Hi,
I think there is a simple solution to this but I am not having much luck finding it.
I have a portion of the 'top' command coming in via a script from an AIX server. Splunk sees the message like this:
USER PID %CPU %MEM SZ RSS TTY STAT STIME TIME COMMAND
user1 516 88.0 0.0 12 12 - A Oct 28 78400:06 wait
user1 16420 0.4 1.0 14676 5744 - A Oct 28 337:26 /opt/pdos/bin/p
user1 32472 0.3 1.0 7868 7872 - A Dec 17 51:56 /home/s/sys/swatc
user1 20646 0.3 0.0 4424 2208 - A Oct 28 251:52 /opt/pdos/bin/pd
user1 4958 0.3 0.0 496 316 - A Oct 28 231:41 /usr/sbin/syncd
user2 30476 0.2 1.0 8768 8736 - A Dec 17 31:00 /home/s/sys/buls
user2 15410 0.2 0.0 12012 1388 - A Oct 28 139:11 /usr/bin/xmwlm
user2 11616 0.2 0.0 840 388 - A Oct 28 164:40 /usr/sbin/muxatm
user2 3456 0.2 0.0 1380 216 - A Oct 28 142:01 dtgreet
user2 31764 0.1 0.0 1880 1456 - A Dec 17 20:47 /home/s/sys/rtpdc
This is good but I would like to extract fields on a per-line basis. For example, I would like to extract the %CPU and %MEM fields relative to the particular command in the COMMAND field. The ultimate goal of course is to chart TOP CPU and Memory usage processes with something like this:
source=top host=HOST |timechart max(percentCPU) by CommandName
I know the *nix application that comes with Splunk has pre-defined fields for this type of information but I am wanting to perform this on AIX servers which *nix does not support.
Thank you for any input you can provide.
Alex
The simplest approach is to pipe through the multikv command at search time:
http://www.splunk.com/base/Documentation/latest/SearchReference/Multikv
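As an added example (not from the original post, and not Splunk's own multikv implementation), here is the kind of header-driven, per-line split that multikv performs, written as a stand-alone Python script over the block quoted in the question, so the extracted fields and the `max(...) by COMMAND` grouping can be checked offline before trusting a timechart. It also handles the one thing a naive whitespace split gets wrong here: STIME is two tokens ("Oct 28"), so each row has 12 tokens under an 11-column header. The field names, the TIME pattern, and the assumption that cumulative TIME is minutes:seconds while a same-day STIME would be HH:MM:SS are this example's own choices, not statements about multikv. The block has the layout of `ps aux` output rather than top's, but the parsing is the same.

```python
import re

# Constructed sample event: the header row plus the process lines quoted in
# the question above, as one multi-line event.
SAMPLE_EVENT = """\
USER PID %CPU %MEM SZ RSS TTY STAT STIME TIME COMMAND
user1 516 88.0 0.0 12 12 - A Oct 28 78400:06 wait
user1 16420 0.4 1.0 14676 5744 - A Oct 28 337:26 /opt/pdos/bin/p
user1 32472 0.3 1.0 7868 7872 - A Dec 17 51:56 /home/s/sys/swatc
user1 20646 0.3 0.0 4424 2208 - A Oct 28 251:52 /opt/pdos/bin/pd
user1 4958 0.3 0.0 496 316 - A Oct 28 231:41 /usr/sbin/syncd
user2 30476 0.2 1.0 8768 8736 - A Dec 17 31:00 /home/s/sys/buls
user2 15410 0.2 0.0 12012 1388 - A Oct 28 139:11 /usr/bin/xmwlm
user2 11616 0.2 0.0 840 388 - A Oct 28 164:40 /usr/sbin/muxatm
user2 3456 0.2 0.0 1380 216 - A Oct 28 142:01 dtgreet
user2 31764 0.1 0.0 1880 1456 - A Dec 17 20:47 /home/s/sys/rtpdc
"""

# Header columns to the left of STIME. STIME itself is "Oct 28": two
# whitespace-separated tokens under one header, so a plain split() yields
# 12 tokens for 11 headers and misaligns everything after STAT.
LEFT_COLUMNS = ["USER", "PID", "%CPU", "%MEM", "SZ", "RSS", "TTY", "STAT"]

# Assumption of this example: cumulative TIME is minutes:seconds ("78400:06"),
# while a same-day STIME would be HH:MM:SS; the pattern rejects the latter.
TIME_RE = re.compile(r"^\d+:\d{2}$")
NUMERIC = {"PID": int, "%CPU": float, "%MEM": float, "SZ": int, "RSS": int}


def parse_table(event):
    """Split a header-plus-rows table into one dict per process line.

    Rows whose shape does not match the header are skipped rather than
    emitted with shifted fields, so a malformed line cannot show up in a
    chart as a process with made-up CPU or memory numbers.
    """
    lines = [line for line in event.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split()
    if header[:len(LEFT_COLUMNS)] != LEFT_COLUMNS or header[-3:] != ["STIME", "TIME", "COMMAND"]:
        raise ValueError("unexpected header: %r" % lines[0])
    rows = []
    for line in lines[1:]:
        tokens = line.split()
        # Locate TIME by shape; STIME is whatever sits between STAT and TIME,
        # COMMAND is everything after TIME, so a command with arguments survives.
        time_idx = next(
            (i for i in range(len(LEFT_COLUMNS) + 1, len(tokens) - 1) if TIME_RE.match(tokens[i])),
            None,
        )
        if time_idx is None:
            continue
        row = dict(zip(LEFT_COLUMNS, tokens[:len(LEFT_COLUMNS)]))
        row["STIME"] = " ".join(tokens[len(LEFT_COLUMNS):time_idx])
        row["TIME"] = tokens[time_idx]
        row["COMMAND"] = " ".join(tokens[time_idx + 1:])
        try:
            for name, cast in NUMERIC.items():
                row[name] = cast(row[name])
        except ValueError:
            continue
        rows.append(row)
    return rows


def max_by_command(rows, field):
    """Highest value of `field` per COMMAND: the per-line equivalent of the
    `max(...) by CommandName` grouping in the search from the question."""
    best = {}
    for row in rows:
        cmd = row["COMMAND"]
        if cmd not in best or row[field] > best[cmd]:
            best[cmd] = row[field]
    return best


def top_processes(rows, field, n=3):
    """Top-n (COMMAND, value) pairs for `field`, highest first."""
    ranked = sorted(max_by_command(rows, field).items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    parsed = parse_table(SAMPLE_EVENT)
    for r in parsed:
        print("%-18s STIME=%-7s TIME=%-9s %%CPU=%.1f %%MEM=%.1f" % (r["COMMAND"], r["STIME"], r["TIME"], r["%CPU"], r["%MEM"]))
    print("top by %CPU:", top_processes(parsed, "%CPU"))
    print("top by %MEM:", top_processes(parsed, "%MEM"))
```

Whatever does the splitting, the check worth making before building the chart is that STIME and COMMAND landed in their own fields for a few rows (a two-token STIME silently shifting TIME into COMMAND is exactly the failure that produces a chart of nonsense process names), and that rows which do not fit the header are dropped rather than charted.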
Wow, that was easy. Thanks for the point in the right direction!