`mongotop`¶

On this page

Mac OSX Sierra and Go 1.6 Incompatibility

Users running on Mac OSX Sierra require the 3.2.10 or newer version of mongotop.

Synopsis¶

mongotop provides a method to track the amount of time a MongoDB instance spends reading and writing data. mongotop provides statistics on a per-collection level. By default, mongotop returns values every second.

Run mongotop from the system command line, not the mongo shell.

Required Access¶

In order to connect to a mongod that enforces authorization with the --auth option, you must use the --username and --password options, and the connecting user must have the serverStatus and top privileges.

The most appropriate built-in role that has these privileges is clusterMonitor.

Options¶

mongotop¶

mongotop¶

--help¶: Returns information on the options and use of mongotop.

--verbose, -v¶: Increases the amount of internal reporting returned on standard output or in log files. Increase the verbosity with the -v form by including the option multiple times, (e.g. -vvvvv.)

--quiet¶

Runs mongotop in a quiet mode that attempts to limit the amount of output.

This option suppresses:

output from database commands
replication activity
connection accepted events
connection closed events

--version¶: Returns the mongotop release number.

--host <hostname><:port>, -h <hostname><:port>¶

Default: localhost:27017

Specifies a resolvable hostname for the mongod to which to connect. By default, the mongotop attempts to connect to a MongoDB instance running on the localhost on port number 27017.

To connect to a replica set, specify the replSetName and a seed list of set members, as in the following:

<replSetName>/<hostname1><:port>,<hostname2><:port>,<...>

You can always connect directly to a single MongoDB instance by specifying the host and port number directly.

Changed in version 3.0.0: If you use IPv6 and use the <address>:<port> format, you must enclose the portion of an address and port combination in brackets (e.g. [<address>]).

If connected to a replica set where the primary is not reachable, mongotop returns an error message.

--port <port>¶

Default: 27017

Specifies the TCP port on which the MongoDB instance listens for client connections.

--ipv6¶

Removed in version 3.0.

Enables IPv6 support and allows mongotop to connect to the MongoDB instance using an IPv6 network. Prior to MongoDB 3.0, you had to specify --ipv6 to use IPv6. In MongoDB 3.0 and later, IPv6 is always enabled.

--ssl¶: New in version 2.6.

Enables connection to a mongod or mongos that has TLS/SSL support enabled.

Changed in version 3.0: Most MongoDB distributions include support for TLS/SSL. See Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients for more information about TLS/SSL and MongoDB.

Changed in version 3.4: If --sslCAFile is not specified when connecting to an TLS/SSL-enabled server, the system-wide CA certificate store will be used.

--sslCAFile <filename>¶: New in version 2.6.

Specifies the .pem file that contains the root certificate chain from the Certificate Authority. Specify the file name of the .pem file using relative or absolute paths.

Changed in version 3.0: Most MongoDB distributions include support for TLS/SSL. See Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients for more information about TLS/SSL and MongoDB.

Changed in version 3.4: If --sslCAFile is not specified when connecting to an TLS/SSL-enabled server, the system-wide CA certificate store will be used.

Warning

Version 3.2 and earlier: For SSL connections (--ssl) to mongod and mongos, if the mongotop runs without the --sslCAFile, mongotop will not attempt to validate the server certificates. This creates a vulnerability to expired mongod and mongos certificates as well as to foreign processes posing as valid mongod or mongos instances. Ensure that you always specify the CA file to validate the server certificates in cases where intrusion is a possibility.

--sslPEMKeyFile <filename>¶

New in version 2.6.

Specifies the .pem file that contains both the TLS/SSL certificate and key. Specify the file name of the .pem file using relative or absolute paths.

This option is required when using the --ssl option to connect to a mongod or mongos that has CAFile enabled without allowConnectionsWithoutCertificates.

Changed in version 3.0: Most MongoDB distributions include support for TLS/SSL. See Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients for more information about TLS/SSL and MongoDB.

Changed in version 3.4: If --sslCAFile is not specified when connecting to an TLS/SSL-enabled server, the system-wide CA certificate store will be used.

