Docs Menu

Docs HomeMongoDB Database Tools

mongotop

On this page

  • Description
  • Compatibility
  • Installation
  • Syntax
  • Required Access
  • Behavior
  • Options
  • Fields
  • Examples
  • Additional Information

Description

mongotop provides a method to track the amount of time a MongoDB instance mongod spends reading and writing data. mongotop provides statistics on a per-collection level. By default, mongotop returns values every second.

Run mongotop from the system command line, not the mongo shell.

Versioning

Starting with MongoDB 4.4, mongotop is now released separately from the MongoDB Server and uses its own versioning, with an initial version of 100.0.0. Previously, mongotop was released alongside the MongoDB Server and used matching versioning.

For documentation on the MongoDB 4.2 or earlier versions of mongotop, reference the MongoDB Server Documentation for that version of the tool:

Note

Quick links to older documentation

This documentation is for version 100.9.0 of mongotop.

Compatibility

MongoDB Server Compatibility

mongotop version 100.9.0 supports the following versions of the MongoDB Server:

  • MongoDB 7.0

  • MongoDB 6.0

  • MongoDB 5.0

  • MongoDB 4.4

  • MongoDB 4.2

While mongotop may work on earlier versions of MongoDB server, any such compatibility is not guaranteed.

Platform Support

mongotop version 100.9.0 is supported on the following platforms:

x86_64
ARM64
PPC64LE
s390x
Amazon Linux 2023

Amazon 2

Amazon 2013.03+

Debian 10

Debian 9

Debian 8

RHEL / CentOS 9

RHEL / CentOS 8

RHEL / CentOS 7

RHEL / CentOS 6

SUSE 15

SUSE 12

Ubuntu 20.04

Ubuntu 18.04

Ubuntu 16.04

Windows 8 and later

Windows Server 2012 and later

macOS 11 and later

macOS 10.12 - 10.15

Installation

The mongotop tool is part of the MongoDB Database Tools package:

Follow the Database Tools Installation Guide to install mongotop.

Syntax

The mongotop command has the following form:

mongotop <options> <connection-string> <polling interval in seconds>

Run mongotop from the system command line, not the mongo shell.

Running mongotop without any command-line options will connect to the mongod instance running on localhost over port 27017, and will return values every second by default.

mongotop

To have mongotop report every 30 seconds, specify the polling interval:

mongotop 30

When connected to a mongod instance, the program reports first on the connection and then reports on the statistics at the configured frequency.

2019-04-29T15:35:27.785-0400 connected to: 127.0.0.1
             ns    total      read      write    <timestamp>
<db.collection>    81802ms     0ms    81802ms
...

Command Line Options

mongotop [options] [frequency]

You can run mongotop with various command-line options.

For example, to connect mongotop to a mongod instance running on a remote host mongodb0.example.com and report every 30 seconds:

  • You can include the desired frequency of reporting (in this example, 30 seconds) and the --uri option to specify the host and port:

    mongotop 30 --uri='mongodb://mongodb0.example.com:27017' [additional options]

    If the mongod instance requires authentication, you can specify the user, password, and authentication database as part of the URI connection string:

    mongotop 30 --uri='mongodb://user:password@mongodb0.example.com:27017/?authSource=admin' [additional options]

    The user running mongotop must have the serverStatus and top privileges.

    For more information on the URI connection string, see --uri.

  • Alternatively, you can use the --host and --port options to specify the host and port:

    mongotop 30 --host=mongodb0.example.com --port=27017 [additional options]

    If the mongod instance requires authentication, you can specify the user -u, and the authentication database --authenticationDatabase. Omit the --password option to have mongoexport prompt for the password.

    mongotop 30 --host=mongodb0.example.com --port=27017 -u=user --authenticationDatabase=admin [additional options]

    The user running mongotop must have the serverStatus and top privileges.

For more information on the options available, see Options.

When connected to a mongod instance, the program reports first on the connection and then reports on the statistics at the configured frequency.

2019-04-29T15:35:27.785-0400 connected to: 127.0.0.1
             ns    total      read      write    <timestamp>
<db.collection>    81802ms     0ms    81802ms
...

Required Access

In order to connect to a mongod that enforces authorization, the connecting user must have the serverStatus and top privileges.

