Deployment Architecture

For splunk search 7.0.0. Getting Search process did not exit cleanly, exit_code=255, description="exited with code 255".

Venkat_16
Contributor

its a distributed search head. Please find the below search.log information:

09-25-2018 06:17:18.345 INFO dispatchRunner - Search process mode: preforked (first search in process) (build c8a78efdd40f).
09-25-2018 06:17:18.346 INFO dispatchRunner - initing LicenseMgr in search process: nonPro=0
09-25-2018 06:17:18.346 INFO LicenseMgr - Initing LicenseMgr
09-25-2018 06:17:18.346 INFO LMConfig - serverName=PROD-SH-1 guid=D23FC9B5-262E-422F-81CF-45B5F5C63769
09-25-2018 06:17:18.349 INFO LMConfig - connection_timeout=30
09-25-2018 06:17:18.349 INFO LMConfig - send_timeout=30
09-25-2018 06:17:18.349 INFO LMConfig - receive_timeout=30
09-25-2018 06:17:18.349 INFO LMConfig - squash_threshold=2000
09-25-2018 06:17:18.349 INFO LMConfig - strict_pool_quota=1
09-25-2018 06:17:18.349 INFO LMConfig - key=pool_suggestion not found in licenser stanza of server.conf, defaulting=''
09-25-2018 06:17:18.349 INFO LMConfig - key=test_aws_metering not found in licenser stanza of server.conf, defaulting=0
09-25-2018 06:17:18.349 INFO LMConfig - key=test_aws_product_code not found in licenser stanza of server.conf, defaulting=0
09-25-2018 06:17:18.349 INFO LicenseMgr - Initing LicenseMgr runContext_splunkd=false
09-25-2018 06:17:18.349 INFO LMStackMgr - closing stack mgr
09-25-2018 06:17:18.349 INFO LMSlaveInfo - all slaves cleared
09-25-2018 06:17:18.349 INFO LMStackMgr - partial init only since node has remote master=https://10.33.9.9:8089
09-25-2018 06:17:18.349 INFO LicenseMgr - StackMgr init complete...
09-25-2018 06:17:18.349 INFO LMTracker - Setting default product type='enterprise'
09-25-2018 06:17:18.349 INFO LMTracker - this is not splunkd, will perform partial init
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=Acceleration state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=AdvancedSearchCommands state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=AdvancedXML state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=Alerting state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=ArchiveToHdfs state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=Auth state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=CustomRoles state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=DeployClient state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=DeployServer state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=DistSearch state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=FwdData state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=GuestPass state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=KVStore state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=LDAPAuth state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=LocalSearch state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=MultifactorAuth state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=MultisiteClustering state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=NontableLookups state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=RcvData state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=RcvSearch state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=RollingWindowAlerts state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=SAMLAuth state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=ScheduledAlerts state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=ScheduledReports state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO LMTracker - Setting feature=ScheduledSearch state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.350 INFO LMTracker - Setting feature=ScriptedAuth state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.350 INFO LMTracker - Setting feature=SearchheadPooling state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.350 INFO LMTracker - Setting feature=SigningProcessor state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.350 INFO LMTracker - Setting feature=SplunkWeb state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.350 INFO LMTracker - Setting feature=SubgroupId state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.350 INFO LMTracker - Setting feature=SyslogOutputProcessor state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.350 INFO LMTracker - Setting feature=UnisiteClustering state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.350 INFO LicenseMgr - Tracker init complete...
09-25-2018 06:17:18.356 INFO AdminManagerDispatch - added factory for admin handler: 'licenses'
09-25-2018 06:17:18.356 INFO AdminManagerDispatch - added factory for admin handler: 'pools'
09-25-2018 06:17:18.356 INFO AdminManagerDispatch - added factory for admin handler: 'stacks'
09-25-2018 06:17:18.356 INFO AdminManagerDispatch - added factory for admin handler: 'groups'
09-25-2018 06:17:18.356 INFO AdminManagerDispatch - added factory for admin handler: 'slaves'
09-25-2018 06:17:18.356 INFO AdminManagerDispatch - added factory for admin handler: 'localslave'
09-25-2018 06:17:18.356 INFO AdminManagerDispatch - added factory for admin handler: 'licensermessages'
09-25-2018 06:17:18.356 INFO AdminManagerDispatch - added factory for admin handler: 'scriptedwarning'
09-25-2018 06:17:18.356 INFO AdminManagerDispatch - added factory for admin handler: 'licenseusage'
09-25-2018 06:17:18.357 INFO dispatchRunner - registering build time modules, count=1
09-25-2018 06:17:18.357 INFO dispatchRunner - registering search time components of build time module name=vix
09-25-2018 06:17:18.357 INFO dispatchRunner - Getting search configuration data from: /opt/splunk/etc/modules/parsing/config.xml
09-25-2018 06:17:18.360 INFO BundlesSetup - Setup stats for /opt/splunk/etc: wallclock_elapsed_msec=48, cpu_time_used=0.046992, shared_services_generation=2, shared_services_population=1
09-25-2018 06:17:18.374 INFO UserManagerPro - Load authentication: forcing roles="admin, alert_manager_user, export data role, power, user"
09-25-2018 06:17:18.378 INFO SessionManager - auth tokens will be generated with shpooling shared secret
09-25-2018 06:17:18.378 INFO UserManager - Setting user context: splunk-system-user
09-25-2018 06:17:18.378 INFO UserManager - Done setting user context: NULL -> splunk-system-user
09-25-2018 06:17:18.380 INFO UserManager - Unwound user context: splunk-system-user -> NULL
09-25-2018 06:17:18.380 INFO UserManager - Setting user context: admin
09-25-2018 06:17:18.380 INFO UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.380 INFO dispatchRunner - search context: user="admin", app="nmon", bs-pathname="/opt/splunk/etc"
09-25-2018 06:17:18.386 WARN IndexConfig - idx=telemetry Path homePath='/opt/splunk/var/lib/splunk/_telemetry/db' (realpath '/opt/splunk/var/lib/splunk/_telemetry/db') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume. Space used by homePath will not be volume-mananged. Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.386 WARN IndexConfig - idx=_telemetry Path coldPath='/opt/splunk/var/lib/splunk/_telemetry/colddb' (realpath '/opt/splunk/var/lib/splunk/_telemetry/colddb') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume. Space used by coldPath will not be volume-mananged. Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.387 WARN IndexConfig - idx=alerts Path homePath='/opt/splunk/var/lib/splunk/alerts/db' (realpath '/opt/splunk/var/lib/splunk/alerts/db') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume. Space used by homePath will not be volume-mananged. Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.387 WARN IndexConfig - idx=alerts Path coldPath='/opt/splunk/var/lib/splunk/alerts/colddb' (realpath '/opt/splunk/var/lib/splunk/alerts/colddb') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume. Space used by coldPath will not be volume-mananged. Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.387 WARN IndexConfig - idx=ioc Path homePath='/opt/splunk/var/lib/splunk/iocdb/db' (realpath '/opt/splunk/var/lib/splunk/iocdb/db') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume. Space used by homePath will not be volume-mananged. Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.387 WARN IndexConfig - idx=ioc Path coldPath='/opt/splunk/var/lib/splunk/iocdb/colddb' (realpath '/opt/splunk/var/lib/splunk/iocdb/colddb') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume. Space used by coldPath will not be volume-mananged. Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.387 WARN IndexConfig - Max bucket size is larger than the index size limit. Please check your index configuration. idx=main; bucket size in MB (from maxDataSize) 10240, maxDataSizeMB=1024
09-25-2018 06:17:18.387 WARN IndexConfig - idx=nmon Path homePath='/opt/splunk/var/lib/splunk/nmon/db' (realpath '/opt/splunk/var/lib/splunk/nmon/db') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume. Space used by homePath will not be volume-mananged. Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.387 WARN IndexConfig - idx=nmon Path coldPath='/opt/splunk/var/lib/splunk/nmon/colddb' (realpath '/opt/splunk/var/lib/splunk/nmon/colddb') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume. Space used by coldPath will not be volume-mananged. Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.388 WARN IndexConfig - idx=threat_activity Path homePath='/opt/splunk/var/lib/splunk/threat_activitydb/db' (realpath '/opt/splunk/var/lib/splunk/threat_activitydb/db') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume. Space used by homePath will not be volume-mananged. Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.388 WARN IndexConfig - idx=threat_activity Path coldPath='/opt/splunk/var/lib/splunk/threat_activitydb/colddb' (realpath '/opt/splunk/var/lib/splunk/threat_activitydb/colddb') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume. Space used by coldPath will not be volume-mananged. Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.388 WARN IndexConfig - idx=unix_summary Path homePath='/opt/splunk/var/lib/splunk/unix_summary/db' (realpath '/opt/splunk/var/lib/splunk/unix_summary/db') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume. Space used by homePath will not be volume-mananged. Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.389 WARN IndexConfig - idx=unix_summary Path coldPath='/opt/splunk/var/lib/splunk/unix_summary/colddb' (realpath '/opt/splunk/var/lib/splunk/unix_summary/colddb') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume. Space used by coldPath will not be volume-mananged. Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.390 INFO dispatchRunner - Executing the DispatchThread.
09-25-2018 06:17:18.390 INFO SearchParser - PARSING: | pivot NMON_Config Nmon_Config last(AIX_Machine_SerialNumber) AS "AIX_Machine_SerialNumber" dc(hostname) AS "dcount" SPLITROW hostname AS hostname SORT 0 hostname ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 0 | eval serialnum=if(isnull(AIX_Machine_SerialNumber), hostname, AIX_Machine_SerialNumber) | fields hostname,serialnum | stats count
09-25-2018 06:17:18.391 INFO PivotEvaluator - Loading pivot for model 'NMON_Config' and object 'Nmon_Config'
09-25-2018 06:17:18.397 INFO PivotReport - arg: 'last(AIX_Machine_SerialNumber)'
09-25-2018 06:17:18.397 INFO PivotReport - arg: 'dc(hostname)'
09-25-2018 06:17:18.397 INFO PivotReport - arg: 'SPLITROW'
09-25-2018 06:17:18.397 INFO PivotRowCol - adding row
09-25-2018 06:17:18.397 INFO PivotRowCol - next: 'AS'
09-25-2018 06:17:18.397 INFO PivotRowCol - next: 'SORT'
09-25-2018 06:17:18.397 INFO PivotReport - arg: 'SORT'
09-25-2018 06:17:18.397 INFO PivotReport - arg: 'ROWSUMMARY'
