Unix Top Command Explanation With Examples

The ‘top’ command helps you find most of the system-related information that a Unix user needs to know about the system.

It helps you diagnose system-related issues, and you can correct the configuration if needed based on the results. The top program provides a dynamic real-time view of a running system. It can display system summary information as well as a list of tasks currently being managed by the Linux kernel.
The system summary information shown and the information displayed for the tasks are all user-configurable, and that configuration can be saved and retained across restarts.

In short, you can see the results of system-related commands like “free, ps, vmstat, who, w and uptime” just by typing one command: top.

Type the “top” command on your Unix/Linux console and it will display system information such as CPU, memory, swap, and the running tasks of each process, all in a single view. Press ‘q’ to quit/return.

When you start top for the first time, you will be presented with the traditional screen elements:
1) Summary Area  2) Message/Prompt Line  3) Columns Header  4) Task Area.

To understand the top command’s output, let’s go line by line.


The first line shows:

Current system time, along with how long the system has been up and running.

Number of users currently logged in to the system.

Load average on the system over the default 1, 5 and 15 minute intervals.

The second line shows process statistics in the format below:

Number of tasks currently assigned to the system.

Running : Tasks which are currently running on the system.

Sleeping : Tasks which are not active; processes which are blocked because they are waiting for an event, e.g. sleep(), a timeout or I/O completion.

Stopped : The process is “paused” but not “terminated”. The most common source of STOP signals is the user hitting ^z while the process is in the foreground. A stopped process will not terminate due to a TERM signal until it is continued. It will terminate as soon as it receives a KILL signal, even if the process is stopped.

Zombie : A zombie process is a finished (dead) process that has not been removed completely: it still occupies an entry in the process table. Usually, when a child process finishes its execution, a SIGCHLD signal is sent to the parent process which created it. The parent process then makes a wait() system call, through which it can read the child’s exit status. After the wait() call, the child’s entry is removed from the process table. In some cases, however, the parent process may ignore the SIGCHLD signal, which causes the completed process to remain in the process table and makes it a zombie process. Sometimes this is desirable for the parent process, to ensure that the same PID is not allocated to another child. When a process dies, it frees the memory and other resources allocated to it, which means a zombie process does not use any resources at all other than an entry in the process table. However, if zombies are created at a high rate, the entire pool of available PIDs will fill up with zombie processes, which prevents other processes from launching.
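Since a zombie only disappears once its parent calls wait(), the thing to look for is the parent that is accumulating them. The following added example (not part of the original article) counts zombies per parent PID from output in the format of `ps -eo pid,ppid,stat,comm`; the process list is constructed sample data and the function name zombies_by_parent is hypothetical.

```bash
#!/usr/bin/env bash
# Constructed sample in the format of: ps -eo pid,ppid,stat,comm
SAMPLE_PS='  PID  PPID STAT COMMAND
    1     0 Ss   systemd
  812     1 Ssl  workerd
 4101   812 Z    job <defunct>
 4102   812 Z    job <defunct>
 4103   812 Z+   job <defunct>
 5120     1 D    backup
 5999     1 S    cron
 6001  5999 Z    sh <defunct>'

# $1 = ps text, $2 = minimum number of zombies a parent must own to be listed.
# Prints one line per offending parent: "<parent pid> <zombie count> <parent command>"
zombies_by_parent() {
  printf '%s\n' "$1" | awk -v min="$2" '
    NR == 1   { next }              # skip the header line
              { name[$1] = $4 }     # remember the command (first word) of every PID
    $3 ~ /^Z/ { z[$2]++ }           # STAT starting with Z: count it against its PPID
    END {
      for (p in z)
        if (z[p] >= min)
          printf "%d %d %s\n", p, z[p], ((p in name) ? name[p] : "?")
    }' | sort -n
}

# Parents holding two or more zombies in the sample
zombies_by_parent "$SAMPLE_PS" 2

# On a live system:
#   zombies_by_parent "$(ps -eo pid,ppid,stat,comm)" 1
```

A parent that keeps appearing here with a growing count is the process to fix or restart; the zombie entries themselves cannot be killed.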

The third line shows CPU information in the format below:

us: Percentage (%) of CPU time spent in user mode
sy: Percentage (%) of CPU time spent in kernel mode

Basically there are two modes, user mode and kernel mode. %us represents the percentage of time spent on user processes; when those processes need the kernel layer for tasks such as reading or writing to the hard disk or allocating several kilobytes of RAM, the requests are known as system calls, and the time spent serving them in kernel mode is counted under %sy.

ni: Percentage (%) of CPU time spent on low priority processes
id: Percentage (%) of CPU time spent idle
wa: Percentage (%) of CPU time spent in wait (on disk)
hi: Percentage (%) of CPU time spent servicing/handling hardware interrupts (hardware irq)
si: Percentage (%) of CPU time spent servicing/handling software interrupts (software irq)
st: Percentage (%) of CPU time in involuntary wait by the virtual CPU while the hypervisor is servicing another processor, i.e. % CPU time stolen from a virtual machine

hi represents the time spent processing hardware interrupts. Hardware interrupts are generated by hardware devices when they need to send a signal to the CPU.

Whenever long or complex processing is required, these tasks are deferred using a mechanism called softirqs. These are scheduled independently, can run on any CPU, and can even run concurrently. Softirqs are statically allocated at compile time.

si represents the time spent in these softirqs.
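Where these eight percentages come from, as an added example (not part of the original article): on Linux the counters are the `cpu` lines of /proc/stat, and each percentage is the change in one counter between two readings divided by the change in all of them. The two snapshots are constructed sample data, the function name cpu_pct is hypothetical, and the example also handles the per-CPU lines (cpu0, cpu1, ...) that the ‘1’ shortcut reveals.

```bash
#!/usr/bin/env bash
# Constructed /proc/stat excerpts taken some time apart.
# Columns after the label: user nice system idle iowait irq softirq steal guest guest_nice
SAMPLE_T0='cpu  1000 50 300 8000 100 10 40 0 0 0
cpu0 600 30 200 3900 60 10 30 0 0 0
cpu1 400 20 100 4100 40 0 10 0 0 0'
SAMPLE_T1='cpu  1150 60 360 8700 130 12 48 40 0 0
cpu0 700 40 240 4200 80 12 38 20 0 0
cpu1 450 20 120 4500 50 0 10 20 0 0'

# $1 = earlier snapshot, $2 = later snapshot (full /proc/stat text is accepted)
cpu_pct() {
  printf '%s\n--\n%s\n' "$1" "$2" | awk '
    $1 == "--"   { second = 1; next }     # separator between the two snapshots
    $1 !~ /^cpu/ { next }                 # ignore intr, ctxt, btime, ...
    !second      { for (i = 2; i <= 9; i++) prev[$1, i] = $i; next }
    {
      total = 0
      for (i = 2; i <= 9; i++) { d[i] = $i - prev[$1, i]; total += d[i] }
      if (total <= 0) next                # no ticks elapsed for this CPU
      # field order in /proc/stat is user,nice,system; top prints us,sy,ni
      printf "%s us=%.1f sy=%.1f ni=%.1f id=%.1f wa=%.1f hi=%.1f si=%.1f st=%.1f\n",
        $1, 100*d[2]/total, 100*d[4]/total, 100*d[3]/total, 100*d[5]/total,
        100*d[6]/total, 100*d[7]/total, 100*d[8]/total, 100*d[9]/total
    }'
}

cpu_pct "$SAMPLE_T0" "$SAMPLE_T1"

# On a live Linux system:
#   a=$(cat /proc/stat); sleep 1; b=$(cat /proc/stat); cpu_pct "$a" "$b"
```

In the sample, cpu0 and cpu1 each lose 4% to steal time, which on a virtual machine points at contention on the host rather than at anything running inside the guest.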

The next two lines show memory details.

The fourth line shows physical memory information and the fifth line shows swap memory information:

Both lines give you a snapshot of the memory being used by various processes.

Mem : Represents the actual memory (RAM) that is mappable by your Unix/Linux kernel. It is used not just for user-related data but for kernel data as well. The kernel permanently reserves a small chunk of memory for its own use at startup, which is hidden from the user.

Swap is used when physical memory (RAM) is full: when the RAM fills up and the system needs more memory resources, the kernel moves the inactive pages in memory to the swap space. Swap space is created on hard drives, which have slower access times than physical memory.

The following terms are used for both physical and swap memory, so their meaning is as follows:

Total : Total Memory available in your system.

Used : Memory which is being consumed by the system

Free : Free Memory for the system.

where Memory denotes physical or swap memory respectively.

The terms below are a little mystifying; some people wrongly assume that Cache applies only to swap memory because it is placed on the Swap line.

Actually the simple logic for memory is :

Total = Used + Free
Used = buffers+cached

Buffers : The size of the in-memory block I/O buffers, which exist for a relatively short span of time. When the kernel accesses the disk to read a file or block device, the buffer size increases.

Cached : The size of the Linux page cache, excluding the memory in the swap cache, which is represented by SwapCached (hence the total page cache size is Cached + SwapCached).
Cached represents the amount of RAM used to cache the content of files that were read recently.

For example, whenever you perform a read operation on a file on disk, the data is loaded and read into memory, and then goes into the page cache.
Once the read operation completes, the kernel has two options: the first is to simply throw the page away since it is not being used, and the second is to cache it for future operations.
So when you do another read of the same area of the file, the data is read directly out of memory and no trip to the disk is needed, because it is loaded from the page cache.

How is Cached different from Buffers? The Buffers size increases while the system is accessing the page, whereas the Cached size increases once the system has accessed the page and returned.

Reading a file from cache is relatively fast compared to a fresh start.

Now coming to the process statistics. “top” provides the details below for each process:

PID : Process ID of the process; every process has a unique process ID.

USER : The user name of the owner of the process.

PR : The priority of the task. RT denotes a real-time priority class, which is used for system processes. PR is the actual priority of the process as viewed by the Linux kernel.
For normal processes, the kernel simply sets the priority to the nice value + 20, which means the highest-priority nice value receives a kernel priority of 0. Sometimes you may see a difference between the nice value and PR, because the process scheduler applies a small bonus or penalty to interactive or processor-hogging tasks; the kernel can dynamically change the user PR depending on how interactive the process is.

NI : The nice value of the task. A negative nice value means higher priority, whereas a positive nice value means lower priority.
Every new process has a nice level of 0, but you can override it with the “nice” utility. NI ranges from -20 to 19.

VIRT : The amount of virtual memory used by a process. It refers to the length of the memory area and includes all code, data and shared libraries, plus pages that have been swapped out.
VIRT represents how much memory the program is able to access at the present moment; it does not mean that the process actually uses that amount of memory. It is a combination of both physical and swap memory allocated to the process.

RES : The resident size, which represents the non-swapped physical memory a task is using. It tells you how many memory blocks (known as pages) are really allocated and mapped into the process address space. This will virtually always be less than the VIRT size.

SHR : The amount of shared memory used by a task. It simply reflects memory that could potentially be shared with other processes. SHR indicates how much of the VIRT size is actually sharable (memory or libraries).

The actual memory consumption of a process can be calculated as RES minus SHR, depending on how many shared libraries are used by the given process and on other processes using those same libraries.

S : Represents the process status.
The status of the task, which can be one of:
‘D’ = uninterruptible sleep
‘R’ = running
‘S’ = sleeping
‘T’ = traced or stopped
‘Z’ = zombie

** Tasks shown as running should be more properly thought of as ‘ready to run’ — their task_struct is simply represented on the Linux run-queue. Even without a true SMP machine, you may see numerous tasks in this state depending on top’s delay interval and nice value.

%CPU : Represents the share of CPU time spent running the process, as a percentage. By default top output is sorted by CPU usage.

%MEM : Represents the percentage of the system’s physical memory which is used by the process.

Please refer to the explanations above for the CPU and MEM stats.

TIME+ : The total time the CPU(s) have spent running the process.

COMMAND : The command used to start the process.


TOP Command Example with Shortcuts


You can use the shortcuts below to use the “top” command more efficiently.

Set ‘Screen Refresh Interval’ [delay in top output] in Top
d or s – To change the time interval for updating top results (value is in seconds)


Show/Hide lines
If you don’t want to see all the information, you can hide parts of it with the shortcuts below:
l – To display or hide the load average line
t – To display or hide the task/CPU line
m – To display or hide the RAM and swap details
1 – To display or hide all other CPUs


Display Specific User Process
You can run the top command with the -u option to show only a specific user’s processes, or you can use the shortcut in the “top” window:

top -u root

u — Press u then username to get only that user process details


Sorting the output
By default top output is sorted by CPU usage. You can change the order with the shortcuts below:
P – To sort by CPU utilization
M – To sort by RAM utilization
R – To sort by PID number


Kill running process
k – To kill a process, press k, then the PID number, then Enter


Highlight Running Process in Top
z – Press ‘z’ to display running processes in color, which may help you identify running processes easily.


Renice a Process
r – To renice a process, press r, then the PID number, then the renice value


Shows absolute path of the processes
c – To display or hide the full command path


Sorting the top output via field letter
O – Press (Shift+O) to sort by field letter; for example, press the letter ‘a’ to sort processes by PID (Process ID)


Press ‘W’ to save your work for next time.
Press ‘q’ to quit the window.

I hope you liked the explanation of the “top” command. So let’s start using this command in our day-to-day activities to get rid of all process-related issues.

3 thoughts on “Unix Top Command Explanation With Examples”

  1. Really a good article. Can you please explain utilization of top command with scenario wise with some examples i.e using it for specific purposes ?
