its a distributed search head. Please find the below search.log information:
09-25-2018 06:17:18.345 INFO  dispatchRunner - Search process mode: preforked (first search in process) (build c8a78efdd40f).
09-25-2018 06:17:18.346 INFO  dispatchRunner - initing LicenseMgr in search process: nonPro=0
09-25-2018 06:17:18.346 INFO  LicenseMgr - Initing LicenseMgr
09-25-2018 06:17:18.346 INFO  LMConfig - serverName=PROD-SH-1 guid=D23FC9B5-262E-422F-81CF-45B5F5C63769
09-25-2018 06:17:18.349 INFO  LMConfig - connection_timeout=30
09-25-2018 06:17:18.349 INFO  LMConfig - send_timeout=30
09-25-2018 06:17:18.349 INFO  LMConfig - receive_timeout=30
09-25-2018 06:17:18.349 INFO  LMConfig - squash_threshold=2000
09-25-2018 06:17:18.349 INFO  LMConfig - strict_pool_quota=1
09-25-2018 06:17:18.349 INFO  LMConfig - key=pool_suggestion not found in licenser stanza of server.conf, defaulting=''
09-25-2018 06:17:18.349 INFO  LMConfig - key=test_aws_metering not found in licenser stanza of server.conf, defaulting=0
09-25-2018 06:17:18.349 INFO  LMConfig - key=test_aws_product_code not found in licenser stanza of server.conf, defaulting=0
09-25-2018 06:17:18.349 INFO  LicenseMgr - Initing LicenseMgr runContext_splunkd=false
09-25-2018 06:17:18.349 INFO  LMStackMgr - closing stack mgr
09-25-2018 06:17:18.349 INFO  LMSlaveInfo - all slaves cleared
09-25-2018 06:17:18.349 INFO  LMStackMgr - partial init only since node has remote master=https://10.33.9.9:8089
09-25-2018 06:17:18.349 INFO  LicenseMgr - StackMgr init complete...
09-25-2018 06:17:18.349 INFO  LMTracker - Setting default product type='enterprise'
09-25-2018 06:17:18.349 INFO  LMTracker - this is not splunkd, will perform partial init
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=Acceleration state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=AdvancedSearchCommands state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=AdvancedXML state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=Alerting state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=ArchiveToHdfs state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=Auth state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=CustomRoles state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=DeployClient state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=DeployServer state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=DistSearch state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=FwdData state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=GuestPass state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=KVStore state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=LDAPAuth state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=LocalSearch state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=MultifactorAuth state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=MultisiteClustering state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=NontableLookups state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=RcvData state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=RcvSearch state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=RollingWindowAlerts state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=SAMLAuth state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=ScheduledAlerts state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=ScheduledReports state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.349 INFO  LMTracker - Setting feature=ScheduledSearch state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.350 INFO  LMTracker - Setting feature=ScriptedAuth state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.350 INFO  LMTracker - Setting feature=SearchheadPooling state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.350 INFO  LMTracker - Setting feature=SigningProcessor state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.350 INFO  LMTracker - Setting feature=SplunkWeb state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.350 INFO  LMTracker - Setting feature=SubgroupId state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.350 INFO  LMTracker - Setting feature=SyslogOutputProcessor state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.350 INFO  LMTracker - Setting feature=UnisiteClustering state=ENABLED (featureStatus=1)
09-25-2018 06:17:18.350 INFO  LicenseMgr - Tracker init complete...
09-25-2018 06:17:18.356 INFO  AdminManagerDispatch - added factory for admin handler: 'licenses'
09-25-2018 06:17:18.356 INFO  AdminManagerDispatch - added factory for admin handler: 'pools'
09-25-2018 06:17:18.356 INFO  AdminManagerDispatch - added factory for admin handler: 'stacks'
09-25-2018 06:17:18.356 INFO  AdminManagerDispatch - added factory for admin handler: 'groups'
09-25-2018 06:17:18.356 INFO  AdminManagerDispatch - added factory for admin handler: 'slaves'
09-25-2018 06:17:18.356 INFO  AdminManagerDispatch - added factory for admin handler: 'localslave'
09-25-2018 06:17:18.356 INFO  AdminManagerDispatch - added factory for admin handler: 'licensermessages'
09-25-2018 06:17:18.356 INFO  AdminManagerDispatch - added factory for admin handler: 'scriptedwarning'
09-25-2018 06:17:18.356 INFO  AdminManagerDispatch - added factory for admin handler: 'licenseusage'
09-25-2018 06:17:18.357 INFO  dispatchRunner - registering build time modules, count=1