--sslPEMKeyPassword <value>¶

New in version 2.6.

Specifies the password to de-crypt the certificate-key file (i.e. --sslPEMKeyFile). Use the --sslPEMKeyPassword option only if the certificate-key file is encrypted. In all cases, the mongotop will redact the password from all logging and reporting output.

If the private key in the PEM file is encrypted and you do not specify the --sslPEMKeyPassword option, the mongotop will prompt for a passphrase. See SSL Certificate Passphrase.

Changed in version 3.0: Most MongoDB distributions include support for TLS/SSL. See Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients for more information about TLS/SSL and MongoDB.

Changed in version 3.4: If --sslCAFile is not specified when connecting to an TLS/SSL-enabled server, the system-wide CA certificate store will be used.

--sslCRLFile <filename>¶: New in version 2.6.

Specifies the .pem file that contains the Certificate Revocation List. Specify the file name of the .pem file using relative or absolute paths.

Changed in version 3.0: Most MongoDB distributions include support for TLS/SSL. See Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients for more information about TLS/SSL and MongoDB.

Changed in version 3.4: If --sslCAFile is not specified when connecting to an TLS/SSL-enabled server, the system-wide CA certificate store will be used.

--sslAllowInvalidCertificates¶: New in version 2.6.

Bypasses the validation checks for server certificates and allows the use of invalid certificates. When using the allowInvalidCertificates setting, MongoDB logs as a warning the use of the invalid certificate.

Changed in version 3.0: Most MongoDB distributions include support for TLS/SSL. See Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients for more information about TLS/SSL and MongoDB.

Changed in version 3.4: If --sslCAFile is not specified when connecting to an TLS/SSL-enabled server, the system-wide CA certificate store will be used.

--sslAllowInvalidHostnames¶: New in version 3.0.

Disables the validation of the hostnames in TLS/SSL certificates. Allows mongotop to connect to MongoDB instances even if the hostname in their certificates do not match the specified hostname.

Changed in version 3.0: Most MongoDB distributions include support for TLS/SSL. See Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients for more information about TLS/SSL and MongoDB.

Changed in version 3.4: If --sslCAFile is not specified when connecting to an TLS/SSL-enabled server, the system-wide CA certificate store will be used.

--sslFIPSMode¶: New in version 2.6.

Directs the mongotop to use the FIPS mode of the installed OpenSSL library. Your system must have a FIPS compliant OpenSSL library to use the --sslFIPSMode option.

Note

FIPS-compatible SSL is available only in MongoDB Enterprise. See Configure MongoDB for FIPS for more information.

--username <username>, -u <username>¶: Specifies a username with which to authenticate to a MongoDB database that uses authentication. Use in conjunction with the --password and --authenticationDatabase options.

--password <password>, -p <password>¶: Specifies a password with which to authenticate to a MongoDB database that uses authentication. Use in conjunction with the --username and --authenticationDatabase options.

Changed in version 3.0.0: If you do not specify an argument for --password, mongotop returns an error.

Changed in version 3.0.2: If you wish mongotop to prompt the user for the password, pass the --username option without --password or specify an empty string as the --password value, as in --password "" .

--authenticationDatabase <dbname>¶: Specifies the database in which the user is created. See Authentication Database.

Changed in version 3.0.0: --authenticationDatabase is required for mongod and mongos instances that use Authentication.

--authenticationMechanism <name>¶

Default: SCRAM-SHA-1

Changed in version 2.6: Added support for the PLAIN and MONGODB-X509 authentication mechanisms.

Changed in version 3.0: Added support for the SCRAM-SHA-1 authentication mechanism. Changed default mechanism to SCRAM-SHA-1.

Specifies the authentication mechanism the mongotop instance uses to authenticate to the mongod or mongos.

