Re: Beginner Question ! - reporting ps output

ritemple · ‎01-30-2011

I have setup a splunk server and one lightforwarder client. This is configured to send the output of ps every 30 seconds to the server.

On our applications servers, I can easily count the number of connected users with the output of "ps -ef | grep | wc -l". I'd like to be able to use splunk to report this information, something like a report we run weekly (or is generated) showing the maximum number of connections on each day to the server(s).

I'm guessing it's a basic question, but any help getting started with this is appreciated !

Richard

David · ‎01-30-2011

I believe multikv will be your road to success. Here is a blog post dedicated specifically to grabbing ps output in splunk: http://blogs.splunk.com/2007/08/23/ripping-mulitline-events-at-seach-time/

I think what you'll end up wanting to do is something like the following:

YourPSSearch | multikv filter CriteriaToIdentifyUserSessions | stats count as NumberOfConnectedUsers

Or alternatively, if the filter clause isn't quite powerful enough, you could run a second search afterward. I'd imagine this is slower, though:

YourPSSearch | multikv | search CriteriaToIdentifyUserSessions | stats count as NumberOfConnectedUsers

Hopefully that should get you close to where you want to be.

Beginner Question ! - reporting ps output

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation