3.3.2 Using Keys

You can count system calls per process name by specifying the execname variable as the key to an aggregation and saving it in a file named writesbycmd.d:

syscall::write:entry
{
  @counts[execname] = count();
}

The following example output shows the result of running this command, waiting a few seconds, and then pressing Ctrl-C:

# dtrace -s writesbycmd.d
dtrace: script 'writesbycmd.d' matched 1 probe
^C
  dirname                                                           1
  dtrace                                                            1
  gnome-panel                                                       1
  mozilla-xremote                                                   1
  ps                                                                1
  avahi-daemon                                                      2
  basename                                                          2
  gconfd-2                                                          2
  java                                                              2
  master                                                            2
  pickup                                                            2
  qmgr                                                              2
  sed                                                               2
  dbus-daemon                                                       3
  rtkit-daemon                                                      3
  uname                                                             3
  w                                                                 5
  bash                                                              9
  cat                                                               9
  gnome-session                                                     9
  Xorg                                                             21
  firefox                                                         149
  gnome-terminal                                                 9421
#

Alternatively, you might want to further examine writes that are organized by both executable name and file descriptor. The file descriptor is the first argument to write(). The following example uses a key that is a tuple, which consists of both execname and arg0:

syscall::write:entry
{
  @counts[execname, arg0] = count();
}

Running this command results in a table with both executable name and file descriptor, as shown in the following example:

# dtrace -s writesbycmdfd.d
dtrace: script 'writesbycmdfd.d' matched 1 probe
^C

  basename                                                  1        1
  dbus-daemon                                              70        1
  dircolors                                                 1        1
  dtrace                                                    1        1
  gnome-panel                                              35        1
  gnome-terminal                                           16        1
  gnome-terminal                                           18        1
  init                                                      4        1
  master                                                   89        1
  ps                                                        1        1
  pulseaudio                                               20        1
  tput                                                      1        1
  Xorg                                                      2        2
#

A limited set of actions can be used as aggregation keys. Consider the following use of the mod() and stack() actions:

profile-10
{
  @hotmod[mod(arg0)] = count();
  @hotstack[stack()] = count();
}

Here, the hotmod aggregation counts probe firings by module, using the profile probe's arg0 to determine the kernel program counter. The hotstack aggregation counts probe firings by stack. The aggregation output reveals which modules and kernel call stacks are the hottest.