09-25-2018 06:17:18.357 INFO  dispatchRunner - registering search time components of build time module name=vix
09-25-2018 06:17:18.357 INFO  dispatchRunner - Getting search configuration data from: /opt/splunk/etc/modules/parsing/config.xml
09-25-2018 06:17:18.360 INFO  BundlesSetup - Setup stats for /opt/splunk/etc: wallclock_elapsed_msec=48, cpu_time_used=0.046992, shared_services_generation=2, shared_services_population=1
09-25-2018 06:17:18.374 INFO  UserManagerPro - Load authentication: forcing roles="admin, alert_manager_user, export data role, power, user"
09-25-2018 06:17:18.378 INFO  SessionManager - auth tokens will be generated with shpooling shared secret
09-25-2018 06:17:18.378 INFO  UserManager - Setting user context: splunk-system-user
09-25-2018 06:17:18.378 INFO  UserManager - Done setting user context: NULL -> splunk-system-user
09-25-2018 06:17:18.380 INFO  UserManager - Unwound user context: splunk-system-user -> NULL
09-25-2018 06:17:18.380 INFO  UserManager - Setting user context: admin
09-25-2018 06:17:18.380 INFO  UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.380 INFO  dispatchRunner - search context: user="admin", app="nmon", bs-pathname="/opt/splunk/etc"
09-25-2018 06:17:18.386 WARN  IndexConfig - idx=telemetry Path homePath='/opt/splunk/var/lib/splunk/_telemetry/db' (realpath '/opt/splunk/var/lib/splunk/_telemetry/db') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume.  Space used by homePath will not be volume-mananged.  Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.386 WARN  IndexConfig - idx=_telemetry Path coldPath='/opt/splunk/var/lib/splunk/_telemetry/colddb' (realpath '/opt/splunk/var/lib/splunk/_telemetry/colddb') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume.  Space used by coldPath will not be volume-mananged.  Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.387 WARN  IndexConfig - idx=alerts Path homePath='/opt/splunk/var/lib/splunk/alerts/db' (realpath '/opt/splunk/var/lib/splunk/alerts/db') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume.  Space used by homePath will not be volume-mananged.  Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.387 WARN  IndexConfig - idx=alerts Path coldPath='/opt/splunk/var/lib/splunk/alerts/colddb' (realpath '/opt/splunk/var/lib/splunk/alerts/colddb') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume.  Space used by coldPath will not be volume-mananged.  Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.387 WARN  IndexConfig - idx=ioc Path homePath='/opt/splunk/var/lib/splunk/iocdb/db' (realpath '/opt/splunk/var/lib/splunk/iocdb/db') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume.  Space used by homePath will not be volume-mananged.  Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.387 WARN  IndexConfig - idx=ioc Path coldPath='/opt/splunk/var/lib/splunk/iocdb/colddb' (realpath '/opt/splunk/var/lib/splunk/iocdb/colddb') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume.  Space used by coldPath will not be volume-mananged.  Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.387 WARN  IndexConfig - Max bucket size is larger than the index size limit. Please check your index configuration. idx=main; bucket size in MB (from maxDataSize) 10240, maxDataSizeMB=1024
09-25-2018 06:17:18.387 WARN  IndexConfig - idx=nmon Path homePath='/opt/splunk/var/lib/splunk/nmon/db' (realpath '/opt/splunk/var/lib/splunk/nmon/db') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume.  Space used by homePath will not be volume-mananged.  Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.387 WARN  IndexConfig - idx=nmon Path coldPath='/opt/splunk/var/lib/splunk/nmon/colddb' (realpath '/opt/splunk/var/lib/splunk/nmon/colddb') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume.  Space used by coldPath will not be volume-mananged.  Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.388 WARN  IndexConfig - idx=threat_activity Path homePath='/opt/splunk/var/lib/splunk/threat_activitydb/db' (realpath '/opt/splunk/var/lib/splunk/threat_activitydb/db') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume.  Space used by homePath will not be volume-mananged.  Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.388 WARN  IndexConfig - idx=threat_activity Path coldPath='/opt/splunk/var/lib/splunk/threat_activitydb/colddb' (realpath '/opt/splunk/var/lib/splunk/threat_activitydb/colddb') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume.  Space used by coldPath will not be volume-mananged.  Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.388 WARN  IndexConfig - idx=unix_summary Path homePath='/opt/splunk/var/lib/splunk/unix_summary/db' (realpath '/opt/splunk/var/lib/splunk/unix_summary/db') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume.  Space used by homePath will not be volume-mananged.  Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.389 WARN  IndexConfig - idx=unix_summary Path coldPath='/opt/splunk/var/lib/splunk/unix_summary/colddb' (realpath '/opt/splunk/var/lib/splunk/unix_summary/colddb') is inside volume=home (path='/opt/splunk/var/lib/splunk', realpath='/opt/splunk/var/lib/splunk'), but does not reference that volume.  Space used by coldPath will not be volume-mananged.  Please check indexes.conf for configuration errors.
09-25-2018 06:17:18.390 INFO  dispatchRunner - Executing the DispatchThread.