The built-in role clusterMonitor provides these privileges.

Behavior

Polling

The mongotop program uses the top command to collect data. However, while top returns cumulative usage statistics, mongotop resets the usage statistics for each polling interval.

FIPS

mongotop automatically creates FIPS-compliant connections to a mongod/mongos that is configured to use FIPS mode.

Options

--help

Returns information on the options and use of mongotop.

--verbose, -v

Increases the amount of internal reporting returned on standard output or in log files. Increase the verbosity with the -v form by including the option multiple times, (e.g. -vvvvv.)

--quiet

Runs mongotop in a quiet mode that attempts to limit the amount of output.

This option suppresses:

  • output from database commands

  • replication activity

  • connection accepted events

  • connection closed events

--version

Returns the mongotop release number.

--config=<filename>

New in version 100.3.0.

Specifies the full path to a YAML configuration file containing sensitive values for the following options to mongotop:

This is the recommended way to specify a password to mongotop, aside from specifying it through a password prompt.

The configuration file takes the following form:

password: <password>
uri: mongodb://mongodb0.example.com:27017
sslPEMKeyPassword: <password>

Specifying a password to the password: field and providing a connection string in the uri: field which contains a conflicting password will result in an error.

Be sure to secure this file with appropriate filesystem permissions.

Note

If you specify a configuration file with --config and also use the --password, --uri or --sslPEMKeyPassword option to mongotop, each command line option overrides its corresponding option in the configuration file.

--uri=<connectionString>

Specifies the resolvable URI connection string of the MongoDB deployment, enclosed in quotes:

--uri="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"

Starting with version 100.0 of mongotop, the connection string may alternatively be provided as a positional parameter, without using the --uri option:

mongotop mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]

As a positional parameter, the connection string may be specified at any point on the command line, as long as it begins with either mongodb:// or mongodb+srv://. For example:

mongotop --username joe --password secret1 mongodb://mongodb0.example.com:27017 --ssl

Only one connection string can be provided. Attempting to include more than one, whether using the --uri option or as a positional argument, will result in an error.

For information on the components of the connection string, see the Connection String URI Format documentation.

Note

Some components in the connection string may alternatively be specified using their own explicit command-line options, such as --username and --password. Providing a connection string while also using an explicit option and specifying conflicting information will result in an error.

Note

If using mongotop on Ubuntu 18.04, you may experience a cannot unmarshal DNS error message when using SRV connection strings (in the form mongodb+srv://) with the --uri option. If so, use one of the following options instead:

Warning

On some systems, a password provided in a connection string with the --uri option may be visible to system status programs such as ps that may be invoked by other users. Consider instead:

  • omitting the password in the connection string to receive an interactive password prompt, or

  • using the --config option to specify a configuration file containing the password.

--host=<hostname><:port>, -h=<hostname><:port>

Default: localhost:27017

Specifies the resolvable hostname of the MongoDB deployment. By default, mongotop attempts to connect to a MongoDB instance running on the localhost on port number 27017.

To connect to a replica set, specify the replSetName and a seed list of set members, as in the following:

--host=<replSetName>/<hostname1><:port>,<hostname2><:port>,<...>

When specifying the replica set list format, mongotop always connects to the primary.

You can also connect to any single member of the replica set by specifying the host and port of only that member:

--host=<hostname1><:port>

If you use IPv6 and use the <address>:<port> format, you must enclose the portion of an address and port combination in brackets (e.g. [<address>]).

Alternatively, you can also specify the hostname directly in the URI connection string. Providing a connection string while also using --host and specifying conflicting information will result in an error.

If connected to a replica set where the primary is not reachable, mongotop returns an error message.

--port=<port>

Default: 27017

Specifies the TCP port on which the MongoDB instance listens for client connections.

Alternatively, you can also specify the port directly in the URI connection string. Providing a connection string while also using --port and specifying conflicting information will result in an error.

--ssl

Enables connection to a mongod or mongos that has TLS/SSL support enabled.

Alternatively, you can also configure TLS/SSL support directly in the URI connection string. Providing a connection string while also using --ssl and specifying conflicting information will result in an error.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

--sslCAFile=<filename>

Specifies the .pem file that contains the root certificate chain from the Certificate Authority. Specify the file name of the .pem file using relative or absolute paths.