09-25-2018 06:17:18.397 INFO PivotReport - arg: 'COLSUMMARY'
09-25-2018 06:17:18.397 INFO PivotReport - arg: 'NUMCOLS'
09-25-2018 06:17:18.397 INFO PivotReport - arg: 'SHOWOTHER'
09-25-2018 06:17:18.398 INFO SortOperator - maxmem = 209715200
09-25-2018 06:17:18.400 INFO ISplunkDispatch - Not running in splunkd. Bundle replication not triggered.
09-25-2018 06:17:18.482 INFO UserManager - Setting user context: admin
09-25-2018 06:17:18.482 INFO UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.482 INFO TsidxStats - Using a chunk size of 10000000
09-25-2018 06:17:18.484 INFO TsidxStats - Initial expanded filtering search: '( nodename=Nmon_Config )'
09-25-2018 06:17:18.487 INFO TsidxStats - Finalized TimeBounds: final_et=1537250400.000000 final_lt=1537856238.000000 info.startTime=1537250400.000000 info.endTime=1537856238.000000
09-25-2018 06:17:18.487 INFO TsidxStats - Using summaryid="57E9834B-43B4-41D0-A3BD-042A352C4C79_DM_nmon_NMON_Config"
09-25-2018 06:17:18.487 INFO SortOperator - maxmem = 209715200
09-25-2018 06:17:18.487 INFO ProxyConfig - Failed to initialize http_proxy from server.conf for splunkd. Please make sure that the http_proxy property is set as http_proxy=http://host:port in case HTTP proxying needs to be enabled.
09-25-2018 06:17:18.487 INFO ProxyConfig - Failed to initialize https_proxy from server.conf for splunkd. Please make sure that the https_proxy property is set as https_proxy=http://host:port in case HTTP proxying needs to be enabled.
09-25-2018 06:17:18.487 INFO ProxyConfig - Failed to initialize the no_proxy setting from server.conf for splunkd. Please provide a valid set of no_proxy rules in case HTTP proxying needs to be enabled.
09-25-2018 06:17:18.542 INFO TsidxStats - Finished evaluating arguments for datamodel-based query
09-25-2018 06:17:18.542 INFO SortOperator - maxmem = 209715200
09-25-2018 06:17:18.542 INFO SearchParser - PARSING: prestats dedup_splitvals=t distinct_count("Nmon_Config.hostname") last("Nmon_Config.AIX_Machine_SerialNumber") by "Nmon_Config.hostname"
09-25-2018 06:17:18.542 INFO SearchParser - PARSING: addinfo type=count label=prereport_events
09-25-2018 06:17:18.543 INFO SearchParser - PARSING: presort 0 auto("Nmon_Config.hostname")
09-25-2018 06:17:18.543 INFO SortOperator - maxmem = 209715200
09-25-2018 06:17:18.543 INFO StatsProcessor - No group-by fields specified, incompatible for high cardinality improvements
09-25-2018 06:17:18.543 INFO DispatchThread - BatchMode: allowBatchMode: 1, conf(1): 1, timeline/Status buckets(0):0, realtime(0):0, report pipe empty(0):0, reqTimeOrder(0):0, summarize(0):0, statefulStreaming(0):0
09-25-2018 06:17:18.543 INFO DispatchThread - required fields list to add to remote search = Nmon_Config.AIX_Machine_SerialNumber,Nmon_Config.hostname,prestats_reserved
,psrsvd_
09-25-2018 06:17:18.543 INFO SearchParser - PARSING: fields keepcolorder=t "Nmon_Config.AIX_Machine_SerialNumber" "Nmon_Config.hostname" "prestats_reserved_" "psrsvd_"
09-25-2018 06:17:18.543 INFO DispatchCommandProcessor - summaryHash=513a3eee1f1aac4d summaryId=57E9834B-43B4-41D0-A3BD-042A352C4C79_nmon_admin_513a3eee1f1aac4d remoteSearch=tstats last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname prestats=true | addinfo type=count label=prereport_events | fields keepcolorder=t "Nmon_Config.AIX_Machine_SerialNumber" "Nmon_Config.hostname" "prestats_reserved_" "psrsvd_" | prestats dedup_splitvals=t distinct_count("Nmon_Config.hostname") last("Nmon_Config.AIX_Machine_SerialNumber") by "Nmon_Config.hostname"
09-25-2018 06:17:18.543 INFO DispatchCommandProcessor - summaryHash=NS98be7406deb91d6f summaryId=57E9834B-43B4-41D0-A3BD-042A352C4C79_nmon_admin_NS98be7406deb91d6f remoteSearch=tstats last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname prestats=true | addinfo type=count label=prereport_events | fields keepcolorder=t "Nmon_Config.AIX_Machine_SerialNumber" "Nmon_Config.hostname" "prestats_reserved_" "psrsvd_" | prestats dedup_splitvals=t distinct_count("Nmon_Config.hostname") last("Nmon_Config.AIX_Machine_SerialNumber") by "Nmon_Config.hostname"
09-25-2018 06:17:18.543 INFO DispatchThread - Getting summary ID for summaryHash=NS98be7406deb91d6f
09-25-2018 06:17:18.550 INFO DispatchThread - Did not find a usable summary_id, setting info.summary_mode=none, not modifying input summary_id=57E9834B-43B4-41D0-A3BD-042A352C4C79_nmon_admin_NS98be7406deb91d6f
09-25-2018 06:17:18.550 INFO DispatchThread - Matches no summary
09-25-2018 06:17:18.550 INFO DispatchThread - SrchOptMetrics check_query_matches_ra=69
09-25-2018 06:17:18.550 INFO SearchParser - PARSING: | tstats last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname prestats=true | stats dedup_splitvals=t last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount by Nmon_Config.hostname | sort limit=0 Nmon_Config.hostname | fields - _span | rename Nmon_Config.hostname AS hostname | fillnull dcount | fields hostname, AIX_Machine_SerialNumber, dcount| eval serialnum=if(isnull(AIX_Machine_SerialNumber), hostname, AIX_Machine_SerialNumber) | fields hostname,serialnum | stats count
09-25-2018 06:17:18.550 INFO SortOperator - maxmem = 209715200
09-25-2018 06:17:18.550 INFO TsidxStats - Using a chunk size of 10000000
09-25-2018 06:17:18.552 INFO TsidxStats - Initial expanded filtering search: '( nodename=Nmon_Config )'
09-25-2018 06:17:18.552 INFO TsidxStats - Finished simple parsing
09-25-2018 06:17:18.552 INFO SortOperator - maxmem = 209715200
09-25-2018 06:17:18.552 INFO StatsProcessor - No group-by fields specified, incompatible for high cardinality improvements
09-25-2018 06:17:18.552 INFO DispatchThread - SrchOptMetrics optimize_toJson=2
09-25-2018 06:17:18.553 INFO ProjElim - Black listed processors=[addinfo]
09-25-2018 06:17:18.553 INFO AstVisitorFactory - Field=hostname will be rewritten to Field=Nmon_Config.hostname
09-25-2018 06:17:18.553 INFO AstVisitorFactory - Field=hostname will be rewritten to Field=Nmon_Config.hostname
09-25-2018 06:17:18.580 INFO DispatchThread - SrchOptMetrics optimization=28
09-25-2018 06:17:18.580 INFO SortOperator - maxmem = 209715200
09-25-2018 06:17:18.580 INFO SearchPipeline - Command='rename' doesnt have raw field
09-25-2018 06:17:18.580 INFO SearchPipeline - Command='eval' doesnt have raw field
09-25-2018 06:17:18.580 INFO DispatchThread - Optimized Search = | tstats last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname prestats=true | stats dedup_splitvals=t last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount by Nmon_Config.hostname | sort limit=0 Nmon_Config.hostname | fields - _span | rename "Nmon_Config.hostname" as hostname | fillnull dcount | fields hostname, AIX_Machine_SerialNumber, dcount | eval serialnum=if(isnull(AIX_Machine_SerialNumber),hostname,AIX_Machine_SerialNumber) | fields hostname,serialnum | stats count
09-25-2018 06:17:18.580 INFO DispatchThread - SrchOptMetrics fromJsontoSpl=1
09-25-2018 06:17:18.580 INFO SearchParser - PARSING: | tstats last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname prestats=true | stats dedup_splitvals=t last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount by Nmon_Config.hostname | sort limit=0 Nmon_Config.hostname | fields - _span | rename "Nmon_Config.hostname" as hostname | fillnull dcount | fields hostname, AIX_Machine_SerialNumber, dcount | eval serialnum=if(isnull(AIX_Machine_SerialNumber),hostname,AIX_Machine_SerialNumber) | fields hostname,serialnum | stats count
09-25-2018 06:17:18.580 INFO SortOperator - maxmem = 209715200
09-25-2018 06:17:18.580 INFO DispatchThread - SrchOptMetrics reparse_optimized_query=1
09-25-2018 06:17:18.580 INFO TsidxStats - Using a chunk size of 10000000
09-25-2018 06:17:18.582 INFO TsidxStats - Initial expanded filtering search: '( nodename=Nmon_Config )'
09-25-2018 06:17:18.582 INFO TsidxStats - Finalized TimeBounds: final_et=1537250400.000000 final_lt=1537856238.000000 info.startTime=1537250400.000000 info.endTime=1537856238.000000
09-25-2018 06:17:18.582 INFO TsidxStats - Using summaryid="57E9834B-43B4-41D0-A3BD-042A352C4C79_DM_nmon_NMON_Config"
09-25-2018 06:17:18.582 INFO SortOperator - maxmem = 209715200
09-25-2018 06:17:18.582 INFO TsidxStats - Could not obtain a valid set of indexes to search
09-25-2018 06:17:18.582 INFO SortOperator - maxmem = 209715200
09-25-2018 06:17:18.582 INFO SearchParser - PARSING: prestats dedup_splitvals=t distinct_count("Nmon_Config.hostname") last("Nmon_Config.AIX_Machine_SerialNumber") by "Nmon_Config.hostname"
09-25-2018 06:17:18.582 INFO SearchParser - PARSING: addinfo type=count label=prereport_events
09-25-2018 06:17:18.582 INFO SearchParser - PARSING: presort 0 auto("Nmon_Config.hostname")
09-25-2018 06:17:18.582 INFO SortOperator - maxmem = 209715200
09-25-2018 06:17:18.582 INFO StatsProcessor - No group-by fields specified, incompatible for high cardinality improvements
09-25-2018 06:17:18.582 INFO DispatchThread - BatchMode: allowBatchMode: 1, conf(1): 1, timeline/Status buckets(0):0, realtime(0):0, report pipe empty(0):0, reqTimeOrder(0):0, summarize(0):0, statefulStreaming(0):0
09-25-2018 06:17:18.582 INFO DispatchThread - required fields list to add to remote search = Nmon_Config.AIX_Machine_SerialNumber,Nmon_Config.hostname,prestats_reserved
,psrsvd_
09-25-2018 06:17:18.582 INFO SearchParser - PARSING: fields keepcolorder=t "Nmon_Config.AIX_Machine_SerialNumber" "Nmon_Config.hostname" "prestats_reserved_" "psrsvd_"
09-25-2018 06:17:18.582 INFO DispatchCommandProcessor - summaryHash=513a3eee1f1aac4d summaryId=57E9834B-43B4-41D0-A3BD-042A352C4C79_nmon_admin_513a3eee1f1aac4d remoteSearch=tstats last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname prestats=true | addinfo type=count label=prereport_events | fields keepcolorder=t "Nmon_Config.AIX_Machine_SerialNumber" "Nmon_Config.hostname" "prestats_reserved_" "psrsvd_" | prestats dedup_splitvals=t distinct_count("Nmon_Config.hostname") last("Nmon_Config.AIX_Machine_SerialNumber") by "Nmon_Config.hostname"
09-25-2018 06:17:18.583 INFO DispatchCommandProcessor - summaryHash=NS98be7406deb91d6f summaryId=57E9834B-43B4-41D0-A3BD-042A352C4C79_nmon_admin_NS98be7406deb91d6f remoteSearch=tstats last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname prestats=true | addinfo type=count label=prereport_events | fields keepcolorder=t "Nmon_Config.AIX_Machine_SerialNumber" "Nmon_Config.hostname" "prestats_reserved_" "psrsvd_" | prestats dedup_splitvals=t distinct_count("Nmon_Config.hostname") last("Nmon_Config.AIX_Machine_SerialNumber") by "Nmon_Config.hostname"
09-25-2018 06:17:18.584 INFO DispatchThread - Setting summary_mode=NONE after optimization
09-25-2018 06:17:18.584 INFO DispatchThread - SrchOptMetrics FinalEval=4
09-25-2018 06:17:18.584 INFO UserManager - Setting user context: admin
09-25-2018 06:17:18.584 INFO UserManager - Done setting user context: admin -> admin
09-25-2018 06:17:18.585 INFO UserManager - Unwound user context: admin -> admin
09-25-2018 06:17:18.585 INFO DistributedSearchResultCollectionManager - Stream search: tstats last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname prestats=true | addinfo type=count label=prereport_events | fields keepcolorder=t "Nmon_Config.AIX_Machine_SerialNumber" "Nmon_Config.hostname" "prestats_reserved_" "psrsvd_" | prestats dedup_splitvals=t distinct_count("Nmon_Config.hostname") last("Nmon_Config.AIX_Machine_SerialNumber") by "Nmon_Config.hostname"
09-25-2018 06:17:18.585 INFO ExternalResultProvider - No external result providers are configured
09-25-2018 06:17:18.585 INFO DistributedSearchResultCollectionManager - ERP_FACTORY initialized, but zero external result provider, hence disabling isERPCollectionEnabled