09-25-2018 06:17:18.390 INFO  SearchParser - PARSING: | pivot NMON_Config Nmon_Config last(AIX_Machine_SerialNumber) AS "AIX_Machine_SerialNumber" dc(hostname) AS "dcount" SPLITROW hostname AS hostname SORT 0 hostname ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 0 | eval serialnum=if(isnull(AIX_Machine_SerialNumber), hostname, AIX_Machine_SerialNumber) | fields hostname,serialnum | stats count
09-25-2018 06:17:18.391 INFO  PivotEvaluator - Loading pivot for model 'NMON_Config' and object 'Nmon_Config'
09-25-2018 06:17:18.397 INFO  PivotReport - arg: 'last(AIX_Machine_SerialNumber)'
09-25-2018 06:17:18.397 INFO  PivotReport - arg: 'dc(hostname)'
09-25-2018 06:17:18.397 INFO  PivotReport - arg: 'SPLITROW'
09-25-2018 06:17:18.397 INFO  PivotRowCol - adding row
09-25-2018 06:17:18.397 INFO  PivotRowCol - next: 'AS'
09-25-2018 06:17:18.397 INFO  PivotRowCol - next: 'SORT'
09-25-2018 06:17:18.397 INFO  PivotReport - arg: 'SORT'
09-25-2018 06:17:18.397 INFO  PivotReport - arg: 'ROWSUMMARY'
09-25-2018 06:17:18.397 INFO  PivotReport - arg: 'COLSUMMARY'
09-25-2018 06:17:18.397 INFO  PivotReport - arg: 'NUMCOLS'
09-25-2018 06:17:18.397 INFO  PivotReport - arg: 'SHOWOTHER'
09-25-2018 06:17:18.398 INFO  SortOperator - maxmem = 209715200
09-25-2018 06:17:18.400 INFO  ISplunkDispatch - Not running in splunkd. Bundle replication not triggered.
09-25-2018 06:17:18.482 INFO  UserManager - Setting user context: admin
09-25-2018 06:17:18.482 INFO  UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.482 INFO  TsidxStats - Using a chunk size of 10000000
09-25-2018 06:17:18.484 INFO  TsidxStats - Initial expanded filtering search: '( nodename=Nmon_Config )'
09-25-2018 06:17:18.487 INFO  TsidxStats - Finalized TimeBounds: final_et=1537250400.000000 final_lt=1537856238.000000 info.startTime=1537250400.000000 info.endTime=1537856238.000000
09-25-2018 06:17:18.487 INFO  TsidxStats - Using summaryid="57E9834B-43B4-41D0-A3BD-042A352C4C79_DM_nmon_NMON_Config"
09-25-2018 06:17:18.487 INFO  SortOperator - maxmem = 209715200
09-25-2018 06:17:18.487 INFO  ProxyConfig - Failed to initialize http_proxy from server.conf for splunkd. Please make sure that the http_proxy property is set as http_proxy=http://host:port in case HTTP proxying needs to be enabled.
09-25-2018 06:17:18.487 INFO  ProxyConfig - Failed to initialize https_proxy from server.conf for splunkd. Please make sure that the https_proxy property is set as https_proxy=http://host:port in case HTTP proxying needs to be enabled.
09-25-2018 06:17:18.487 INFO  ProxyConfig - Failed to initialize the no_proxy setting from server.conf for splunkd. Please provide a valid set of no_proxy rules in case HTTP proxying needs to be enabled.
09-25-2018 06:17:18.542 INFO  TsidxStats - Finished evaluating arguments for datamodel-based query
09-25-2018 06:17:18.542 INFO  SortOperator - maxmem = 209715200
09-25-2018 06:17:18.542 INFO  SearchParser - PARSING: prestats dedup_splitvals=t distinct_count("Nmon_Config.hostname") last("Nmon_Config.AIX_Machine_SerialNumber") by "Nmon_Config.hostname"
09-25-2018 06:17:18.542 INFO  SearchParser - PARSING: addinfo type=count label=prereport_events
09-25-2018 06:17:18.543 INFO  SearchParser - PARSING: presort 0 auto("Nmon_Config.hostname")
09-25-2018 06:17:18.543 INFO  SortOperator - maxmem = 209715200
09-25-2018 06:17:18.543 INFO  StatsProcessor - No group-by fields specified, incompatible for high cardinality improvements
09-25-2018 06:17:18.543 INFO  DispatchThread - BatchMode: allowBatchMode: 1, conf(1): 1, timeline/Status buckets(0):0, realtime(0):0, report pipe empty(0):0, reqTimeOrder(0):0, summarize(0):0, statefulStreaming(0):0
09-25-2018 06:17:18.543 INFO  DispatchThread - required fields list to add to remote search = Nmon_Config.AIX_Machine_SerialNumber,Nmon_Config.hostname,prestats_reserved,psrsvd_
09-25-2018 06:17:18.543 INFO  SearchParser - PARSING: fields keepcolorder=t "Nmon_Config.AIX_Machine_SerialNumber" "Nmon_Config.hostname" "prestats_reserved_" "psrsvd_"
09-25-2018 06:17:18.543 INFO  DispatchCommandProcessor - summaryHash=513a3eee1f1aac4d summaryId=57E9834B-43B4-41D0-A3BD-042A352C4C79_nmon_admin_513a3eee1f1aac4d remoteSearch=tstats  last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount  from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname  prestats=true  | addinfo  type=count label=prereport_events | fields  keepcolorder=t "Nmon_Config.AIX_Machine_SerialNumber" "Nmon_Config.hostname" "prestats_reserved_" "psrsvd_" | prestats  dedup_splitvals=t distinct_count("Nmon_Config.hostname") last("Nmon_Config.AIX_Machine_SerialNumber") by "Nmon_Config.hostname"