Value	Description
SCRAM-SHA-1	RFC 5802 standard Salted Challenge Response Authentication Mechanism using the SHA1 hash function.
MONGODB-CR	MongoDB challenge/response authentication.
MONGODB-X509	MongoDB TLS/SSL certificate authentication.
GSSAPI (Kerberos)	External authentication using Kerberos. This mechanism is available only in MongoDB Enterprise.
PLAIN (LDAP SASL)	External authentication using LDAP. You can also use `PLAIN` for authenticating in-database users. `PLAIN` transmits passwords in plain text. This mechanism is available only in MongoDB Enterprise.

--gssapiServiceName¶

New in version 2.6.

Specify the name of the service using GSSAPI/Kerberos. Only required if the service does not use the default name of mongodb.

This option is available only in MongoDB Enterprise.

--gssapiHostName¶

New in version 2.6.

Specify the hostname of a service using GSSAPI/Kerberos. Only required if the hostname of a machine does not match the hostname resolved by DNS.

This option is available only in MongoDB Enterprise.

--locks¶

Toggles the mode of mongotop to report on use of per-database locks. This data is only available when connected to a MongoDB 2.6 or older instance.

--locks returns an error when called against a mongod 3.0 or newer instance that does not report per-database lock usage.

--rowcount int, -n int¶: Number of lines of data that mongotop should print. “0 for indefinite”

--json¶: New in version 3.0.0.

Returns output for mongotop in JSON format.

<sleeptime>¶: The final argument is the length of time, in seconds, that mongotop waits in between calls. By default mongotop returns data every second.

Fields¶

mongotop returns time values specified in milliseconds (ms.)

mongotop only reports active namespaces or databases, depending on the --locks option. If you don’t see a database or collection, it has received no recent activity. You can issue a simple operation in the mongo shell to generate activity to affect the output of mongotop.

mongotop.ns¶

Contains the database namespace, which combines the database name and collection.

If you use the mongotop --locks, the ns field does not appear in the mongotop output.

mongotop.db¶

Contains the name of the database. The database named . refers to the global lock, rather than a specific database.

This field does not appear unless you have invoked mongotop with the --locks option.

mongotop.total¶: Provides the total amount of time that this mongod spent operating on this namespace.

mongotop.read¶: Provides the amount of time that this mongod spent performing read operations on this namespace.

mongotop.write¶: Provides the amount of time that this mongod spent performing write operations on this namespace.

mongotop.<timestamp>¶: Provides a time stamp for the returned data.

Use¶

By default mongotop connects to the MongoDB instance running on the localhost port 27017. However, mongotop can optionally connect to remote mongod instances. See the mongotop options for more information.

To force mongotop to return less frequently specify a number, in seconds at the end of the command. In this example, mongotop will return every 15 seconds.

mongotop 15

This command produces the following output:

                     ns    total    read    write          2014-12-19T15:32:01-05:00
     admin.system.roles      0ms     0ms      0ms
   admin.system.version      0ms     0ms      0ms
               local.me      0ms     0ms      0ms
         local.oplog.rs      0ms     0ms      0ms
 local.replset.minvalid      0ms     0ms      0ms
      local.startup_log      0ms     0ms      0ms
   local.system.indexes      0ms     0ms      0ms
local.system.namespaces      0ms     0ms      0ms
   local.system.replset      0ms     0ms      0ms

                     ns    total    read    write          2014-12-19T15:47:01-05:00
     admin.system.roles      0ms     0ms      0ms
   admin.system.version      0ms     0ms      0ms
               local.me      0ms     0ms      0ms
         local.oplog.rs      0ms     0ms      0ms
 local.replset.minvalid      0ms     0ms      0ms
      local.startup_log      0ms     0ms      0ms
   local.system.indexes      0ms     0ms      0ms
local.system.namespaces      0ms     0ms      0ms
   local.system.replset      0ms     0ms      0ms

The output varies depending on your MongoDB setup. For example, local.system.indexes and local.system.namespaces only appear for mongod instances using the MMAPv1 storage engine.

To return a mongotop report every 5 minutes, use the following command:

mongotop 300

← mongostat mongoperf →

mongotop¶

Synopsis¶

Required Access¶

Options¶

Fields¶

Use¶

`mongotop`¶