09-25-2018 06:17:18.585 INFO DistributedSearchResultCollectionManager - Default search group:*
09-25-2018 06:17:18.585 INFO DistributedSearchResultCollectionManager - Connecting to peer DR-IX-1 connectAll 0 connectToSpecificPeer 1
09-25-2018 06:17:18.585 INFO DistributedSearchResultCollectionManager - Connecting to peer DR-IX-2 connectAll 0 connectToSpecificPeer 1
09-25-2018 06:17:18.585 INFO DistributedSearchResultCollectionManager - Connecting to peer NFT-IX-1 connectAll 0 connectToSpecificPeer 1
09-25-2018 06:17:18.585 INFO DistributedSearchResultCollectionManager - Connecting to peer NFT-IX-2 connectAll 0 connectToSpecificPeer 1
09-25-2018 06:17:18.585 INFO DistributedSearchResultCollectionManager - Connecting to peer PROD-IX-1 connectAll 0 connectToSpecificPeer 1
09-25-2018 06:17:18.585 INFO DistributedSearchResultCollectionManager - Connecting to peer PROD-IX-2 connectAll 0 connectToSpecificPeer 1
09-25-2018 06:17:18.585 INFO DistributedSearchResultCollectionManager - Connecting to peer PROD-SH-1 connectAll 0 connectToSpecificPeer 1
09-25-2018 06:17:18.586 INFO ServerConfig - Using REMOTE_SERVER_NAME=57E9834B-43B4-41D0-A3BD-042A352C4C79
09-25-2018 06:17:18.587 INFO KeyManagerLocalhost - Checking for localhost key pair
09-25-2018 06:17:18.587 INFO KeyManagerLocalhost - Public key already exists: /opt/splunk/etc/auth/distServerKeys/trusted.pem
09-25-2018 06:17:18.587 INFO KeyManagerLocalhost - Reading public key for localhost: /opt/splunk/etc/auth/distServerKeys/trusted.pem
09-25-2018 06:17:18.587 INFO KeyManagerLocalhost - Finished reading public key for localhost: /opt/splunk/etc/auth/distServerKeys/trusted.pem
09-25-2018 06:17:18.587 INFO KeyManagerLocalhost - Reading private key for localhost: /opt/splunk/etc/auth/distServerKeys/private.pem
09-25-2018 06:17:18.587 INFO KeyManagerLocalhost - Finished reading private key for localhost: /opt/splunk/etc/auth/distServerKeys/private.pem
09-25-2018 06:17:18.588 INFO DistributedSearchResultCollectionManager - Successfully created search result collector for peer=DR-IX-1 in 0.003 seconds
09-25-2018 06:17:18.590 INFO DistributedSearchResultCollectionManager - Successfully created search result collector for peer=DR-IX-2 in 0.003 seconds
09-25-2018 06:17:18.592 INFO DistributedSearchResultCollectionManager - Successfully created search result collector for peer=NFT-IX-1 in 0.003 seconds
09-25-2018 06:17:18.594 INFO DistributedSearchResultCollectionManager - Successfully created search result collector for peer=NFT-IX-2 in 0.003 seconds
09-25-2018 06:17:18.597 INFO DistributedSearchResultCollectionManager - Successfully created search result collector for peer=PROD-IX-1 in 0.003 seconds
09-25-2018 06:17:18.599 INFO DistributedSearchResultCollectionManager - Successfully created search result collector for peer=PROD-IX-2 in 0.003 seconds
09-25-2018 06:17:18.602 INFO UserManager - Setting user context: admin
09-25-2018 06:17:18.602 INFO UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.602 INFO UserManager - Setting user context: admin
09-25-2018 06:17:18.602 INFO UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.603 INFO UserManager - Setting user context: admin
09-25-2018 06:17:18.603 INFO UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.605 INFO UserManager - Setting user context: admin
09-25-2018 06:17:18.605 INFO UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.605 INFO DispatchThread - Disk quota = 10485760000
09-25-2018 06:17:18.606 INFO UserManager - Setting user context: admin
09-25-2018 06:17:18.606 INFO UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.608 INFO UserManager - Setting user context: admin
09-25-2018 06:17:18.608 INFO UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.608 INFO SearchParser - PARSING: tstats last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname prestats=true | addinfo type=count label=prereport_events | fields keepcolorder=t "Nmon_Config.AIX_Machine_SerialNumber" "Nmon_Config.hostname" "prestats_reserved
" "psrsvd_" | prestats dedup_splitvals=t distinct_count("Nmon_Config.hostname") last("Nmon_Config.AIX_Machine_SerialNumber") by "Nmon_Config.hostname"
09-25-2018 06:17:18.609 INFO TsidxStats - Using a chunk size of 10000000
09-25-2018 06:17:18.609 INFO TsidxStats - Initial expanded filtering search: '( nodename=Nmon_Config )'
09-25-2018 06:17:18.609 INFO TsidxStats - Using summaryid="57E9834B-43B4-41D0-A3BD-042A352C4C79_DM_nmon_NMON_Config"
09-25-2018 06:17:18.609 INFO SearchParser - PARSING: search (index=* OR index=) (eventtype=nmon:config) | eval nodename = "Nmon_Config"| rex field=_raw "(?i),host,(?P.+)" max_match=1 | rex field=_raw "(?i),version,(?P.+)" max_match=1 | rex field=_raw "(?i),command,(?P.+)" max_match=1 | rex field=_raw "(?i),OS,(?P[^,]+)" max_match=1 | rex field=_raw "AAA,cpus,(?P\d+)" max_match=1 | rex field=_raw "AAA,cpus,\d+,(?P\d+)" max_match=1 | rex field=_raw "AAA,AIX,(?P.+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Online\sVirtual\sCPUs\s+\:\s(?P\d+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,online\sMemory,(?P\d+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"\s+Total\sPaging\sSpace:\s(?P\d+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sImplementation\sMode:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sClock\sSpeed:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"CPU\sType:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Kernel\sType:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Platform\sFirmware\slevel:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Machine\sSerial\sNumber:\s(?P.+)\\"" max_match=1 | rex field=_raw "AAA,SerialNumber,(?P\w+)" max_match=1 | eval AIX_Machine_SerialNumber=if(isnotnull(AIX_std_Machine_SerialNumber), AIX_std_Machine_SerialNumber, AIX_alt_Machine_SerialNumber) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Shared\sPool\sID\s+\:\s(?P.+)\\"" max_match=1 | eval AIX_PoolID=if(AIX_extracted_PoolID=="-","N/A" ,AIX_extracted_PoolID) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Maximum\sPhysical\sCPUs\sin\ssystem\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Active\sPhysical\sCPUs\sin\ssystem\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Active\sCPUs\sin\sPool\s+\:\s(?P.+)\\"" max_match=1 | eval AIX_PoolCPUs=if(AIX_extracted_PoolCPUs=="-","N/A" ,AIX_extracted_PoolCPUs) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Entitled\sCapacity\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sType:\s(?P.+\w)\\"" max_match=1 | eval cpu_cores_combo=(AIX_virtualcpus+" / "+cpu_cores_position2), AIX_logicalcores=if(isnotnull(cpu_cores_position2), cpu_cores_position2, cpu_cores_position1) | rex field=_raw "AAA,OS,Linux,(?P.+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+cpuinfo,.+model\sname.+:\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.+etc+.release,\\"(?!LSB_VERSION|DISTRIB|NAME|ID|VERSION)(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsb_release,\\"Description:\s(?.+)\\"" max_match=1 | eval Linux_distribution=if(isnotnull(Linux_lsb_distribution), Linux_lsb_distribution, Linux_release_distribution) | rex field=_raw "BBB.+,[0-9].+,lsb_release,\\"Distributor\s*ID:\s*(?.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsb_release,\\"Release:\s*(?.+)\\"" max_match=1 | eval Linux_vendor=if(isnotnull(Linux_lsb_distibutorid), Linux_lsb_distibutorid, "Undeterminated") | rex field=_raw "BBB.+,[0-9].+,lsb\_release,\\"Release:\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.proc.meminfo,\\"MemTotal:\s+(?P\d+)" max_match=1 | eval Linux_memory_MB=round(Linux_memory_kB/1024,0) | rex field=_raw "BBB.+,[0-9].+,.proc.meminfo,\\"SwapTotal:\s+(?P\d+)" max_match=1 | eval Linux_swap_MB=round(Linux_swap_kB/1024,0) | rex field=_raw "AAA,OS,Linux,(?P\d+.\d+).+,#" max_match=1 | rex field=_raw "AAA,OS,Linux,(?P.+),#" max_match=1 | rex field=_raw "AAA,OS,Linux,(?P.+)" max_match=1 | rex field=_raw "AAA,OS,Solaris,(?P.+)" max_match=1 | rex field=_raw "AAA,OS,Solaris,.+,(?P.+),.+,.+" max_match=1 | rex field=_raw "AAA,OS,Solaris,(?P.+),.+,.+,.+" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.+etc+.release,\\"\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+psrinfo\s\-pv,\\"\s+(?P.+)\s*\(.+\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+psrinfo\s\-pv,.+clock\s(?P.+)\)\\"" max_match=1 | eval OStype=case(OS == "Linux", "Linux", OS == "Solaris", "Solaris", isnotnull(AIX_LEVEL), "AIX", isnull(OS), "Unknown"), OS_Level=case(isnotnull(AIX_LEVEL), AIX_LEVEL, isnotnull(Solaris_version), Solaris_version, isnotnull(Linux_distribution), Linux_distribution), cpu_cores=if(isnotnull(AIX_virtualcpus), cpu_cores_combo, cpu_cores_position1), Processor=case(isnotnull(AIX_processor), AIX_processor, isnotnull(Solaris_processor), Solaris_processor, isnotnull(Linux_processor), Linux_processor) | rename uptime AS Nmon_Config.uptime hostname AS Nmon_Config.hostname nmon_version AS Nmon_Config.nmon_version nmon_command AS Nmon_Config.nmon_command OS AS Nmon_Config.OS cpu_cores_position1 AS Nmon_Config.cpu_cores_position1 cpu_cores_position2 AS Nmon_Config.cpu_cores_position2 AIX_LEVEL AS Nmon_Config.AIX_LEVEL AIX_virtualcpus AS Nmon_Config.AIX_virtualcpus AIX_memory_MB AS Nmon_Config.AIX_memory_MB AIX_pagingspace_MB AS Nmon_Config.AIX_pagingspace_MB AIX_processor_mode AS Nmon_Config.AIX_processor_mode AIX_processor_clockspeed AS Nmon_Config.AIX_processor_clockspeed AIX_cpu_type AS Nmon_Config.AIX_cpu_type AIX_kernel_type AS Nmon_Config.AIX_kernel_type AIX_plateform_firmware_level AS Nmon_Config.AIX_plateform_firmware_level AIX_std_Machine_SerialNumber AS Nmon_Config.AIX_std_Machine_SerialNumber AIX_alt_Machine_SerialNumber AS Nmon_Config.AIX_alt_Machine_SerialNumber AIX_Machine_SerialNumber AS Nmon_Config.AIX_Machine_SerialNumber AIX_extracted_PoolID AS Nmon_Config.AIX_extracted_PoolID AIX_PoolID AS Nmon_Config.AIX_PoolID AIX_system_installed_CPUs AS Nmon_Config.AIX_system_installed_CPUs AIX_system_active_CPUs AS Nmon_Config.AIX_system_active_CPUs AIX_extracted_PoolCPUs AS Nmon_Config.AIX_extracted_PoolCPUs AIX_PoolCPUs AS Nmon_Config.AIX_PoolCPUs AIX_entitled AS Nmon_Config.AIX_entitled AIX_processor AS Nmon_Config.AIX_processor cpu_cores_combo AS Nmon_Config.cpu_cores_combo AIX_logicalcores AS Nmon_Config.AIX_logicalcores Linux_LEVEL AS Nmon_Config.Linux_LEVEL Linux_processor AS Nmon_Config.Linux_processor Linux_release_distribution AS Nmon_Config.Linux_release_distribution Linux_lsb_distribution AS Nmon_Config.Linux_lsb_distribution Linux_distribution AS Nmon_Config.Linux_distribution Linux_lsb_distibutorid AS Nmon_Config.Linux_lsb_distibutorid Linux_lsb_releaseid AS Nmon_Config.Linux_lsb_releaseid Linux_vendor AS Nmon_Config.Linux_vendor Linux_version AS Nmon_Config.Linux_version Linux_memory_kB AS Nmon_Config.Linux_memory_kB Linux_memory_MB AS Nmon_Config.Linux_memory_MB Linux_swap_kB AS Nmon_Config.Linux_swap_kB Linux_swap_MB AS Nmon_Config.Linux_swap_MB Linux_kernelversion AS Nmon_Config.Linux_kernelversion Linux_kernel AS Nmon_Config.Linux_kernel Linux_fullkernel AS Nmon_Config.Linux_fullkernel Solaris_LEVEL AS Nmon_Config.Solaris_LEVEL Solaris_kernel AS Nmon_Config.Solaris_kernel Solaris_sunOS_version AS Nmon_Config.Solaris_sunOS_version Solaris_version AS Nmon_Config.Solaris_version Solaris_processor AS Nmon_Config.Solaris_processor Solaris_processor_clockspeed AS Nmon_Config.Solaris_processor_clockspeed OStype AS Nmon_Config.OStype OS_Level AS Nmon_Config.OS_Level cpu_cores AS Nmon_Config.cpu_cores Processor AS Nmon_Config.Processor | search ( nodename=Nmon_Config )
09-25-2018 06:17:18.610 INFO UnifiedSearch - Processed search targeting arguments
09-25-2018 06:17:18.637 INFO UnifiedSearch - Processed search targeting arguments
