Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit ps.sh to limit process getting in ingest for Splunk Add-on for Unix and Linux

tgmvt03
Engager
‎08-21-2018 01:01 PM

Hello,
I'm trying to only get a certain server processes to ingest to splunk index using Splunk Add-on for Unix and Linux script by editing the ps.sh script by adding grep command in there. like below.
However i'm getting error like
ERROR: Unsupported option (BSD syntax)
or
ERROR: Garbage option.

edit:
CMD='ps auxww|grep nc'

Could someone please direct me to document how to add grep in or some guidance how to get this ps.sh script to works?

thank you

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-21-2018 08:44 PM

@tgmvt03 ,

Depending on your OS version, you could add the list of commands (process names) to be displayed using -C. Grep will remove the headers also which is used in final output

For e.g. for common Linux version, change the command

from

CMD='ps -wweo uname,pid,psr,pcpu,cputime,pmem,rsz,vsz,tty,s,etime,args'

to

CMD='ps -wwo uname,pid,psr,pcpu,cputime,pmem,rsz,vsz,tty,s,etime,args -C splunkd'

Two main differences :

  • Removed e from the command which is for selecting all processes.
  • Added -C with the command list - here for example splunkd

Have a look at ps man page

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎08-21-2018 08:44 PM

@tgmvt03 ,

Depending on your OS version, you could add the list of commands (process names) to be displayed using -C. Grep will remove the headers also which is used in final output

For e.g. for common Linux version, change the command

from

CMD='ps -wweo uname,pid,psr,pcpu,cputime,pmem,rsz,vsz,tty,s,etime,args'

to

CMD='ps -wwo uname,pid,psr,pcpu,cputime,pmem,rsz,vsz,tty,s,etime,args -C splunkd'

Two main differences :

  • Removed e from the command which is for selecting all processes.
  • Added -C with the command list - here for example splunkd

Have a look at ps man page

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...