- ```Lists search processes by memory use: classifies each per-process resource-usage event, keeps those classed as "search", and reports the latest data.mem_used per pid / search id / search type.```
- ```NOTE(review): there is no index= constraint, so results depend on the indexes the running role searches by default. This sourcetype is typically written to _introspection; confirm that index is searched.```
- sourcetype=splunk_resource_usage component=PerProcess
- ```Copy the nested fields into flat names; in eval, single quotes reference a field whose name contains dots.```
- | eval process = 'data.process'
- | eval args = 'data.args'
- | eval sid = 'data.search_props.sid'
- ```First pass: classify by process name alone. case() yields null when no clause matches.```
- | eval process_class = case( process=="mongod","KV store", process=="splunk-optimize","index service", process=="sh" OR process=="ksh" OR process=="bash" OR like(process,"python%") OR process=="powershell","scripted input")
- ```Second pass: refine splunkd by its arguments and by whether a search id is present, and reclassify the python appserver as "Splunk Web". The final clause keeps the first-pass value when none of the earlier clauses match.```
- | eval process_class = case( process=="splunkd" AND ((like(args,"-p %start%") AND NOT like(args,"%process-runner%")) OR args=="service"),"splunkd server", process=="splunkd" AND isnotnull(sid),"search", process=="splunkd" AND (like(args,"fsck%") OR like(args,"recover-metadata%") OR like(args,"cluster_thing")),"index service", process=="splunkd" AND args=="instrument-resource-usage", "scripted input", (like(process,"python%") AND like(args,"%/appserver/mrsparkle/root.py%")) OR like(process,"splunkweb"),"Splunk Web", isnotnull(process_class), process_class)
- ```Anything still unclassified becomes "other".```
- | eval process_class = if(isnull(process_class),"other",process_class)
- ```Keep only the events classified as a search process (a splunkd process that carries a search id).```
- | search process_class=search
- ```Latest reported memory figure per process id, search id and search type. Events missing any of the three by-fields are dropped by stats. Units of data.mem_used are not stated here; presumably MB, verify.```
- | stats latest(data.mem_used) as memoryused by data.pid,data.search_props.sid,data.search_props.type
- ```Largest consumers first.```
- | sort -memoryused