Truncating Aggregations
You can use the trunc
() function to manipulate the aggregation results. For example, you can display only the top results, or discard an entire aggregation result, and so on.
The parameters to trunc
are an aggregation and an optional truncation value. Without the truncation value, trunc
discards both aggregation values and aggregation keys for the entire aggregation. When a truncation value n is present, trunc
discards aggregation values and keys except for those values and keys associated with the highest n values. That is, trunc(@foo, 10)
truncates the aggregation named foo
after the top ten values, where trunc(@foo)
discards the entire aggregation. The entire aggregation is also discarded if 0
is specified as the truncation value.
To see the bottom n values instead of the top n, specify a negative truncation value to trunc
. For example, trunc(@foo, -10)
truncates the aggregation named foo
after the bottom ten values.
The following example augments the system call example to only display the per-second system call rates of the top ten system-calling applications in a ten-second period.
Example 3-5 Truncating an Aggregation
#pragma D option quiet BEGIN { last = timestamp; } syscall:::entry { @func[execname] = count(); } tick-10sec { trunc(@func, 10); normalize(@func, (timestamp - last) / 1000000000); printa(@func); clear(@func); last = timestamp; }
The following example shows output from running the preceding script on a lightly loaded laptop:
FvwmAuto 7 telnet 13 ping 14 dtrace 27 xclock 34 MozillaFirebird- 63 xterm 133 fvwm2 146 acroread 168 Xsun 616 telnet 4 FvwmAuto 5 ping 14 dtrace 27 xclock 35 fvwm2 69 xterm 70 acroread 164 MozillaFirebird- 491 Xsun 1287