09-25-2018 06:17:18.543 INFO  DispatchCommandProcessor - summaryHash=NS98be7406deb91d6f summaryId=57E9834B-43B4-41D0-A3BD-042A352C4C79_nmon_admin_NS98be7406deb91d6f remoteSearch=tstats last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount  from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname  prestats=true | addinfo type=count label=prereport_events | fields keepcolorder=t "Nmon_Config.AIX_Machine_SerialNumber" "Nmon_Config.hostname" "prestats_reserved_" "psrsvd_" | prestats dedup_splitvals=t distinct_count("Nmon_Config.hostname") last("Nmon_Config.AIX_Machine_SerialNumber") by "Nmon_Config.hostname"
09-25-2018 06:17:18.543 INFO  DispatchThread - Getting summary ID for summaryHash=NS98be7406deb91d6f
09-25-2018 06:17:18.550 INFO  DispatchThread - Did not find a usable summary_id, setting info.summary_mode=none, not modifying input summary_id=57E9834B-43B4-41D0-A3BD-042A352C4C79_nmon_admin_NS98be7406deb91d6f
09-25-2018 06:17:18.550 INFO  DispatchThread - Matches no summary
09-25-2018 06:17:18.550 INFO  DispatchThread - SrchOptMetrics check_query_matches_ra=69
09-25-2018 06:17:18.550 INFO  SearchParser - PARSING: | tstats last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount  from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname  prestats=true | stats dedup_splitvals=t last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount  by Nmon_Config.hostname | sort limit=0 Nmon_Config.hostname | fields - _span  | rename Nmon_Config.hostname AS hostname  | fillnull dcount | fields hostname, AIX_Machine_SerialNumber, dcount| eval serialnum=if(isnull(AIX_Machine_SerialNumber), hostname, AIX_Machine_SerialNumber) | fields hostname,serialnum | stats count
09-25-2018 06:17:18.550 INFO  SortOperator - maxmem = 209715200
09-25-2018 06:17:18.550 INFO  TsidxStats - Using a chunk size of 10000000
09-25-2018 06:17:18.552 INFO  TsidxStats - Initial expanded filtering search: '( nodename=Nmon_Config )'
09-25-2018 06:17:18.552 INFO  TsidxStats - Finished simple parsing
09-25-2018 06:17:18.552 INFO  SortOperator - maxmem = 209715200
09-25-2018 06:17:18.552 INFO  StatsProcessor - No group-by fields specified, incompatible for high cardinality improvements
09-25-2018 06:17:18.552 INFO  DispatchThread - SrchOptMetrics optimize_toJson=2
09-25-2018 06:17:18.553 INFO  ProjElim - Black listed processors=[addinfo]
09-25-2018 06:17:18.553 INFO  AstVisitorFactory - Field=hostname will be rewritten to Field=Nmon_Config.hostname
09-25-2018 06:17:18.553 INFO  AstVisitorFactory - Field=hostname will be rewritten to Field=Nmon_Config.hostname
09-25-2018 06:17:18.580 INFO  DispatchThread - SrchOptMetrics optimization=28
09-25-2018 06:17:18.580 INFO  SortOperator - maxmem = 209715200
09-25-2018 06:17:18.580 INFO  SearchPipeline - Command='rename' doesnt have raw field 
09-25-2018 06:17:18.580 INFO  SearchPipeline - Command='eval' doesnt have raw field 
09-25-2018 06:17:18.580 INFO  DispatchThread - Optimized Search = | tstats last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount  from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname  prestats=true | stats dedup_splitvals=t last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount  by Nmon_Config.hostname | sort limit=0 Nmon_Config.hostname | fields - _span | rename "Nmon_Config.hostname" as hostname | fillnull dcount | fields hostname, AIX_Machine_SerialNumber, dcount | eval serialnum=if(isnull(AIX_Machine_SerialNumber),hostname,AIX_Machine_SerialNumber) | fields hostname,serialnum | stats count
09-25-2018 06:17:18.580 INFO  DispatchThread - SrchOptMetrics fromJsontoSpl=1
09-25-2018 06:17:18.580 INFO  SearchParser - PARSING: | tstats last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount  from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname  prestats=true | stats dedup_splitvals=t last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount  by Nmon_Config.hostname | sort limit=0 Nmon_Config.hostname | fields - _span | rename "Nmon_Config.hostname" as hostname | fillnull dcount | fields hostname, AIX_Machine_SerialNumber, dcount | eval serialnum=if(isnull(AIX_Machine_SerialNumber),hostname,AIX_Machine_SerialNumber) | fields hostname,serialnum | stats count