09-25-2018 06:17:18.638 INFO DispatchThread - SrchOptMetrics optimize_toJson=29
09-25-2018 06:17:18.639 INFO ProjElim - Black listed processors=[addinfo]
09-25-2018 06:17:18.639 INFO PredicatePushOptimizer - searchcannot be pushed through eval. Reason='nodename' is modified (Ref:'nodename')
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_LEVEL will be rewritten to Field=AIX_LEVEL
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_Machine_SerialNumber will be rewritten to Field=AIX_Machine_SerialNumber
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_PoolCPUs will be rewritten to Field=AIX_PoolCPUs
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_PoolID will be rewritten to Field=AIX_PoolID
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_alt_Machine_SerialNumber will be rewritten to Field=AIX_alt_Machine_SerialNumber
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_cpu_type will be rewritten to Field=AIX_cpu_type
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_entitled will be rewritten to Field=AIX_entitled
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_extracted_PoolCPUs will be rewritten to Field=AIX_extracted_PoolCPUs
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_extracted_PoolID will be rewritten to Field=AIX_extracted_PoolID
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_kernel_type will be rewritten to Field=AIX_kernel_type
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_logicalcores will be rewritten to Field=AIX_logicalcores
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_memory_MB will be rewritten to Field=AIX_memory_MB
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_pagingspace_MB will be rewritten to Field=AIX_pagingspace_MB
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_plateform_firmware_level will be rewritten to Field=AIX_plateform_firmware_level
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_processor will be rewritten to Field=AIX_processor
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_processor_clockspeed will be rewritten to Field=AIX_processor_clockspeed
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_processor_mode will be rewritten to Field=AIX_processor_mode
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_std_Machine_SerialNumber will be rewritten to Field=AIX_std_Machine_SerialNumber
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_system_active_CPUs will be rewritten to Field=AIX_system_active_CPUs
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_system_installed_CPUs will be rewritten to Field=AIX_system_installed_CPUs
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_virtualcpus will be rewritten to Field=AIX_virtualcpus
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_LEVEL will be rewritten to Field=Linux_LEVEL
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_distribution will be rewritten to Field=Linux_distribution
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_fullkernel will be rewritten to Field=Linux_fullkernel
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_kernel will be rewritten to Field=Linux_kernel
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_kernelversion will be rewritten to Field=Linux_kernelversion
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_lsb_distibutorid will be rewritten to Field=Linux_lsb_distibutorid
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_lsb_distribution will be rewritten to Field=Linux_lsb_distribution
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_lsb_releaseid will be rewritten to Field=Linux_lsb_releaseid
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_memory_MB will be rewritten to Field=Linux_memory_MB
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_memory_kB will be rewritten to Field=Linux_memory_kB
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_processor will be rewritten to Field=Linux_processor
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_release_distribution will be rewritten to Field=Linux_release_distribution
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_swap_MB will be rewritten to Field=Linux_swap_MB
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_swap_kB will be rewritten to Field=Linux_swap_kB
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_vendor will be rewritten to Field=Linux_vendor
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_version will be rewritten to Field=Linux_version
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.OS will be rewritten to Field=OS
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.OS_Level will be rewritten to Field=OS_Level
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.OStype will be rewritten to Field=OStype
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Processor will be rewritten to Field=Processor
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Solaris_LEVEL will be rewritten to Field=Solaris_LEVEL
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Solaris_kernel will be rewritten to Field=Solaris_kernel
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Solaris_processor will be rewritten to Field=Solaris_processor
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Solaris_processor_clockspeed will be rewritten to Field=Solaris_processor_clockspeed
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Solaris_sunOS_version will be rewritten to Field=Solaris_sunOS_version
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Solaris_version will be rewritten to Field=Solaris_version
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.cpu_cores will be rewritten to Field=cpu_cores
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.cpu_cores_combo will be rewritten to Field=cpu_cores_combo
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.cpu_cores_position1 will be rewritten to Field=cpu_cores_position1
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.cpu_cores_position2 will be rewritten to Field=cpu_cores_position2
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.hostname will be rewritten to Field=hostname
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.nmon_command will be rewritten to Field=nmon_command
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.nmon_version will be rewritten to Field=nmon_version
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.uptime will be rewritten to Field=uptime
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_LEVEL will be rewritten to Field=AIX_LEVEL
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_Machine_SerialNumber will be rewritten to Field=AIX_Machine_SerialNumber
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_PoolCPUs will be rewritten to Field=AIX_PoolCPUs
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_PoolID will be rewritten to Field=AIX_PoolID
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_alt_Machine_SerialNumber will be rewritten to Field=AIX_alt_Machine_SerialNumber
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_cpu_type will be rewritten to Field=AIX_cpu_type
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_entitled will be rewritten to Field=AIX_entitled
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_extracted_PoolCPUs will be rewritten to Field=AIX_extracted_PoolCPUs
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_extracted_PoolID will be rewritten to Field=AIX_extracted_PoolID
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_kernel_type will be rewritten to Field=AIX_kernel_type
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_logicalcores will be rewritten to Field=AIX_logicalcores
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_memory_MB will be rewritten to Field=AIX_memory_MB
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_pagingspace_MB will be rewritten to Field=AIX_pagingspace_MB
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_plateform_firmware_level will be rewritten to Field=AIX_plateform_firmware_level
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_processor will be rewritten to Field=AIX_processor
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_processor_clockspeed will be rewritten to Field=AIX_processor_clockspeed
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_processor_mode will be rewritten to Field=AIX_processor_mode
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_std_Machine_SerialNumber will be rewritten to Field=AIX_std_Machine_SerialNumber
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_system_active_CPUs will be rewritten to Field=AIX_system_active_CPUs
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_system_installed_CPUs will be rewritten to Field=AIX_system_installed_CPUs
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.AIX_virtualcpus will be rewritten to Field=AIX_virtualcpus
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_LEVEL will be rewritten to Field=Linux_LEVEL
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_distribution will be rewritten to Field=Linux_distribution
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_fullkernel will be rewritten to Field=Linux_fullkernel
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_kernel will be rewritten to Field=Linux_kernel
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_kernelversion will be rewritten to Field=Linux_kernelversion
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_lsb_distibutorid will be rewritten to Field=Linux_lsb_distibutorid
09-25-2018 06:17:18.639 INFO AstVisitorFactory - Field=Nmon_Config.Linux_lsb_distribution will be rewritten to Field=Linux_lsb_distribution
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.Linux_lsb_releaseid will be rewritten to Field=Linux_lsb_releaseid
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.Linux_memory_MB will be rewritten to Field=Linux_memory_MB
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.Linux_memory_kB will be rewritten to Field=Linux_memory_kB
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.Linux_processor will be rewritten to Field=Linux_processor
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.Linux_release_distribution will be rewritten to Field=Linux_release_distribution
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.Linux_swap_MB will be rewritten to Field=Linux_swap_MB
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.Linux_swap_kB will be rewritten to Field=Linux_swap_kB
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.Linux_vendor will be rewritten to Field=Linux_vendor
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.Linux_version will be rewritten to Field=Linux_version
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.OS will be rewritten to Field=OS
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.OS_Level will be rewritten to Field=OS_Level
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.OStype will be rewritten to Field=OStype
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.Processor will be rewritten to Field=Processor
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.Solaris_LEVEL will be rewritten to Field=Solaris_LEVEL
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.Solaris_kernel will be rewritten to Field=Solaris_kernel
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.Solaris_processor will be rewritten to Field=Solaris_processor
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.Solaris_processor_clockspeed will be rewritten to Field=Solaris_processor_clockspeed
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.Solaris_sunOS_version will be rewritten to Field=Solaris_sunOS_version