Alternatively, you can also specify the .pem file directly in the URI connection string. Providing a connection string while also using --sslCAFile and specifying conflicting information will result in an error.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

--sslPEMKeyFile=<filename>

Specifies the .pem file that contains both the TLS/SSL certificate and key. Specify the file name of the .pem file using relative or absolute paths.

This option is required when using the --ssl option to connect to a mongod or mongos that has CAFile enabled without allowConnectionsWithoutCertificates.

Alternatively, you can also specify the .pem file directly in the URI connection string. Providing a connection string while also using --sslPEMKeyFile and specifying conflicting information will result in an error.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

--sslPEMKeyPassword=<value>

Specifies the password to de-crypt the certificate-key file (i.e. --sslPEMKeyFile). Use the --sslPEMKeyPassword option only if the certificate-key file is encrypted. In all cases, the mongotop will redact the password from all logging and reporting output.

If the private key in the PEM file is encrypted and you do not specify the --sslPEMKeyPassword option, the mongotop will prompt for a passphrase. See TLS/SSL Certificate Passphrase.

Alternatively, you can also specify the password directly in the URI connection string. Providing a connection string while also using --sslPEMKeyPassword and specifying conflicting information will result in an error.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

Warning

On some systems, a password provided directly using the --sslPEMKeyPassword option may be visible to system status programs such as ps that may be invoked by other users. Consider using the --config option to specify a configuration file containing the password instead.

--sslCRLFile=<filename>

Specifies the .pem file that contains the Certificate Revocation List. Specify the file name of the .pem file using relative or absolute paths.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

--sslAllowInvalidCertificates

Bypasses the validation checks for server certificates and allows the use of invalid certificates. When using the allowInvalidCertificates setting, MongoDB logs as a warning the use of the invalid certificate.

Warning

Although available, avoid using the --sslAllowInvalidCertificates option if possible. If the use of --sslAllowInvalidCertificates is necessary, only use the option on systems where intrusion is not possible.

Connecting to a mongod or mongos instance without validating server certificates is a potential security risk. If you only need to disable the validation of the hostname in the TLS/SSL certificates, see --sslAllowInvalidHostnames.

Alternatively, you can also disable certificate validation directly in the URI connection string. Providing a connection string while also using --sslAllowInvalidCertificates and specifying conflicting information will result in an error.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

--sslAllowInvalidHostnames

Disables the validation of the hostnames in TLS/SSL certificates. Allows mongotop to connect to MongoDB instances even if the hostname in their certificates do not match the specified hostname.

Alternatively, you can also disable hostname validation directly in the URI connection string. Providing a connection string while also using --sslAllowInvalidHostnames and specifying conflicting information will result in an error.

For more information about TLS/SSL and MongoDB, see Configure mongod and mongos for TLS/SSL and TLS/SSL Configuration for Clients.

--username=<username>, -u=<username>

Specifies a username with which to authenticate to a MongoDB database that uses authentication. Use in conjunction with the --password and --authenticationDatabase options.

Alternatively, you can also specify the username directly in the URI connection string. Providing a connection string while also using --username and specifying conflicting information will result in an error.

If connecting to a MongoDB Atlas cluster using the MONGODB-AWS authentication mechanism, you can specify your AWS access key ID in:

See Connect to a MongoDB Atlas Cluster using AWS IAM Credentials for an example of each.

--password=<password>, -p=<password>

Specifies a password with which to authenticate to a MongoDB database that uses authentication. Use in conjunction with the --username and --authenticationDatabase options.

To prompt the user for the password, pass the --username option without --password or specify an empty string as the --password value, as in --password "" .

Alternatively, you can also specify the password directly in the URI connection string. Providing a connection string while also using --password and specifying conflicting information will result in an error.

If connecting to a MongoDB Atlas cluster using the MONGODB-AWS authentication mechanism, you can specify your AWS secret access key in:

See Connect to a MongoDB Atlas Cluster using AWS IAM Credentials for an example of each.

Warning

On some systems, a password provided directly using the --password option may be visible to system status programs such as ps that may be invoked by other users. Consider instead:

  • omitting the --password option to receive an interactive password prompt, or

  • using the --config option to specify a configuration file containing the password.

