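def getSampleEvents(eventtype, args):
    """Return up to MAX_SAMPLES raw sample events matching *eventtype*.

    Args:
        eventtype: an eventtype search expression. An empty string runs no
            search and yields an empty list.
        args: request parameters (dict-like). Only the optional 'maxtime'
            key is read; it is parsed with splunk.util.parseISO (presumably
            an ISO-8601 timestamp) and used as the search's latest_time.

    Returns:
        A list of raw event strings, ``r.raw.getRaw()`` for each result
        returned by se.searchAll.

    Raises:
        Exception: if *eventtype* is a search pipeline (leading "|") or
            shu.getJustCommands reports more than one command in it.
    """
    if eventtype == '':
        return []
    # The eventtype is spliced into an SPL string below, so reject anything
    # that would introduce a command into the pipeline. Only backslashes are
    # escaped afterwards; this check is the actual guard.
    if eventtype.strip().startswith("|") or len(shu.getJustCommands(eventtype, None)) > 1:
        raise Exception("Eventtypes cannot contain search commands")
    escaped = eventtype.replace('\\', '\\\\')
    query = "search %s | head %s | fields | abstract maxlines=%s " % (
        escaped, MAX_SAMPLES, MAX_LINES)

    results = []
    maxtime = args.get('maxtime', None)
    if maxtime is not None:
        # Bound the search by maxtime so the selected event lands at the top.
        epochmaxtime = splunk.util.dt2epoch(splunk.util.parseISO(maxtime))
        results = se.searchAll(query, latest_time=epochmaxtime, status_buckets=1)
    # Too few events under the time bound (or no bound given): search again
    # without a time constraint.
    if len(results) < MIN_SAMPLES:
        results = se.searchAll(query, status_buckets=1)
    return [r.raw.getRaw() for r in results]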
def getStats(result, search):
    """Accumulate token statistics for *search* into *result* (in place).

    For each command name returned by parseutils.getJustCommands(search, None)
    the key ``'<command>_count'`` in *result* is incremented (starting at 0).
    ``'OR_count'``, ``'NOT_count'`` and ``'AND_count'`` are then set to the
    number of space-delimited occurrences of that operator in *search*, and
    ``'unknown_tokens'`` to getUnknown(search). Operator keys are written
    after the command keys and therefore overwrite a clashing command count.

    Returns:
        None; *result* is mutated.
    """
    for name in parseutils.getJustCommands(search, None):
        key = "%s_count" % name
        result[key] = 1 + result.get(key, 0)
    for operator in ("OR", "NOT", "AND"):
        padded = " %s " % operator
        result["%s_count" % operator] = search.count(padded)
    result['unknown_tokens'] = getUnknown(search)
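def getSampleEvents(eventtype, args, fast=True):
    """Return up to MAX_SAMPLES raw sample events matching *eventtype*.

    Args:
        eventtype: an eventtype search expression. An empty string runs no
            search and yields an empty list.
        args: request parameters (dict-like). 'sid' is required when
            *eventtype* is non-empty and names the search job reused via
            ``| loadjob``; the optional 'maxtime' is parsed with
            splunk.util.parseISO and used as the search's latest_time.
        fast: when True, query the existing job through ``loadjob`` and,
            if that returns nothing (e.g. the job expired), retry once with
            fast=False as a plain ``search``.

    Returns:
        A list of raw event strings, ``r.raw.getRaw()`` for each result.
        Previously the function fell off its end and returned None on
        every path that did not retry; it now always returns a list.

    Raises:
        Exception: if *eventtype* is a search pipeline (leading "|") or
            shu.getJustCommands reports more than one command in it.
        KeyError: if *eventtype* is non-empty and args has no 'sid'.
    """
    if eventtype == '':
        return []
    # The eventtype is spliced into an SPL string below, so reject anything
    # that would introduce a command into the pipeline.
    if eventtype.strip().startswith("|") or len(shu.getJustCommands(eventtype, None)) > 1:
        raise Exception("Eventtypes cannot contain search commands")
    # Keep the unescaped eventtype for the fast=False retry below; passing
    # the escaped form would double the backslashes a second time.
    escaped = eventtype.replace('\\', '\\\\')
    sid = args['sid']

    if fast:
        # Best effort: finalize the job so loadjob can read it. Failures are
        # deliberately ignored; the loadjob query is attempted either way.
        try:
            job = se.getJob(sid)
            job.finalize()
            # The job isn't readable immediately after finalize(); wait for it.
            se.waitForJob(job, MAX_JOB_WAIT)
        except Exception:
            pass
        # NOTE(review): sid is spliced into the pipeline without validation;
        # confirm it is a server-issued job id and not free text from the request.
        query = "| loadjob %s | search %s | head %s | fields | abstract maxlines=%s " % (
            sid, escaped, MAX_SAMPLES, MAX_LINES)
    else:
        query = "search %s | head %s | fields | abstract maxlines=%s " % (
            escaped, MAX_SAMPLES, MAX_LINES)

    # Limits shared by both searchAll calls: cap output/result counts and
    # runtime, and have the job auto-cancelled shortly after the wait budget.
    limits = dict(
        status_buckets=1,
        auto_finalize_ec=MAX_SAMPLES,
        max_out=MAX_SAMPLES,
        max_count=MAX_SAMPLES,
        max_time=MAX_JOB_WAIT,
        enable_lookups=0,
        auto_cancel=int(1.5 * MAX_JOB_WAIT),
    )

    results = []
    maxtime = args.get('maxtime', None)
    if maxtime is not None:
        # Bound the search by maxtime so the selected event lands at the top.
        epochmaxtime = splunk.util.dt2epoch(splunk.util.parseISO(maxtime))
        results = se.searchAll(query, latest_time=epochmaxtime, **limits)
    # No results on the fast path may mean the job expired: rerun as a plain search.
    # NOTE(review): this check sitting outside the maxtime branch is inferred
    # from the collapsed source -- confirm against the original layout.
    if fast and len(results) == 0:
        return getSampleEvents(eventtype, args, False)
    # Too few events under the time bound (or no bound given): search again
    # without a time constraint.
    if len(results) < MIN_SAMPLES:
        results = se.searchAll(query, **limits)
    return [r.raw.getRaw() for r in results]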
def getSampleEvents(eventtype, args):
    """Fetch up to MAX_SAMPLES raw sample events for *eventtype*.

    Args:
        eventtype: an eventtype search expression; '' yields [] without
            running any search.
        args: request parameters (dict-like). Only the optional 'maxtime'
            key is read; it goes through splunk.util.parseISO and
            splunk.util.dt2epoch to become the search's latest_time.

    Returns:
        A list of raw event strings (``raw.getRaw()`` of each result).

    Raises:
        Exception: if *eventtype* starts with "|" or shu.getJustCommands
            finds more than one command in it.
    """
    if eventtype == '':
        return []
    leading_pipe = eventtype.strip().startswith("|")
    if leading_pipe or len(shu.getJustCommands(eventtype, None)) > 1:
        raise Exception("Eventtypes cannot contain search commands")
    # Only backslashes are escaped before the eventtype is spliced into SPL;
    # the command check above is what keeps extra commands out of the query.
    query = "search %s | head %s | fields | abstract maxlines=%s " % (
        eventtype.replace('\\', '\\\\'), MAX_SAMPLES, MAX_LINES)

    def run(**bounds):
        return se.searchAll(query, status_buckets=1, **bounds)

    found = []
    maxtime = args.get('maxtime', None)
    if maxtime is not None:
        # Time-bounded first pass so the selected event is at the top.
        latest = splunk.util.dt2epoch(splunk.util.parseISO(maxtime))
        found = run(latest_time=latest)
    # Not enough events (or no time bound): unconstrained second pass.
    if len(found) < MIN_SAMPLES:
        found = run()
    return [event.raw.getRaw() for event in found]