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.Solaris_version will be rewritten to Field=Solaris_version
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.cpu_cores will be rewritten to Field=cpu_cores
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.cpu_cores_combo will be rewritten to Field=cpu_cores_combo
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.cpu_cores_position1 will be rewritten to Field=cpu_cores_position1
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.cpu_cores_position2 will be rewritten to Field=cpu_cores_position2
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.hostname will be rewritten to Field=hostname
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.nmon_command will be rewritten to Field=nmon_command
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.nmon_version will be rewritten to Field=nmon_version
09-25-2018 06:17:18.640 INFO AstVisitorFactory - Field=Nmon_Config.uptime will be rewritten to Field=uptime
09-25-2018 06:17:18.640 INFO DispatchThread - SrchOptMetrics optimization=3
09-25-2018 06:17:18.640 INFO SearchPipeline - Command='search' doesnt have raw field
09-25-2018 06:17:18.642 INFO SearchPipeline - Command='eval' doesnt have raw field
09-25-2018 06:17:18.642 INFO SearchPipeline - Command='search' doesnt have raw field
09-25-2018 06:17:18.642 INFO SearchPipeline - Command='eval' doesnt have raw field
09-25-2018 06:17:18.642 INFO SearchPipeline - Command='eval' doesnt have raw field
09-25-2018 06:17:18.642 INFO SearchPipeline - Command='eval' doesnt have raw field
09-25-2018 06:17:18.642 INFO SearchPipeline - Command='eval' doesnt have raw field
09-25-2018 06:17:18.642 INFO SearchPipeline - Command='eval' doesnt have raw field
09-25-2018 06:17:18.642 INFO SearchPipeline - Command='eval' doesnt have raw field
09-25-2018 06:17:18.642 INFO SearchPipeline - Command='eval' doesnt have raw field
09-25-2018 06:17:18.642 INFO SearchPipeline - Command='eval' doesnt have raw field
09-25-2018 06:17:18.642 INFO SearchPipeline - Command='eval' doesnt have raw field
09-25-2018 06:17:18.642 INFO SearchPipeline - Command='rename' doesnt have raw field
09-25-2018 06:17:18.642 INFO DispatchThread - Optimized Search = | search (eventtype=nmon:config (index=* OR index=
)) | eval nodename="Nmon_Config"| search nodename=Nmon_Config | rex field=_raw "(?i),host,(?P.+)" max_match=1 | rex field=_raw "(?i),version,(?P.+)" max_match=1 | rex field=_raw "(?i),command,(?P.+)" max_match=1 | rex field=_raw "(?i),OS,(?P[^,]+)" max_match=1 | rex field=_raw "AAA,cpus,(?P\d+)" max_match=1 | rex field=_raw "AAA,cpus,\d+,(?P\d+)" max_match=1 | rex field=_raw "AAA,AIX,(?P.+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Online\sVirtual\sCPUs\s+\:\s(?P\d+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,online\sMemory,(?P\d+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"\s+Total\sPaging\sSpace:\s(?P\d+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sImplementation\sMode:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sClock\sSpeed:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"CPU\sType:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Kernel\sType:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Platform\sFirmware\slevel:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Machine\sSerial\sNumber:\s(?P.+)\\"" max_match=1 | rex field=_raw "AAA,SerialNumber,(?P\w+)" max_match=1 | eval AIX_Machine_SerialNumber=if(isnotnull(AIX_std_Machine_SerialNumber),AIX_std_Machine_SerialNumber,AIX_alt_Machine_SerialNumber) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Shared\sPool\sID\s+\:\s(?P.+)\\"" max_match=1 | eval AIX_PoolID=if((AIX_extracted_PoolID == "-"),"N/A",AIX_extracted_PoolID) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Maximum\sPhysical\sCPUs\sin\ssystem\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Active\sPhysical\sCPUs\sin\ssystem\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Active\sCPUs\sin\sPool\s+\:\s(?P.+)\\"" max_match=1 | eval AIX_PoolCPUs=if((AIX_extracted_PoolCPUs == "-"),"N/A",AIX_extracted_PoolCPUs) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Entitled\sCapacity\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sType:\s(?P.+\w)\\"" max_match=1 | eval cpu_cores_combo=((AIX_virtualcpus + " / ") + cpu_cores_position2), AIX_logicalcores=if(isnotnull(cpu_cores_position2),cpu_cores_position2,cpu_cores_position1) | rex field=_raw "AAA,OS,Linux,(?P.+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+cpuinfo,.+model\sname.+:\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.+etc+.release,\\"(?!LSB_VERSION|DISTRIB|NAME|ID|VERSION)(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsb_release,\\"Description:\s(?.+)\\"" max_match=1 | eval Linux_distribution=if(isnotnull(Linux_lsb_distribution),Linux_lsb_distribution,Linux_release_distribution) | rex field=raw "BBB.+,[0-9].+,lsb_release,\\"Distributor\s*ID:\s*(?.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsb_release,\\"Release:\s*(?.+)\\"" max_match=1 | eval Linux_vendor=if(isnotnull(Linux_lsb_distibutorid),Linux_lsb_distibutorid,"Undeterminated") | rex field=_raw "BBB.+,[0-9].+,lsb\_release,\\"Release:\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.proc.meminfo,\\"MemTotal:\s+(?P\d+)" max_match=1 | eval Linux_memory_MB=round((Linux_memory_kB / 1024),0) | rex field=_raw "BBB.+,[0-9].+,.proc.meminfo,\\"SwapTotal:\s+(?P\d+)" max_match=1 | eval Linux_swap_MB=round((Linux_swap_kB / 1024),0) | rex field=_raw "AAA,OS,Linux,(?P\d+.\d+).+,#" max_match=1 | rex field=_raw "AAA,OS,Linux,(?P.+),#" max_match=1 | rex field=_raw "AAA,OS,Linux,(?P.+)" max_match=1 | rex field=_raw "AAA,OS,Solaris,(?P.+)" max_match=1 | rex field=_raw "AAA,OS,Solaris,.+,(?P.+),.+,.+" max_match=1 | rex field=_raw "AAA,OS,Solaris,(?P.+),.+,.+,.+" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.+etc+.release,\\"\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+psrinfo\s\-pv,\\"\s+(?P.+)\s*\(.+\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+psrinfo\s\-pv,.+clock\s(?P.+)\)\\"" max_match=1 | eval OStype=case((OS == "Linux"),"Linux",(OS == "Solaris"),"Solaris",isnotnull(AIX_LEVEL),"AIX",isnull(OS),"Unknown"), OS_Level=case(isnotnull(AIX_LEVEL),AIX_LEVEL,isnotnull(Solaris_version),Solaris_version,isnotnull(Linux_distribution),Linux_distribution), cpu_cores=if(isnotnull(AIX_virtualcpus),cpu_cores_combo,cpu_cores_position1), Processor=case(isnotnull(AIX_processor),AIX_processor,isnotnull(Solaris_processor),Solaris_processor,isnotnull(Linux_processor),Linux_processor) | rename AIX_LEVEL as "Nmon_Config.AIX_LEVEL", AIX_Machine_SerialNumber as "Nmon_Config.AIX_Machine_SerialNumber", AIX_PoolCPUs as "Nmon_Config.AIX_PoolCPUs", AIX_PoolID as "Nmon_Config.AIX_PoolID", AIX_alt_Machine_SerialNumber as "Nmon_Config.AIX_alt_Machine_SerialNumber", AIX_cpu_type as "Nmon_Config.AIX_cpu_type", AIX_entitled as "Nmon_Config.AIX_entitled", AIX_extracted_PoolCPUs as "Nmon_Config.AIX_extracted_PoolCPUs", AIX_extracted_PoolID as "Nmon_Config.AIX_extracted_PoolID", AIX_kernel_type as "Nmon_Config.AIX_kernel_type", AIX_logicalcores as "Nmon_Config.AIX_logicalcores", AIX_memory_MB as "Nmon_Config.AIX_memory_MB", AIX_pagingspace_MB as "Nmon_Config.AIX_pagingspace_MB", AIX_plateform_firmware_level as "Nmon_Config.AIX_plateform_firmware_level", AIX_processor as "Nmon_Config.AIX_processor", AIX_processor_clockspeed as "Nmon_Config.AIX_processor_clockspeed", AIX_processor_mode as "Nmon_Config.AIX_processor_mode", AIX_std_Machine_SerialNumber as "Nmon_Config.AIX_std_Machine_SerialNumber", AIX_system_active_CPUs as "Nmon_Config.AIX_system_active_CPUs", AIX_system_installed_CPUs as "Nmon_Config.AIX_system_installed_CPUs", AIX_virtualcpus as "Nmon_Config.AIX_virtualcpus", Linux_LEVEL as "Nmon_Config.Linux_LEVEL", Linux_distribution as "Nmon_Config.Linux_distribution", Linux_fullkernel as "Nmon_Config.Linux_fullkernel", Linux_kernel as "Nmon_Config.Linux_kernel", Linux_kernelversion as "Nmon_Config.Linux_kernelversion", Linux_lsb_distibutorid as "Nmon_Config.Linux_lsb_distibutorid", Linux_lsb_distribution as "Nmon_Config.Linux_lsb_distribution", Linux_lsb_releaseid as "Nmon_Config.Linux_lsb_releaseid", Linux_memory_MB as "Nmon_Config.Linux_memory_MB", Linux_memory_kB as "Nmon_Config.Linux_memory_kB", Linux_processor as "Nmon_Config.Linux_processor", Linux_release_distribution as "Nmon_Config.Linux_release_distribution", Linux_swap_MB as "Nmon_Config.Linux_swap_MB", Linux_swap_kB as "Nmon_Config.Linux_swap_kB", Linux_vendor as "Nmon_Config.Linux_vendor", Linux_version as "Nmon_Config.Linux_version", OS as "Nmon_Config.OS", OS_Level as "Nmon_Config.OS_Level", OStype as "Nmon_Config.OStype", Processor as "Nmon_Config.Processor", Solaris_LEVEL as "Nmon_Config.Solaris_LEVEL", Solaris_kernel as "Nmon_Config.Solaris_kernel", Solaris_processor as "Nmon_Config.Solaris_processor", Solaris_processor_clockspeed as "Nmon_Config.Solaris_processor_clockspeed", Solaris_sunOS_version as "Nmon_Config.Solaris_sunOS_version", Solaris_version as "Nmon_Config.Solaris_version", cpu_cores as "Nmon_Config.cpu_cores", cpu_cores_combo as "Nmon_Config.cpu_cores_combo", cpu_cores_position1 as "Nmon_Config.cpu_cores_position1", cpu_cores_position2 as "Nmon_Config.cpu_cores_position2", hostname as "Nmon_Config.hostname", nmon_command as "Nmon_Config.nmon_command", nmon_version as "Nmon_Config.nmon_version", uptime as "Nmon_Config.uptime"
09-25-2018 06:17:18.642 INFO DispatchThread - SrchOptMetrics fromJsontoSpl=2
09-25-2018 06:17:18.643 INFO SearchParser - PARSING: | search (eventtype=nmon:config (index=* OR index=
)) | eval nodename="Nmon_Config"| search nodename=Nmon_Config | rex field=_raw "(?i),host,(?P.+)" max_match=1 | rex field=_raw "(?i),version,(?P.+)" max_match=1 | rex field=_raw "(?i),command,(?P.+)" max_match=1 | rex field=_raw "(?i),OS,(?P[^,]+)" max_match=1 | rex field=_raw "AAA,cpus,(?P\d+)" max_match=1 | rex field=_raw "AAA,cpus,\d+,(?P\d+)" max_match=1 | rex field=_raw "AAA,AIX,(?P.+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Online\sVirtual\sCPUs\s+\:\s(?P\d+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,online\sMemory,(?P\d+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"\s+Total\sPaging\sSpace:\s(?P\d+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sImplementation\sMode:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sClock\sSpeed:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"CPU\sType:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Kernel\sType:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Platform\sFirmware\slevel:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Machine\sSerial\sNumber:\s(?P.+)\\"" max_match=1 | rex field=_raw "AAA,SerialNumber,(?P\w+)" max_match=1 | eval AIX_Machine_SerialNumber=if(isnotnull(AIX_std_Machine_SerialNumber),AIX_std_Machine_SerialNumber,AIX_alt_Machine_SerialNumber) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Shared\sPool\sID\s+\:\s(?P.+)\\"" max_match=1 | eval AIX_PoolID=if((AIX_extracted_PoolID == "-"),"N/A",AIX_extracted_PoolID) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Maximum\sPhysical\sCPUs\sin\ssystem\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Active\sPhysical\sCPUs\sin\ssystem\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Active\sCPUs\sin\sPool\s+\:\s(?P.+)\\"" max_match=1 | eval AIX_PoolCPUs=if((AIX_extracted_PoolCPUs == "-"),"N/A",AIX_extracted_PoolCPUs) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Entitled\sCapacity\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sType:\s(?P.+\w)\\"" max_match=1 | eval cpu_cores_combo=((AIX_virtualcpus + " / ") + cpu_cores_position2), AIX_logicalcores=if(isnotnull(cpu_cores_position2),cpu_cores_position2,cpu_cores_position1) | rex field=_raw "AAA,OS,Linux,(?P.