--awsSessionToken=<AWS Session Token>

If connecting to a MongoDB Atlas cluster using the MONGODB-AWS authentication mechanism, and using session tokens in addition to your AWS access key ID and secret access key, you can specify your AWS session token in:

See Connect to a MongoDB Atlas Cluster using AWS IAM Credentials for an example of each.

Only valid when using the MONGODB-AWS authentication mechanism.

--authenticationDatabase=<dbname>

Specifies the authentication database where the specified --username has been created. --authenticationDatabase is required for mongod and mongos instances that use Authentication. See Authentication Database.

If using the GSSAPI (Kerberos), PLAIN (LDAP SASL), or MONGODB-AWS authentication mechanisms, you must set --authenticationDatabase to $external.

Alternatively, you can also specify the authentication database directly in the URI connection string. Providing a connection string while also using --authenticationDatabase and specifying conflicting information will result in an error.

--authenticationMechanism=<name>

Default: SCRAM-SHA-1

Specifies the authentication mechanism the mongotop instance uses to authenticate to the mongod or mongos.

Changed in version 100.1.0: Starting in version 100.1.0, mongotop adds support for the MONGODB-AWS authentication mechanism when connecting to a MongoDB Atlas cluster.

Value
Description
SCRAM-SHA-1
RFC 5802 standard Salted Challenge Response Authentication Mechanism using the SHA-1 hash function.
SCRAM-SHA-256

RFC 7677 standard Salted Challenge Response Authentication Mechanism using the SHA-256 hash function.

Requires featureCompatibilityVersion set to 4.0.

MONGODB-X509
MongoDB TLS/SSL certificate authentication.
MONGODB-AWS

External authentication using AWS IAM credentials for use in connecting to a MongoDB Atlas cluster. See Connect to a MongoDB Atlas Cluster using AWS IAM Credentials.

New in version 100.1.0.

GSSAPI (Kerberos)
External authentication using Kerberos. This mechanism is available only in MongoDB Enterprise.
PLAIN (LDAP SASL)
External authentication using LDAP. You can also use PLAIN for authenticating in-database users. PLAIN transmits passwords in plain text. This mechanism is available only in MongoDB Enterprise.

Alternatively, you can also specify the authentication mechanism directly in the URI connection string. Providing a connection string while also using --authenticationMechanism and specifying conflicting information will result in an error.

--gssapiServiceName=<serviceName>

Specify the name of the service using GSSAPI/Kerberos. Only required if the service does not use the default name of mongodb.

This option is available only in MongoDB Enterprise.

--gssapiHostName=<hostname>

Specify the hostname of a service using GSSAPI/Kerberos. Only required if the hostname of a machine does not match the hostname resolved by DNS.

This option is available only in MongoDB Enterprise.

--locks

Toggles the mode of mongotop to report on use of per-database locks. This data is only available when connected to a MongoDB 2.6 or older instance.

--locks returns an error when called against a mongod 3.0 or newer instance that does not report per-database lock usage.

--rowcount=<int>, -n=<int>

Number of lines of data that mongotop should print. "0 for indefinite"

--json

Returns output for mongotop in JSON format. In addition to timing data, the --json option also returns a count of the number of operations which took place during the polling interval.

<sleeptime>

The final argument is the length of time, in seconds, that mongotop waits in between calls. By default mongotop returns data every second.

Fields

When connected to a mongod instance, the program reports first on the connection and then reports on the statistics at the configured frequency. mongotop returns time values specified in milliseconds (ms.)

2019-04-29T15:35:27.785-0400 connected to: 127.0.0.1
             ns    total      read      write    <timestamp>
<db.collection>    81802ms     0ms    81802ms
...
             ns    total      read      write    <timestamp>
<db.collection>    0ms         0ms        0ms
...

mongotop only reports active namespaces or databases, depending on the --locks option. If you don't see a database or collection, it has received no recent activity. You can issue a simple operation in the mongo shell to generate activity to affect the output of mongotop.

mongotop.ns

Contains the database namespace, which combines the database name and collection.

If you use the mongotop --locks, the ns field does not appear in the mongotop output.

mongotop.db

Contains the name of the database. The database named . refers to the global lock, rather than a specific database.