09-25-2018 06:17:18.580 INFO  SortOperator - maxmem = 209715200
09-25-2018 06:17:18.580 INFO  DispatchThread - SrchOptMetrics reparse_optimized_query=1
09-25-2018 06:17:18.580 INFO  TsidxStats - Using a chunk size of 10000000
09-25-2018 06:17:18.582 INFO  TsidxStats - Initial expanded filtering search: '( nodename=Nmon_Config )'
09-25-2018 06:17:18.582 INFO  TsidxStats - Finalized TimeBounds: final_et=1537250400.000000 final_lt=1537856238.000000 info.startTime=1537250400.000000 info.endTime=1537856238.000000
09-25-2018 06:17:18.582 INFO  TsidxStats - Using summaryid="57E9834B-43B4-41D0-A3BD-042A352C4C79_DM_nmon_NMON_Config"
09-25-2018 06:17:18.582 INFO  SortOperator - maxmem = 209715200
09-25-2018 06:17:18.582 INFO  TsidxStats - Could not obtain a valid set of indexes to search
09-25-2018 06:17:18.582 INFO  SortOperator - maxmem = 209715200
09-25-2018 06:17:18.582 INFO  SearchParser - PARSING: prestats dedup_splitvals=t distinct_count("Nmon_Config.hostname") last("Nmon_Config.AIX_Machine_SerialNumber") by "Nmon_Config.hostname"
09-25-2018 06:17:18.582 INFO  SearchParser - PARSING: addinfo type=count label=prereport_events
09-25-2018 06:17:18.582 INFO  SearchParser - PARSING: presort 0 auto("Nmon_Config.hostname")
09-25-2018 06:17:18.582 INFO  SortOperator - maxmem = 209715200
09-25-2018 06:17:18.582 INFO  StatsProcessor - No group-by fields specified, incompatible for high cardinality improvements
09-25-2018 06:17:18.582 INFO  DispatchThread - BatchMode: allowBatchMode: 1, conf(1): 1, timeline/Status buckets(0):0, realtime(0):0, report pipe empty(0):0, reqTimeOrder(0):0, summarize(0):0, statefulStreaming(0):0
09-25-2018 06:17:18.582 INFO  DispatchThread - required fields list to add to remote search = Nmon_Config.AIX_Machine_SerialNumber,Nmon_Config.hostname,prestats_reserved,psrsvd_
09-25-2018 06:17:18.582 INFO  SearchParser - PARSING: fields keepcolorder=t "Nmon_Config.AIX_Machine_SerialNumber" "Nmon_Config.hostname" "prestats_reserved_" "psrsvd_"
09-25-2018 06:17:18.582 INFO  DispatchCommandProcessor - summaryHash=513a3eee1f1aac4d summaryId=57E9834B-43B4-41D0-A3BD-042A352C4C79_nmon_admin_513a3eee1f1aac4d remoteSearch=tstats  last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount  from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname  prestats=true  | addinfo  type=count label=prereport_events | fields  keepcolorder=t "Nmon_Config.AIX_Machine_SerialNumber" "Nmon_Config.hostname" "prestats_reserved_" "psrsvd_" | prestats  dedup_splitvals=t distinct_count("Nmon_Config.hostname") last("Nmon_Config.AIX_Machine_SerialNumber") by "Nmon_Config.hostname"
09-25-2018 06:17:18.583 INFO  DispatchCommandProcessor - summaryHash=NS98be7406deb91d6f summaryId=57E9834B-43B4-41D0-A3BD-042A352C4C79_nmon_admin_NS98be7406deb91d6f remoteSearch=tstats last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount  from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname  prestats=true | addinfo type=count label=prereport_events | fields keepcolorder=t "Nmon_Config.AIX_Machine_SerialNumber" "Nmon_Config.hostname" "prestats_reserved_" "psrsvd_" | prestats dedup_splitvals=t distinct_count("Nmon_Config.hostname") last("Nmon_Config.AIX_Machine_SerialNumber") by "Nmon_Config.hostname"
09-25-2018 06:17:18.584 INFO  DispatchThread - Setting summary_mode=NONE after optimization
09-25-2018 06:17:18.584 INFO  DispatchThread - SrchOptMetrics FinalEval=4
09-25-2018 06:17:18.584 INFO  UserManager - Setting user context: admin
09-25-2018 06:17:18.584 INFO  UserManager - Done setting user context: admin -> admin
09-25-2018 06:17:18.585 INFO  UserManager - Unwound user context: admin -> admin
09-25-2018 06:17:18.585 INFO  DistributedSearchResultCollectionManager - Stream search: tstats  last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount  from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname  prestats=true  | addinfo  type=count label=prereport_events | fields  keepcolorder=t "Nmon_Config.AIX_Machine_SerialNumber" "Nmon_Config.hostname" "prestats_reserved_" "psrsvd_" | prestats  dedup_splitvals=t distinct_count("Nmon_Config.hostname") last("Nmon_Config.AIX_Machine_SerialNumber") by "Nmon_Config.hostname"
09-25-2018 06:17:18.585 INFO  ExternalResultProvider - No external result providers are configured