+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+cpuinfo,.+model\sname.+:\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.+etc+.release,\\"(?!LSB_VERSION|DISTRIB|NAME|ID|VERSION)(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsb_release,\\"Description:\s(?.+)\\"" max_match=1 | eval Linux_distribution=if(isnotnull(Linux_lsb_distribution),Linux_lsb_distribution,Linux_release_distribution) | rex field=raw "BBB.+,[0-9].+,lsb_release,\\"Distributor\s*ID:\s*(?.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsb_release,\\"Release:\s*(?.+)\\"" max_match=1 | eval Linux_vendor=if(isnotnull(Linux_lsb_distibutorid),Linux_lsb_distibutorid,"Undeterminated") | rex field=_raw "BBB.+,[0-9].+,lsb\_release,\\"Release:\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.proc.meminfo,\\"MemTotal:\s+(?P\d+)" max_match=1 | eval Linux_memory_MB=round((Linux_memory_kB / 1024),0) | rex field=_raw "BBB.+,[0-9].+,.proc.meminfo,\\"SwapTotal:\s+(?P\d+)" max_match=1 | eval Linux_swap_MB=round((Linux_swap_kB / 1024),0) | rex field=_raw "AAA,OS,Linux,(?P\d+.\d+).+,#" max_match=1 | rex field=_raw "AAA,OS,Linux,(?P.+),#" max_match=1 | rex field=_raw "AAA,OS,Linux,(?P.+)" max_match=1 | rex field=_raw "AAA,OS,Solaris,(?P.+)" max_match=1 | rex field=_raw "AAA,OS,Solaris,.+,(?P.+),.+,.+" max_match=1 | rex field=_raw "AAA,OS,Solaris,(?P.+),.+,.+,.+" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.+etc+.release,\\"\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+psrinfo\s\-pv,\\"\s+(?P.+)\s*\(.+\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+psrinfo\s\-pv,.+clock\s(?P.+)\)\\"" max_match=1 | eval OStype=case((OS == "Linux"),"Linux",(OS == "Solaris"),"Solaris",isnotnull(AIX_LEVEL),"AIX",isnull(OS),"Unknown"), OS_Level=case(isnotnull(AIX_LEVEL),AIX_LEVEL,isnotnull(Solaris_version),Solaris_version,isnotnull(Linux_distribution),Linux_distribution), cpu_cores=if(isnotnull(AIX_virtualcpus),cpu_cores_combo,cpu_cores_position1), Processor=case(isnotnull(AIX_processor),AIX_processor,isnotnull(Solaris_processor),Solaris_processor,isnotnull(Linux_processor),Linux_processor) | rename AIX_LEVEL as "Nmon_Config.AIX_LEVEL", AIX_Machine_SerialNumber as "Nmon_Config.AIX_Machine_SerialNumber", AIX_PoolCPUs as "Nmon_Config.AIX_PoolCPUs", AIX_PoolID as "Nmon_Config.AIX_PoolID", AIX_alt_Machine_SerialNumber as "Nmon_Config.AIX_alt_Machine_SerialNumber", AIX_cpu_type as "Nmon_Config.AIX_cpu_type", AIX_entitled as "Nmon_Config.AIX_entitled", AIX_extracted_PoolCPUs as "Nmon_Config.AIX_extracted_PoolCPUs", AIX_extracted_PoolID as "Nmon_Config.AIX_extracted_PoolID", AIX_kernel_type as "Nmon_Config.AIX_kernel_type", AIX_logicalcores as "Nmon_Config.AIX_logicalcores", AIX_memory_MB as "Nmon_Config.AIX_memory_MB", AIX_pagingspace_MB as "Nmon_Config.AIX_pagingspace_MB", AIX_plateform_firmware_level as "Nmon_Config.AIX_plateform_firmware_level", AIX_processor as "Nmon_Config.AIX_processor", AIX_processor_clockspeed as "Nmon_Config.AIX_processor_clockspeed", AIX_processor_mode as "Nmon_Config.AIX_processor_mode", AIX_std_Machine_SerialNumber as "Nmon_Config.AIX_std_Machine_SerialNumber", AIX_system_active_CPUs as "Nmon_Config.AIX_system_active_CPUs", AIX_system_installed_CPUs as "Nmon_Config.AIX_system_installed_CPUs", AIX_virtualcpus as "Nmon_Config.AIX_virtualcpus", Linux_LEVEL as "Nmon_Config.Linux_LEVEL", Linux_distribution as "Nmon_Config.Linux_distribution", Linux_fullkernel as "Nmon_Config.Linux_fullkernel", Linux_kernel as "Nmon_Config.Linux_kernel", Linux_kernelversion as "Nmon_Config.Linux_kernelversion", Linux_lsb_distibutorid as "Nmon_Config.Linux_lsb_distibutorid", Linux_lsb_distribution as "Nmon_Config.Linux_lsb_distribution", Linux_lsb_releaseid as "Nmon_Config.Linux_lsb_releaseid", Linux_memory_MB as "Nmon_Config.Linux_memory_MB", Linux_memory_kB as "Nmon_Config.Linux_memory_kB", Linux_processor as "Nmon_Config.Linux_processor", Linux_release_distribution as "Nmon_Config.Linux_release_distribution", Linux_swap_MB as "Nmon_Config.Linux_swap_MB", Linux_swap_kB as "Nmon_Config.Linux_swap_kB", Linux_vendor as "Nmon_Config.Linux_vendor", Linux_version as "Nmon_Config.Linux_version", OS as "Nmon_Config.OS", OS_Level as "Nmon_Config.OS_Level", OStype as "Nmon_Config.OStype", Processor as "Nmon_Config.Processor", Solaris_LEVEL as "Nmon_Config.Solaris_LEVEL", Solaris_kernel as "Nmon_Config.Solaris_kernel", Solaris_processor as "Nmon_Config.Solaris_processor", Solaris_processor_clockspeed as "Nmon_Config.Solaris_processor_clockspeed", Solaris_sunOS_version as "Nmon_Config.Solaris_sunOS_version", Solaris_version as "Nmon_Config.Solaris_version", cpu_cores as "Nmon_Config.cpu_cores", cpu_cores_combo as "Nmon_Config.cpu_cores_combo", cpu_cores_position1 as "Nmon_Config.cpu_cores_position1", cpu_cores_position2 as "Nmon_Config.cpu_cores_position2", hostname as "Nmon_Config.hostname", nmon_command as "Nmon_Config.nmon_command", nmon_version as "Nmon_Config.nmon_version", uptime as "Nmon_Config.uptime"
09-25-2018 06:17:18.662 INFO SearchProcessor - Building search filter
09-25-2018 06:17:18.693 INFO LookupOperator - Using wildcard matching for field 'host' in lookup table 'dropdownsLookup'
09-25-2018 06:17:18.693 INFO LookupOperator - Loading lookup table='dropdownsLookup', file size=2301, modtime=1537833607
09-25-2018 06:17:18.694 INFO LookupOperator - Loading lookup table='nix_endpoint_change_action_lookup', file size=186, modtime=1500632298
09-25-2018 06:17:18.694 INFO LookupOperator - Loading lookup table='nix_endpoint_change_fs_notification_object_category_lookup', file size=57, modtime=1500632298
09-25-2018 06:17:18.694 INFO LookupOperator - Loading lookup table='nix_action_lookup', file size=413, modtime=1500632298
09-25-2018 06:17:18.695 INFO LookupOperator - Loading lookup table='nmon_inventory', file size=0, modtime=1537855205
09-25-2018 06:17:18.695 INFO LookupOperator - Loading lookup table='ossec_action_lookup', file size=779, modtime=1500632289
09-25-2018 06:17:18.695 INFO LookupOperator - Loading lookup table='ossec_object_category_lookup', file size=217, modtime=1500632289
09-25-2018 06:17:18.695 INFO LookupOperator - Loading lookup table='ossec_severities_lookup', file size=180, modtime=1500632289
09-25-2018 06:17:18.696 INFO LookupOperator - Loading lookup table='rsa_securid_change_status_lookup', file size=54, modtime=1500632290
09-25-2018 06:17:18.696 INFO LookupOperator - Loading lookup table='rsa_securid_severity_lookup_lookup', file size=84, modtime=1500632290
09-25-2018 06:17:18.696 INFO LookupOperator - Loading lookup table='rsa_securid_actions_lookup', file size=137, modtime=1500632290
09-25-2018 06:17:18.698 INFO LookupOperator - Using wildcard matching for field 'category_id' in lookup table 'websense_categories_lookup'
09-25-2018 06:17:18.698 INFO LookupOperator - Loading lookup table='websense_categories_lookup', file size=6061, modtime=1500632291
09-25-2018 06:17:18.698 INFO LookupOperator - Loading lookup table='websense_action_lookup', file size=54, modtime=1500632291
09-25-2018 06:17:18.698 INFO LookupOperator - Using wildcard matching for field 'status' in lookup table 'websense_http_statuses_lookup'
09-25-2018 06:17:18.698 INFO LookupOperator - Loading lookup table='websense_http_statuses_lookup', file size=1355, modtime=1500632291
09-25-2018 06:17:18.699 INFO LookupOperator - Loading lookup table='websense_severity_lookup', file size=119, modtime=1500632291
09-25-2018 06:17:18.906 INFO UnifiedSearch - Expanded index search = (index=nmon sourcetype=nmon_config (index=* OR index=
))
09-25-2018 06:17:18.906 INFO UnifiedSearch - base lispy: [ AND index::nmon sourcetype::nmon_config [ OR index::
index::* ] ]
09-25-2018 06:17:18.908 INFO UserManager - Setting user context: admin
09-25-2018 06:17:18.908 INFO UserManager - Done setting user context: admin -> admin
09-25-2018 06:17:18.908 INFO FastSearchFilter - Finished initializing IndexScopedFilter - trivial=0, nTerms=0, oTerms=0, host=0, source=0, sourcetype=1, linecount=0 exactCustomCmp=0
09-25-2018 06:17:18.908 INFO UserManager - Unwound user context: admin -> admin
09-25-2018 06:17:18.908 INFO BatchSearch - Using Batch Search
09-25-2018 06:17:18.908 INFO BatchSearch - Clearing any DDM references
09-25-2018 06:17:18.908 INFO BatchSearch - index: nmon dbsize=0
09-25-2018 06:17:18.908 INFO UnifiedSearch - Initialization of search data structures took 3 ms
09-25-2018 06:17:18.909 INFO UnifiedSearch - Processed search targeting arguments
09-25-2018 06:17:18.909 INFO UnifiedSearch - Processed search targeting arguments
09-25-2018 06:17:18.910 INFO SearchParser - PARSING: litsearch (index=nmon sourcetype=nmon_config (index=* OR index=
)) | eval nodename="Nmon_Config" | search nodename=Nmon_Config | rex field=_raw "(?i),host,(?P.+)" max_match=1 | rex field=_raw "(?i),version,(?P.+)" max_match=1 | rex field=_raw "(?i),command,(?P.+)" max_match=1 | rex field=_raw "(?i),OS,(?P[^,]+)" max_match=1 | rex field=_raw "AAA,cpus,(?P\d+)" max_match=1 | rex field=_raw "AAA,cpus,\d+,(?P\d+)" max_match=1 | rex field=_raw "AAA,AIX,(?P.+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Online\sVirtual\sCPUs\s+\:\s(?P\d+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,online\sMemory,(?P\d+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"\s+Total\sPaging\sSpace:\s(?P\d+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sImplementation\sMode:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sClock\sSpeed:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"CPU\sType:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Kernel\sType:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Platform\sFirmware\slevel:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Machine\sSerial\sNumber:\s(?P.+)\\"" max_match=1 | rex field=_raw "AAA,SerialNumber,(?P\w+)" max_match=1 | eval AIX_Machine_SerialNumber=if(isnotnull(AIX_std_Machine_SerialNumber),AIX_std_Machine_SerialNumber,AIX_alt_Machine_SerialNumber) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Shared\sPool\sID\s+\:\s(?P.+)\\"" max_match=1 | eval AIX_PoolID=if((AIX_extracted_PoolID == "-"),"N/A",AIX_extracted_PoolID) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Maximum\sPhysical\sCPUs\sin\ssystem\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Active\sPhysical\sCPUs\sin\ssystem\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Active\sCPUs\sin\sPool\s+\:\s(?P.+)\\"" max_match=1 | eval AIX_PoolCPUs=if((AIX_extracted_PoolCPUs == "-"),"N/A",AIX_extracted_PoolCPUs) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Entitled\sCapacity\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sType:\s(?P.+\w)\\"" max_match=1 | eval cpu_cores_combo=((AIX_virtualcpus + " / ") + cpu_cores_position2), AIX_logicalcores=if(isnotnull(cpu_cores_position2),cpu_cores_position2,cpu_cores_position1) | rex field=_raw "AAA,OS,Linux,(?P.+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+cpuinfo,.+model\sname.+:\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.+etc+.release,\\"(?!LSB_VERSION|DISTRIB|NAME|ID|VERSION)(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsb_release,\\"Description:\s(?.+)\\"" max_match=1 | eval Linux_distribution=if(isnotnull(Linux_lsb_distribution),Linux_lsb_distribution,Linux_release_distribution) | rex field=raw "BBB.+,[0-9].+,lsb_release,\\"Distributor\s*ID:\s*(?.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsb_release,\\"Release:\s*(?.+)\\"" max_match=1 | eval Linux_vendor=if(isnotnull(Linux_lsb_distibutorid),Linux_lsb_distibutorid,"Undeterminated") | rex field=_raw "BBB.+,[0-9].+,lsb\_release,\\"Release:\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.proc.meminfo,\\"MemTotal:\s+(?P\d+)" max_match=1 | eval Linux_memory_MB=round((Linux_memory_kB / 1024),0) | rex field=_raw "BBB.