith_nair
Legend

@bsaujla131984 ,

Have you enabled the input for top in your inputs.conf?

0 Karma