In the help documents for "command line filter" for processes it says the following:
Command Line Filter
This optional field allows you to select which instances of a process you want to monitor, based on the command line arguments of the process. This is a simple text match, and partial matches are also valid.
Example to monitor only instances launched with –myOption=NorthAmerica
Command Line Filter: –myOption=NorthAmerica
Example to monitor any instances launched with America in any argument
Command Line Filter: America
My question is this: can we apply other filter options like regexes? I need to detect processes where one has this in the command line: "clean_references" and the other has "clean_references_by_version". I can easily filter out for the second but if I filter out for the first it will also include the 2nd which doesn't help distinguish. I need something like "match exact string" or something of the sort.
In regards to this:
In the help documents for "command line filter" for processes it says the following:
Command Line Filter
This optional field allows you to select which instances of a process you want to monitor, based on the command line arguments of the process. This is a simple text match, and partial matches are also valid.
Example to monitor only instances launched with –myOption=NorthAmerica
Command Line Filter: –myOption=NorthAmerica
Example to monitor any instances launched with America in any argument
Command Line Filter: America
What would be the correct filter needed to grab 1 of the 8 java instances that are running on this box? I have the PID of the exact instance I want, but whenever I add the monitor it is grabbing all 8 instances and I need to only see 1.
I had some downtime at work tonight and decided to take a swing at this.
Component: WMI Monitor
WQL Query:
Select WorkingSetSize
From Win32_Process
Where Commandline LIKE "%AntiVirus%" AND NOT Commandline LIKE "%DefWatch%"
Convert Value > Custom Formula:
${Statistic}/1024
Test Processes:
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
It tests in this setup to find the correct data for Rtvscan.exe when compared to the memory data in Task Manager. If you replace "AntiVirus" with "clean_references" and "DefWatch" with "by_version" you should get the proper results. I'd definitely double check though before going live with the monitor.
I added in a statistic transform to convert the data from WorkingSetSize from bytes to kilobytes, so the data is easy to verify with Task Manager. I'm not sure if APM prior to 4.2 will allow for conversions or not.
If it doesn't work as is, it should definitely put you on the right track.
Does anyone have an idea whether this feature is working in any SAM version?
thanks
Sorry, I misunderstood that this was for a Windows system. The above will only work on a *nix box.
It is still doable on Windows using a custom script, but I don't have anything readily available that I can share with you for this.
You would need to pull the WMI information from Win32_Process and Win32_PerfFormattedData_PerfProc_Process. If you just want up/down then you won't need to worry about PerfFormattedData because you'll only need that for CPU and possibly memory utilization.
Alternatively, you could use the WMI Monitor with a hard-coded WQL Query. I have 0 experience with WQL myself, but from a glance it looks like it could be used to grab the data you are looking for.
Sorry I can't be of more help on Windows. Usually when I'm tasked with creating a custom monitor on Windows it turns into a 2 day affair of desk slamming and hair pulling.
Thanks. I need to track memory utilization. I'll have to find some time to learn this stuff. Thanks anyway.
You can easily write a custom script to pull the data that you are looking for. Especially if you are polling against a Linux box... just use the back tick ` operator to ps -ef and grep. If you set it up right you can input a regex into the command line for reuse later.
If you do it this way just be sure to also grep -v for 'grep' so the calling process doesn't show up in the results. If you included the search string in the Perl command line you'll also need to grep -v for 'perl'.
As an added bonus, you can then customize the statistical value that is returned (CPU, Memory, Time, etc.).
On a Windows box it is a tad bit more complicated, but it should still be doable - I'm not 100% on grabbing command line switches for Windows processes though as I haven't done that specifically myself.
hi. unfortunately I'm a windows guy with no experience doing what you're suggesting. if you come up with something that'd be great to know. thanks!
You can give this a try. We use this to just check for the existence of a process. I've never tried it with a regex as the search string, but it should work just fine with any regex that will work for grep.
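#!/usr/bin/perl
use strict;
use warnings;
# Search string (any regex grep accepts) is the first argument
my $search = $ARGV[0];
# Escape single quotes so the pattern reaches grep as one quoted shell word
$search =~ s/'/'\\''/g;
# List processes, drop the grep and perl helpers, then match the pattern
my $process = `ps -ef |egrep -v 'grep|perl' | grep -- '${search}'`;
# $? is 0 only when grep found at least one matching line
if ($? == 0)
{
print "Message: $process & $?\n";
print "Statistic: 0";
}
else
{
print "Message: Process Not Found - Status: $?\n";
print "Statistic: 1";
exit(1);
}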
Command Line:
perl ${SCRIPT} 'searchstring'
I'd suggest trying 'clean_references$' as the searchstring. This SHOULD give the proper response. Unfortunately, I don't have anything that I can actually test on right now. If you have access to a Unix admin that can SSH into the server and run:
ps -ef |egrep -v 'grep|perl' | grep 'clean_references$'
From the terminal you'll be able to see what you get for responses. Pulling process data for memory/cpu/etc. gets a little more involved, but the above should get you a basic up/down monitor.
Hope this helps. With any luck, the feature request will be completed almost as soon as you get a custom script working for it... That's usually how it works for me 😉
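An added example, not part of the original post: the same ps pipeline run over constructed sample lines, comparing the substring match, the 'clean_references$' anchor, and an exact whole-argument match. The function names, the sample processes, and the choice to also accept the value after an '=' are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed `ps -ef` style lines (UID PID PPID C STIME TTY TIME CMD...); not real output.
sample_ps() {
cat <<'EOF'
app   2101     1  0 09:00 ?      00:00:02 /opt/app/bin/worker clean_references --quiet
app   2102     1  0 09:00 ?      00:00:05 /opt/app/bin/worker clean_references_by_version
app   2103     1  0 09:01 ?      00:00:01 /opt/app/bin/worker --task=clean_references
root  2200  2150  0 09:02 pts/0  00:00:00 grep clean_references
EOF
}

# Pipeline from the thread: drop grep/perl helpers, then match the pattern as a regex.
# Prints the PID column of every matching line.
match_substring() {
    grep -Ev 'grep|perl' | grep -- "$1" | awk '{ print $2 }'
}

# Exact match: print the PID when one whole argument (or the value after '=')
# equals the token. Assumes the 8-column `ps -ef` layout shown above.
match_exact_arg() {
    awk -v tok="$1" '
        $2 == "PID" { next }                      # skip the ps header line
        {
            cmd = $8; sub(/.*\//, "", cmd)        # basename of the executable
            if (cmd == "grep" || cmd == "egrep" || cmd == "perl") next
            for (i = 9; i <= NF; i++) {
                val = $i; sub(/^[^=]*=/, "", val) # strip a leading "--opt="
                if ($i == tok || val == tok) { print $2; break }
            }
        }'
}

# Stand-alone demonstration on the constructed sample.
sample_ps | match_exact_arg clean_references
```

On a live host, feed it real data with `ps -ef | match_exact_arg clean_references`. On this sample the `$` anchor finds only the process whose command line ends with the token, while the exact-argument match finds both clean_references jobs and skips clean_references_by_version.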
Does that work in Windows? I have never used perl in Windows or linux. The command line filter is for windows processes unfortunately.
APM doesn't support Regex pattern matching for processes, but I have logged this as a feature request. We're tracking it internally as FB97476.
Hi,
Are we still in the queue to get this feature, or is it working in any SAM version?
Kindly revert.
Was this ever added? I'm running into the same issue.
This is still being tracked internally but has not yet been implemented.
Seems like a simple request. Do you have an idea on how you might implement it? Perhaps if double quotes are put around text (or an equal sign at the beginning), then an exact match would be used. Otherwise, it would work as is. Thanks for the feedback.
thanks. is there any way for customers to get status updates for a feature request?