This field does not appear unless you have invoked mongotop with the --locks option.

mongotop.total

Provides the total amount of time that this mongod spent operating on this namespace.

mongotop.read

Provides the amount of time that this mongod spent performing read operations on this namespace.

mongotop.write

Provides the amount of time that this mongod spent performing write operations on this namespace.

mongotop.<timestamp>

Provides a time stamp for the returned data.

Examples

Run mongotop from the system command line, not the mongo shell.

By default mongotop connects to the MongoDB instance running on the localhost port 27017. However, mongotop can optionally connect to remote mongod instances. See the mongotop options for more information.

To force mongotop to return less frequently specify a number, in seconds at the end of the command. In this example, mongotop will return every 15 seconds.

mongotop 15

This command produces the following output:

2019-04-29T15:35:27.785-0400 connected to: 127.0.0.1
                    ns    total    read    write    2019-04-29T15:35:57-04:00
    admin.system.roles      0ms     0ms      0ms
    admin.system.users      0ms     0ms      0ms
  admin.system.version      0ms     0ms      0ms
config.system.sessions      0ms     0ms      0ms
     local.startup_log      0ms     0ms      0ms
  local.system.replset      0ms     0ms      0ms

To return a mongotop report every 5 minutes, use the following command:

mongotop 300

Connect to a MongoDB Atlas Cluster using AWS IAM Credentials

New in version 100.1.0.

To connect to a MongoDB Atlas cluster which has been configured to support authentication via AWS IAM credentials, provide a connection string to mongotop similar to the following:

mongotop 'mongodb+srv://<aws access key id>:<aws secret access key>@cluster0.example.com/testdb?authSource=$external&authMechanism=MONGODB-AWS' <other options>

Connecting to Atlas using AWS IAM credentials in this manner uses the MONGODB-AWS authentication mechanism and the $external authSource, as shown in this example.

If using an AWS session token, as well, provide it with the AWS_SESSION_TOKEN authMechanismProperties value, as follows:

mongotop 'mongodb+srv://<aws access key id>:<aws secret access key>@cluster0.example.com/testdb?authSource=$external&authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:<aws session token>' <other options>

Note

If the AWS access key ID, secret access key, or session token include the following characters:

: / ? # [ ] @

those characters must be converted using percent encoding.

Alternatively, the AWS access key ID, secret access key, and optionally session token can each be provided outside of the connection string using the --username, --password, and --awsSessionToken options instead, like so:

mongotop 'mongodb+srv://cluster0.example.com/testdb?authSource=$external&authMechanism=MONGODB-AWS' --username <aws access key id> --password <aws secret access key> --awsSessionToken <aws session token> <other options>

When provided as command line parameters, these three options do not require percent encoding.

You may also set these credentials on your platform using standard AWS IAM environment variables. mongotop checks for the following environment variables when you use the MONGODB-AWS authentication mechanism:

  • AWS_ACCESS_KEY_ID

  • AWS_SECRET_ACCESS_KEY

  • AWS_SESSION_TOKEN

If set, these credentials do not need to be specified in the connection string or via their explicit options.

Note

If you chose to use the AWS environment variables to specify these values, you cannot mix and match with the corresponding explicit or connection string options for these credentials. Either use the environment variables for access key ID and secret access key (and session token if used), or specify each of these using the explicit or connection string options instead.

The following example sets these environment variables in the bash shell:

export AWS_ACCESS_KEY_ID='<aws access key id>'
export AWS_SECRET_ACCESS_KEY='<aws secret access key>'
export AWS_SESSION_TOKEN='<aws session token>'

Syntax for setting environment variables in other shells will be different. Consult the documentation for your platform for more information.

You can verify that these environment variables have been set with the following command:

env | grep AWS

Once set, the following example connects to a MongoDB Atlas cluster using these environment variables:

mongotop 'mongodb+srv://cluster0.example.com/testdb?authSource=$external&authMechanism=MONGODB-AWS'  <other options>

Additional Information

For more information about monitoring MongoDB, see Monitoring for MongoDB.

For additional background on various other MongoDB status outputs see:

For an additional utility that provides MongoDB metrics see mongostat.

←  mongostatmongofiles →

On this page

Share Feedback