I didn’t like the CPU input from the Splunk TA Nix app, so I created this small ingest from top. The script takes a single batch snapshot of the top command and reads only its summary header:
top -b -n 1 | sed -n '1,5p'
which comes back with the first 5 lines of top:
top - 15:20:55 up 26 days, 9:53, 1 user, load average: 0.89, 0.59, 0.48
Tasks: 125 total, 1 running, 124 sleeping, 0 stopped, 0 zombie
Cpu(s): 3.5%us, 0.7%sy, 0.0%ni, 95.7%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 8059752k total, 4138600k used, 3921152k free, 759256k buffers
Swap: 2097148k total, 96532k used, 2000616k free, 2228520k cached
The following query pulls the CPU load average data:
index=os sourcetype=top_header host=* | timechart span=1m values(load_1minavg) values(load_5minavg) values(load_15minavg) by host
while the following query pulls the memory data:
index=os sourcetype=top_header host=* | eval percentUsed=mem_used/mem_total*100 | gauge percentUsed by host
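Both searches assume Splunk has already extracted fields named load_1minavg, load_5minavg, load_15minavg, mem_used and mem_total from the five header lines, and the post does not show that extraction. The parser below is an added example, not code from the original post: it pulls those fields (plus a few CPU and swap values) out of the sample header with named-group regexes, which can be dropped into a transforms.conf REGEX or a `rex` command as they are. It assumes the older procps top layout shown above; procps-ng prints `%Cpu(s):` and `KiB Mem :` instead, so the patterns would need adjusting there.

```python
import re

# Constructed sample: the five header lines from the page, joined with
# newlines exactly as `top -b -n 1 | sed -n '1,5p'` emits them.
SAMPLE_HEADER = """top - 15:20:55 up 26 days, 9:53, 1 user, load average: 0.89, 0.59, 0.48
Tasks: 125 total, 1 running, 124 sleeping, 0 stopped, 0 zombie
Cpu(s): 3.5%us, 0.7%sy, 0.0%ni, 95.7%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 8059752k total, 4138600k used, 3921152k free, 759256k buffers
Swap: 2097148k total, 96532k used, 2000616k free, 2228520k cached
"""

# Group names match the field names used in the page's searches; the
# extra cpu_*/swap_* names are assumptions, chosen for this example.
PATTERNS = [
    re.compile(r"load average:\s*(?P<load_1minavg>[\d.]+),\s*"
               r"(?P<load_5minavg>[\d.]+),\s*(?P<load_15minavg>[\d.]+)"),
    re.compile(r"Cpu\(s\):\s*(?P<cpu_user>[\d.]+)%us,\s*(?P<cpu_sys>[\d.]+)%sy,"
               r".*?(?P<cpu_idle>[\d.]+)%id,.*?(?P<cpu_iowait>[\d.]+)%wa"),
    re.compile(r"^Mem:\s*(?P<mem_total>\d+)k total,\s*(?P<mem_used>\d+)k used,"
               r"\s*(?P<mem_free>\d+)k free", re.M),
    re.compile(r"^Swap:\s*(?P<swap_total>\d+)k total,\s*(?P<swap_used>\d+)k used",
               re.M),
]

def parse_top_header(text):
    """Return a dict of numeric fields found in a top header snapshot.

    A pattern that does not match is skipped rather than raising, so a
    host with a slightly different top layout yields a partial event
    (visible in Splunk as missing fields) instead of no event at all."""
    fields = {}
    for pat in PATTERNS:
        m = pat.search(text)
        if m:
            fields.update({k: float(v) for k, v in m.groupdict().items()})
    return fields

def mem_percent_used(fields):
    """Same arithmetic as the page's `eval percentUsed=mem_used/mem_total*100`."""
    if "mem_total" not in fields or fields["mem_total"] == 0:
        return None
    return fields["mem_used"] / fields["mem_total"] * 100

if __name__ == "__main__":
    parsed = parse_top_header(SAMPLE_HEADER)
    print(parsed)
    print("percentUsed =", mem_percent_used(parsed))
```

Run the script against a saved header from each host type you collect from before trusting the dashboards, since an unmatched line silently drops its fields.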