Beginner Question ! - reporting ps output

ritemple · ‎01-30-2011

I have setup a splunk server and one lightforwarder client. This is configured to send the output of ps every 30 seconds to the server.

On our applications servers, I can easily count the number of connected users with the output of "ps -ef | grep | wc -l". I'd like to be able to use splunk to report this information, something like a report we run weekly (or is generated) showing the maximum number of connections on each day to the server(s).

I'm guessing it's a basic question, but any help getting started with this is appreciated !

Richard

David · ‎01-30-2011

I believe multikv will be your road to success. Here is a blog post dedicated specifically to grabbing ps output in splunk: http://blogs.splunk.com/2007/08/23/ripping-mulitline-events-at-seach-time/

I think what you'll end up wanting to do is something like the following:

YourPSSearch | multikv filter CriteriaToIdentifyUserSessions | stats count as NumberOfConnectedUsers

Or alternatively, if the filter clause isn't quite powerful enough, you could run a second search afterward. I'd imagine this is slower, though:

YourPSSearch | multikv | search CriteriaToIdentifyUserSessions | stats count as NumberOfConnectedUsers

Hopefully that should get you close to where you want to be.

Beginner Question ! - reporting ps output

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?