09-25-2018 06:17:18.585 INFO  DistributedSearchResultCollectionManager - ERP_FACTORY initialized, but zero external result provider, hence disabling isERPCollectionEnabled
09-25-2018 06:17:18.585 INFO  DistributedSearchResultCollectionManager - Default search group:*
09-25-2018 06:17:18.585 INFO  DistributedSearchResultCollectionManager - Connecting to peer DR-IX-1 connectAll 0 connectToSpecificPeer 1
09-25-2018 06:17:18.585 INFO  DistributedSearchResultCollectionManager - Connecting to peer DR-IX-2 connectAll 0 connectToSpecificPeer 1
09-25-2018 06:17:18.585 INFO  DistributedSearchResultCollectionManager - Connecting to peer NFT-IX-1 connectAll 0 connectToSpecificPeer 1
09-25-2018 06:17:18.585 INFO  DistributedSearchResultCollectionManager - Connecting to peer NFT-IX-2 connectAll 0 connectToSpecificPeer 1
09-25-2018 06:17:18.585 INFO  DistributedSearchResultCollectionManager - Connecting to peer PROD-IX-1 connectAll 0 connectToSpecificPeer 1
09-25-2018 06:17:18.585 INFO  DistributedSearchResultCollectionManager - Connecting to peer PROD-IX-2 connectAll 0 connectToSpecificPeer 1
09-25-2018 06:17:18.585 INFO  DistributedSearchResultCollectionManager - Connecting to peer PROD-SH-1 connectAll 0 connectToSpecificPeer 1
09-25-2018 06:17:18.586 INFO  ServerConfig - Using REMOTE_SERVER_NAME=57E9834B-43B4-41D0-A3BD-042A352C4C79
09-25-2018 06:17:18.587 INFO  KeyManagerLocalhost - Checking for localhost key pair
09-25-2018 06:17:18.587 INFO  KeyManagerLocalhost - Public key already exists: /opt/splunk/etc/auth/distServerKeys/trusted.pem
09-25-2018 06:17:18.587 INFO  KeyManagerLocalhost - Reading public key for localhost: /opt/splunk/etc/auth/distServerKeys/trusted.pem
09-25-2018 06:17:18.587 INFO  KeyManagerLocalhost - Finished reading public key for localhost: /opt/splunk/etc/auth/distServerKeys/trusted.pem
09-25-2018 06:17:18.587 INFO  KeyManagerLocalhost - Reading private key for localhost: /opt/splunk/etc/auth/distServerKeys/private.pem
09-25-2018 06:17:18.587 INFO  KeyManagerLocalhost - Finished reading private key for localhost: /opt/splunk/etc/auth/distServerKeys/private.pem
09-25-2018 06:17:18.588 INFO  DistributedSearchResultCollectionManager - Successfully created search result collector for peer=DR-IX-1 in 0.003 seconds
09-25-2018 06:17:18.590 INFO  DistributedSearchResultCollectionManager - Successfully created search result collector for peer=DR-IX-2 in 0.003 seconds
09-25-2018 06:17:18.592 INFO  DistributedSearchResultCollectionManager - Successfully created search result collector for peer=NFT-IX-1 in 0.003 seconds
09-25-2018 06:17:18.594 INFO  DistributedSearchResultCollectionManager - Successfully created search result collector for peer=NFT-IX-2 in 0.003 seconds
09-25-2018 06:17:18.597 INFO  DistributedSearchResultCollectionManager - Successfully created search result collector for peer=PROD-IX-1 in 0.003 seconds
09-25-2018 06:17:18.599 INFO  DistributedSearchResultCollectionManager - Successfully created search result collector for peer=PROD-IX-2 in 0.003 seconds
09-25-2018 06:17:18.602 INFO  UserManager - Setting user context: admin
09-25-2018 06:17:18.602 INFO  UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.602 INFO  UserManager - Setting user context: admin
09-25-2018 06:17:18.602 INFO  UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.603 INFO  UserManager - Setting user context: admin
09-25-2018 06:17:18.603 INFO  UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.605 INFO  UserManager - Setting user context: admin
09-25-2018 06:17:18.605 INFO  UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.605 INFO  DispatchThread - Disk quota = 10485760000
09-25-2018 06:17:18.606 INFO  UserManager - Setting user context: admin
09-25-2018 06:17:18.606 INFO  UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.608 INFO  UserManager - Setting user context: admin
09-25-2018 06:17:18.608 INFO  UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.608 INFO  SearchParser - PARSING: tstats  last(Nmon_Config.AIX_Machine_SerialNumber) AS AIX_Machine_SerialNumber dc(Nmon_Config.hostname) AS dcount  from datamodel=NMON_Config where (nodename = Nmon_Config) groupby Nmon_Config.hostname  prestats=true  | addinfo  type=count label=prereport_events | fields  keepcolorder=t "Nmon_Config.AIX_Machine_SerialNumber" "Nmon_Config.hostname" "prestats_reserved" "psrsvd_" | prestats  dedup_splitvals=t distinct_count("Nmon_Config.hostname") last("Nmon_Config.AIX_Machine_SerialNumber") by "Nmon_Config.hostname"