+,[0-9].+,.proc.meminfo,\\"SwapTotal:\s+(?P\d+)" max_match=1 | eval Linux_swap_MB=round((Linux_swap_kB / 1024),0) | rex field=_raw "AAA,OS,Linux,(?P\d+.\d+).+,#" max_match=1 | rex field=_raw "AAA,OS,Linux,(?P.+),#" max_match=1 | rex field=_raw "AAA,OS,Linux,(?P.+)" max_match=1 | rex field=_raw "AAA,OS,Solaris,(?P.+)" max_match=1 | rex field=_raw "AAA,OS,Solaris,.+,(?P.+),.+,.+" max_match=1 | rex field=_raw "AAA,OS,Solaris,(?P.+),.+,.+,.+" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.+etc+.release,\\"\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+psrinfo\s\-pv,\\"\s+(?P.+)\s*\(.+\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+psrinfo\s\-pv,.+clock\s(?P.+)\)\\"" max_match=1 | eval OStype=case((OS == "Linux"),"Linux",(OS == "Solaris"),"Solaris",isnotnull(AIX_LEVEL),"AIX",isnull(OS),"Unknown"), OS_Level=case(isnotnull(AIX_LEVEL),AIX_LEVEL,isnotnull(Solaris_version),Solaris_version,isnotnull(Linux_distribution),Linux_distribution), cpu_cores=if(isnotnull(AIX_virtualcpus),cpu_cores_combo,cpu_cores_position1), Processor=case(isnotnull(AIX_processor),AIX_processor,isnotnull(Solaris_processor),Solaris_processor,isnotnull(Linux_processor),Linux_processor) | rename AIX_LEVEL as "Nmon_Config.AIX_LEVEL", AIX_Machine_SerialNumber as "Nmon_Config.AIX_Machine_SerialNumber", AIX_PoolCPUs as "Nmon_Config.AIX_PoolCPUs", AIX_PoolID as "Nmon_Config.AIX_PoolID", AIX_alt_Machine_SerialNumber as "Nmon_Config.AIX_alt_Machine_SerialNumber", AIX_cpu_type as "Nmon_Config.AIX_cpu_type", AIX_entitled as "Nmon_Config.AIX_entitled", AIX_extracted_PoolCPUs as "Nmon_Config.AIX_extracted_PoolCPUs", AIX_extracted_PoolID as "Nmon_Config.AIX_extracted_PoolID", AIX_kernel_type as "Nmon_Config.AIX_kernel_type", AIX_logicalcores as "Nmon_Config.AIX_logicalcores", AIX_memory_MB as "Nmon_Config.AIX_memory_MB", AIX_pagingspace_MB as "Nmon_Config.AIX_pagingspace_MB", AIX_plateform_firmware_level as "Nmon_Config.AIX_plateform_firmware_level", AIX_processor as "Nmon_Config.AIX_processor", AIX_processor_clockspeed as "Nmon_Config.AIX_processor_clockspeed", AIX_processor_mode as "Nmon_Config.AIX_processor_mode", AIX_std_Machine_SerialNumber as "Nmon_Config.AIX_std_Machine_SerialNumber", AIX_system_active_CPUs as "Nmon_Config.AIX_system_active_CPUs", AIX_system_installed_CPUs as "Nmon_Config.AIX_system_installed_CPUs", AIX_virtualcpus as "Nmon_Config.AIX_virtualcpus", Linux_LEVEL as "Nmon_Config.Linux_LEVEL", Linux_distribution as "Nmon_Config.Linux_distribution", Linux_fullkernel as "Nmon_Config.Linux_fullkernel", Linux_kernel as "Nmon_Config.Linux_kernel", Linux_kernelversion as "Nmon_Config.Linux_kernelversion", Linux_lsb_distibutorid as "Nmon_Config.Linux_lsb_distibutorid", Linux_lsb_distribution as "Nmon_Config.Linux_lsb_distribution", Linux_lsb_releaseid as "Nmon_Config.Linux_lsb_releaseid", Linux_memory_MB as "Nmon_Config.Linux_memory_MB", Linux_memory_kB as "Nmon_Config.Linux_memory_kB", Linux_processor as "Nmon_Config.Linux_processor", Linux_release_distribution as "Nmon_Config.Linux_release_distribution", Linux_swap_MB as "Nmon_Config.Linux_swap_MB", Linux_swap_kB as "Nmon_Config.Linux_swap_kB", Linux_vendor as "Nmon_Config.Linux_vendor", Linux_version as "Nmon_Config.Linux_version", OS as "Nmon_Config.OS", OS_Level as "Nmon_Config.OS_Level", OStype as "Nmon_Config.OStype", Processor as "Nmon_Config.Processor", Solaris_LEVEL as "Nmon_Config.Solaris_LEVEL", Solaris_kernel as "Nmon_Config.Solaris_kernel", Solaris_processor as "Nmon_Config.Solaris_processor", Solaris_processor_clockspeed as "Nmon_Config.Solaris_processor_clockspeed", Solaris_sunOS_version as "Nmon_Config.Solaris_sunOS_version", Solaris_version as "Nmon_Config.Solaris_version", cpu_cores as "Nmon_Config.cpu_cores", cpu_cores_combo as "Nmon_Config.cpu_cores_combo", cpu_cores_position1 as "Nmon_Config.cpu_cores_position1", cpu_cores_position2 as "Nmon_Config.cpu_cores_position2", hostname as "Nmon_Config.hostname", nmon_command as "Nmon_Config.nmon_command", nmon_version as "Nmon_Config.nmon_version", uptime as "Nmon_Config.uptime"
09-25-2018 06:17:18.929 INFO LookupOperator - Using wildcard matching for field 'host' in lookup table 'dropdownsLookup'
09-25-2018 06:17:18.929 INFO LookupOperator - Loading lookup table='dropdownsLookup', file size=2301, modtime=1537833607
09-25-2018 06:17:18.930 INFO LookupOperator - Loading lookup table='nix_endpoint_change_action_lookup', file size=186, modtime=1500632298
09-25-2018 06:17:18.930 INFO LookupOperator - Loading lookup table='nix_endpoint_change_fs_notification_object_category_lookup', file size=57, modtime=1500632298
09-25-2018 06:17:18.930 INFO LookupOperator - Loading lookup table='nix_action_lookup', file size=413, modtime=1500632298
09-25-2018 06:17:18.931 INFO LookupOperator - Loading lookup table='nmon_inventory', file size=0, modtime=1537855205
09-25-2018 06:17:18.931 INFO LookupOperator - Loading lookup table='ossec_action_lookup', file size=779, modtime=1500632289
09-25-2018 06:17:18.931 INFO LookupOperator - Loading lookup table='ossec_object_category_lookup', file size=217, modtime=1500632289
09-25-2018 06:17:18.931 INFO LookupOperator - Loading lookup table='ossec_severities_lookup', file size=180, modtime=1500632289
09-25-2018 06:17:18.932 INFO LookupOperator - Loading lookup table='rsa_securid_change_status_lookup', file size=54, modtime=1500632290
09-25-2018 06:17:18.932 INFO LookupOperator - Loading lookup table='rsa_securid_severity_lookup_lookup', file size=84, modtime=1500632290
09-25-2018 06:17:18.932 INFO LookupOperator - Loading lookup table='rsa_securid_actions_lookup', file size=137, modtime=1500632290
09-25-2018 06:17:18.934 INFO LookupOperator - Using wildcard matching for field 'category_id' in lookup table 'websense_categories_lookup'
09-25-2018 06:17:18.934 INFO LookupOperator - Loading lookup table='websense_categories_lookup', file size=6061, modtime=1500632291
09-25-2018 06:17:18.934 INFO LookupOperator - Loading lookup table='websense_action_lookup', file size=54, modtime=1500632291
09-25-2018 06:17:18.934 INFO LookupOperator - Using wildcard matching for field 'status' in lookup table 'websense_http_statuses_lookup'
09-25-2018 06:17:18.934 INFO LookupOperator - Loading lookup table='websense_http_statuses_lookup', file size=1355, modtime=1500632291
09-25-2018 06:17:18.935 INFO LookupOperator - Loading lookup table='websense_severity_lookup', file size=119, modtime=1500632291
09-25-2018 06:17:18.937 INFO SearchParser - PARSING: typer | tags
09-25-2018 06:17:18.962 INFO FastTyper - found nodes count: comparisons=100, unique_comparisons=61, terms=4, unique_terms=4, phrases=12, unique_phrases=12, total leaves=116
09-25-2018 06:17:18.970 INFO UserManager - Setting user context: admin
09-25-2018 06:17:18.970 INFO UserManager - Done setting user context: admin -> admin
09-25-2018 06:17:18.970 INFO FastSearchFilter - Finished initializing IndexScopedFilter - trivial=0, nTerms=0, oTerms=0, host=0, source=0, sourcetype=1, linecount=0 exactCustomCmp=0
09-25-2018 06:17:18.970 INFO UserManager - Unwound user context: admin -> admin
09-25-2018 06:17:18.970 INFO BatchSearch - Using Batch Search
09-25-2018 06:17:18.970 INFO BatchSearch - Clearing any DDM references
09-25-2018 06:17:18.970 INFO BatchSearch - index: nmon dbsize=0
09-25-2018 06:17:18.970 INFO UnifiedSearch - Initialization of search data structures took 34 ms
09-25-2018 06:17:18.970 INFO UnifiedSearch - Processed search targeting arguments
09-25-2018 06:17:18.970 INFO UnifiedSearch - Processed search targeting arguments
09-25-2018 06:17:18.972 INFO SortOperator - maxmem = 209715200
09-25-2018 06:17:18.972 INFO TsidxStats - Getting buckets for index=nmon
09-25-2018 06:17:18.972 INFO TsidxStats - Using lispy:[ AND nodename::nmon_config ] query_et=1537250400 query_lt=1537856237 info._startTime=1537250400.000000 info._endTime=1537856238.000000
09-25-2018 06:17:18.972 INFO TsidxStats - Sorting 0 buckets in time descending order
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='(?::){0}*_app_logs' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='(?i)source::....zip(.\d+)?' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='127.0.0.1' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='ActiveDirectory' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='New Text Document-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='PerformanceMonitor' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='Unix:UserAccounts' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='WinNetMonMk' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='WinPrintMon' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='WinRegistry' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='WinWinHostMon' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='
singleline' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='_json' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='access_combined' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='access_combined_wcookie' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='access_common' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_manager-7' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_manager-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_manager_controllers-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_manager_eventhandler-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_manager_incidentcontext-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_manager_notifications-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_manager_suppression_helper-2' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_manager_suppression_helper-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_metadata' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_results' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='anaconda' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='anaconda_syslog' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='apache_error' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='asterisk_cdr' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='asterisk_event' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='asterisk_messages' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='asterisk_queue' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='backup_file' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='batch_scripts' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='breakable_text' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='catalina' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='checksplunk' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='cisco:asa' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='cisco_cdr' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='cisco_syslog' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='clavister' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='collectd_http' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='csv' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='cups_access' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='cups_error' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='db2_diag' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='default' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='delayedrule::breakable_text' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='delayedrule::syslog' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='django_access' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='django_error' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='django_service' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='dmesg' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='exchange' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='exim_main' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='exim_reject' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='export_metrics-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='fileTrackerCrcLog' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='first_install-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='nix_endpoint_change_action_lookup' for