09-25-2018 06:17:18.609 INFO  TsidxStats - Using a chunk size of 10000000
09-25-2018 06:17:18.609 INFO  TsidxStats - Initial expanded filtering search: '( nodename=Nmon_Config )'
09-25-2018 06:17:18.609 INFO  TsidxStats - Using summaryid="57E9834B-43B4-41D0-A3BD-042A352C4C79_DM_nmon_NMON_Config"
09-25-2018 06:17:18.609 INFO  SearchParser - PARSING:  search (index=* OR index=) (eventtype=nmon:config) | eval nodename = "Nmon_Config"| rex field=_raw "(?i),host,(?P.+)" max_match=1 | rex field=_raw "(?i),version,(?P.+)" max_match=1 | rex field=_raw "(?i),command,(?P.+)" max_match=1 | rex field=_raw "(?i),OS,(?P[^,]+)" max_match=1 | rex field=_raw "AAA,cpus,(?P\d+)" max_match=1 | rex field=_raw "AAA,cpus,\d+,(?P\d+)" max_match=1 | rex field=_raw "AAA,AIX,(?P.+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Online\sVirtual\sCPUs\s+\:\s(?P\d+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,online\sMemory,(?P\d+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"\s+Total\sPaging\sSpace:\s(?P\d+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sImplementation\sMode:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sClock\sSpeed:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"CPU\sType:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Kernel\sType:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Platform\sFirmware\slevel:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Machine\sSerial\sNumber:\s(?P.+)\\"" max_match=1 | rex field=_raw "AAA,SerialNumber,(?P\w+)" max_match=1 | eval AIX_Machine_SerialNumber=if(isnotnull(AIX_std_Machine_SerialNumber), AIX_std_Machine_SerialNumber, AIX_alt_Machine_SerialNumber) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Shared\sPool\sID\s+\:\s(?P.+)\\"" max_match=1 | eval AIX_PoolID=if(AIX_extracted_PoolID=="-","N/A" ,AIX_extracted_PoolID) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Maximum\sPhysical\sCPUs\sin\ssystem\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Active\sPhysical\sCPUs\sin\ssystem\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Active\sCPUs\sin\sPool\s+\:\s(?P.+)\\"" max_match=1 | eval AIX_PoolCPUs=if(AIX_extracted_PoolCPUs=="-","N/A" ,AIX_extracted_PoolCPUs) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Entitled\sCapacity\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sType:\s(?P.+\w)\\"" max_match=1 | eval cpu_cores_combo=(AIX_virtualcpus+" / "+cpu_cores_position2), AIX_logicalcores=if(isnotnull(cpu_cores_position2), cpu_cores_position2, cpu_cores_position1) | rex field=_raw "AAA,OS,Linux,(?P.+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+cpuinfo,.+model\sname.+:\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.+etc+.release,\\"(?!LSB_VERSION|DISTRIB|NAME|ID|VERSION)(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsb_release,\\"Description:\s(?.+)\\"" max_match=1 | eval Linux_distribution=if(isnotnull(Linux_lsb_distribution), Linux_lsb_distribution, Linux_release_distribution) | rex field=_raw "BBB.+,[0-9].+,lsb_release,\\"Distributor\s*ID:\s*(?.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsb_release,\\"Release:\s*(?.+)\\"" max_match=1 | eval Linux_vendor=if(isnotnull(Linux_lsb_distibutorid), Linux_lsb_distibutorid, "Undeterminated") | rex field=_raw "BBB.+,[0-9].+,lsb\_release,\\"Release:\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.proc.meminfo,\\"MemTotal:\s+(?P\d+)" max_match=1 | eval Linux_memory_MB=round(Linux_memory_kB/1024,0) | rex field=_raw "BBB.+,[0-9].+,.proc.meminfo,\\"SwapTotal:\s+(?P\d+)" max_match=1 | eval Linux_swap_MB=round(Linux_swap_kB/1024,0) | rex field=_raw "AAA,OS,Linux,(?P\d+.\d+).+,#" max_match=1 | rex field=_raw "AAA,OS,Linux,(?P.+),#" max_match=1 | rex field=_raw "AAA,OS,Linux,(?P.+)" max_match=1 | rex field=_raw "AAA,OS,Solaris,(?P.+)" max_match=1 | rex field=_raw "AAA,OS,Solaris,.+,(?P.+),.+,.+" max_match=1 | rex field=_raw "AAA,OS,Solaris,(?P.+),.+,.+,.+" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.+etc+.release,\\"\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+psrinfo\s\-pv,\\"\s+(?P.+)\s*\(.+\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+psrinfo\s\-pv,.+clock\s(?P.