conf='fs_notification' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='fs_notification' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='nix_endpoint_change_fs_notification_object_category_lookup' for conf='fs_notification' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='ftp' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='generic_single_line' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='http_event_collector_metrics' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='ignored_type' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='iis' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='incident_change' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='jenkins-14' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='json_no_timestamp' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='known_binary' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='kvstore' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='lastlog' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='linux_audit' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='linux_bootlog' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='linux_messages_syslog' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='nix_action_lookup' for conf='linux_secure' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='linux_secure' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='log4j' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='log4net_xml' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='log4php' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='manpage' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='metrics_csv' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='middleware_app_logs' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='midtier_app_logs' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='misc_text' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='mobile_access' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='mongod' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='mysql_slow' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='mysqld' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='mysqld_bin' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='mysqld_error' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon:fromsyslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon_clean:fromsyslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon_collect:fromsyslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon_config' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon_config:fromsyslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='nmon_inventory' for conf='nmon_data' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon_data' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon_data:fromsyslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon_processing' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon_processing:fromsyslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='novell_groupwise' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='openioc' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='oracletype' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='ossec_action_lookup' for conf='ossec' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='ossec' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='ossec_object_category_lookup' for conf='ossec' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='ossec_severities_lookup' for conf='ossec' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_asl' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_crash_log' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_crashreporter' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_daily' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_install' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_monthly' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='nix_action_lookup' for conf='osx_secure' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_secure' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_weekly' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_window_server' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='paladin-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='pdfgen-2' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='pdfgen-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='postfix_syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='preprocess-Z' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='preprocess-bzip' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='preprocess-gzip' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='preprocess-tar' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='preprocess-targz' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='preprocess-winevt' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='preprocess-zip' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='procmail' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='psv' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-10' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-11' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-12' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-13' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-2' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-3' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-4' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-5' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-6' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-7' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-8' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-9' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-10' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-2' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-3' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-4' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-5' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-6' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-7' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-8' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-9' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rpmpkgs' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='rsa_securid_change_status_lookup' for conf='rsa:securid:admin:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='rsa_securid_severity_lookup_lookup' for conf='rsa:securid:admin:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rsa:securid:admin:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='rsa_securid_actions_lookup' for conf='rsa:securid:runtime:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='rsa_securid_change_status_lookup' for conf='rsa:securid:runtime:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='rsa_securid_severity_lookup_lookup' for conf='rsa:securid:runtime:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rsa:securid:runtime:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rsa:securid:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='rsa_securid_severity_lookup_lookup' for conf='rsa:securid:system:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rsa:securid:system:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='ruby_on_rails' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rule::access_combined' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rule::access_combined_wcookie' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rule::access_common' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rule::exim_main' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rule::postfix_syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rule::sendmail_syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rule::snort' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='sar' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='scHeadlinesHandler-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='scheduler' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='searches' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='sendmail_syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='simontest' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='snort' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='source::(?:::){0}*invocationEvents.log' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='source::...((.(bak|old))|,v|~|#)' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='source::....(0t|a|ali|asa|au|bmp|cg|cgi|class|d|dat|deb|del|dot|dvi|dylib|elc|eps|exe|ftn|gif|hlp|hqx|hs|icns|ico|inc|iso|jame|jin|jpeg|jpg|kml|la|lhs|lib|lo|lock|mcp|mid|mp3|mpg|msf|nib|o|obj|odt|ogg|ook|opt|os|pal|pbm|pdf|pem|pgm|plo|png|po|pod|pp|ppd|ppm|ppt|prc|ps|psd|psym|pyc|pyd|rast|rb|rde|rdf|rdr|rgb|ro|rpm|rsrc|so|ss|stg|strings|tdt|tif|tiff|tk|uue|vhd|xbm|xlb|xls|xlw)' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='source::....(? NULL
09-25-2018 06:17:18.996 INFO UserManager - Setting user context: admin
09-25-2018 06:17:18.996 INFO UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.996 INFO UserManager - Unwound user context: admin -> NULL
09-25-2018 06:17:18.996 INFO UserManager - Unwound user context: admin -> NULL
09-25-2018 06:17:18.996 INFO UserManager - Unwound user context: admin -> NULL
09-25-2018 06:17:18.996 INFO UserManager - Unwound user context: admin -> NULL
09-25-2018 06:17:18.996 INFO UserManager - Unwound user context: admin -> NULL
09-25-2018 06:17:18.996 INFO UserManager - Unwound user context: admin -> NULL
09-25-2018 06:17:19.011 INFO UserManager - Unwound user context: admin -> NULL
09-25-2018 06:17:19.013 INFO UserManager - Setting user context: admin
09-25-2018 06:17:19.013 INFO UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:19.013 INFO UserManager - Unwound user context: admin -> NULL
09-25-2018 06:17:19.013 INFO DispatchManager - DispatchManager::dispatchHasFinished(id='admin
adminnmon_RMD50bf1c9c79bc13548_at_1537856238_13363_D23FC9B5-262E-422F-81CF-45B5F5C63769', username='admin')
09-25-2018 06:17:19.018 INFO UserManager - Unwound user context: admin -> NULL

Tags (1)
0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

hi @venkat_16

Did the answer below help solve your problem? If so, please resolve approving it.
If your problem is still not solved, keep us updated so that someone else can help ya.
Thanks!

0 Karma

neelamsantosh
Path Finder

Couple of stuff to make suref:
1. both Search head and Indexer are on same version
2. Bundles are the one which are used everytime you hit the search/submit.
reduce ur bundle size by avoiding unnecessary files/lookups.
3. Disk space, clean the old saved searches which are in pipeline from dispatch.
restart the splunk services.

0 Karma

493669
Super Champion

Check if all your splunk servers are at same version...i.e. check each Indexer,SH and HF splunk version is same.

0 Karma

Venkat_16
Contributor

Yes all the splunk servers are running at 7.0.0.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...