+)\)\\"" max_match=1 | eval OStype=case(OS == "Linux", "Linux", OS == "Solaris", "Solaris", isnotnull(AIX_LEVEL), "AIX", isnull(OS), "Unknown"), OS_Level=case(isnotnull(AIX_LEVEL), AIX_LEVEL, isnotnull(Solaris_version), Solaris_version, isnotnull(Linux_distribution), Linux_distribution), cpu_cores=if(isnotnull(AIX_virtualcpus), cpu_cores_combo, cpu_cores_position1), Processor=case(isnotnull(AIX_processor), AIX_processor, isnotnull(Solaris_processor), Solaris_processor, isnotnull(Linux_processor), Linux_processor) | rename uptime AS Nmon_Config.uptime hostname AS Nmon_Config.hostname nmon_version AS Nmon_Config.nmon_version nmon_command AS Nmon_Config.nmon_command OS AS Nmon_Config.OS cpu_cores_position1 AS Nmon_Config.cpu_cores_position1 cpu_cores_position2 AS Nmon_Config.cpu_cores_position2 AIX_LEVEL AS Nmon_Config.AIX_LEVEL AIX_virtualcpus AS Nmon_Config.AIX_virtualcpus AIX_memory_MB AS Nmon_Config.AIX_memory_MB AIX_pagingspace_MB AS Nmon_Config.AIX_pagingspace_MB AIX_processor_mode AS Nmon_Config.AIX_processor_mode AIX_processor_clockspeed AS Nmon_Config.AIX_processor_clockspeed AIX_cpu_type AS Nmon_Config.AIX_cpu_type AIX_kernel_type AS Nmon_Config.AIX_kernel_type AIX_plateform_firmware_level AS Nmon_Config.AIX_plateform_firmware_level AIX_std_Machine_SerialNumber AS Nmon_Config.AIX_std_Machine_SerialNumber AIX_alt_Machine_SerialNumber AS Nmon_Config.AIX_alt_Machine_SerialNumber AIX_Machine_SerialNumber AS Nmon_Config.AIX_Machine_SerialNumber AIX_extracted_PoolID AS Nmon_Config.AIX_extracted_PoolID AIX_PoolID AS Nmon_Config.AIX_PoolID AIX_system_installed_CPUs AS Nmon_Config.AIX_system_installed_CPUs AIX_system_active_CPUs AS Nmon_Config.AIX_system_active_CPUs AIX_extracted_PoolCPUs AS Nmon_Config.AIX_extracted_PoolCPUs AIX_PoolCPUs AS Nmon_Config.AIX_PoolCPUs AIX_entitled AS Nmon_Config.AIX_entitled AIX_processor AS Nmon_Config.AIX_processor cpu_cores_combo AS Nmon_Config.cpu_cores_combo AIX_logicalcores AS Nmon_Config.AIX_logicalcores Linux_LEVEL AS Nmon_Config.Linux_LEVEL Linux_processor AS Nmon_Config.Linux_processor Linux_release_distribution AS Nmon_Config.Linux_release_distribution Linux_lsb_distribution AS Nmon_Config.Linux_lsb_distribution Linux_distribution AS Nmon_Config.Linux_distribution Linux_lsb_distibutorid AS Nmon_Config.Linux_lsb_distibutorid Linux_lsb_releaseid AS Nmon_Config.Linux_lsb_releaseid Linux_vendor AS Nmon_Config.Linux_vendor Linux_version AS Nmon_Config.Linux_version Linux_memory_kB AS Nmon_Config.Linux_memory_kB Linux_memory_MB AS Nmon_Config.Linux_memory_MB Linux_swap_kB AS Nmon_Config.Linux_swap_kB Linux_swap_MB AS Nmon_Config.Linux_swap_MB Linux_kernelversion AS Nmon_Config.Linux_kernelversion Linux_kernel AS Nmon_Config.Linux_kernel Linux_fullkernel AS Nmon_Config.Linux_fullkernel Solaris_LEVEL AS Nmon_Config.Solaris_LEVEL Solaris_kernel AS Nmon_Config.Solaris_kernel Solaris_sunOS_version AS Nmon_Config.Solaris_sunOS_version Solaris_version AS Nmon_Config.Solaris_version Solaris_processor AS Nmon_Config.Solaris_processor Solaris_processor_clockspeed AS Nmon_Config.Solaris_processor_clockspeed OStype AS Nmon_Config.OStype OS_Level AS Nmon_Config.OS_Level cpu_cores AS Nmon_Config.cpu_cores Processor AS Nmon_Config.Processor | search ( nodename=Nmon_Config )
09-25-2018 06:17:18.610 INFO  UnifiedSearch - Processed search targeting arguments
09-25-2018 06:17:18.637 INFO  UnifiedSearch - Processed search targeting arguments
09-25-2018 06:17:18.638 INFO  DispatchThread - SrchOptMetrics optimize_toJson=29
09-25-2018 06:17:18.639 INFO  ProjElim - Black listed processors=[addinfo]
09-25-2018 06:17:18.639 INFO  PredicatePushOptimizer - searchcannot be pushed through eval. Reason='nodename' is modified (Ref:'nodename')
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_LEVEL will be rewritten to Field=AIX_LEVEL
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_Machine_SerialNumber will be rewritten to Field=AIX_Machine_SerialNumber
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_PoolCPUs will be rewritten to Field=AIX_PoolCPUs
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_PoolID will be rewritten to Field=AIX_PoolID
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_alt_Machine_SerialNumber will be rewritten to Field=AIX_alt_Machine_SerialNumber
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_cpu_type will be rewritten to Field=AIX_cpu_type
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_entitled will be rewritten to Field=AIX_entitled
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_extracted_PoolCPUs will be rewritten to Field=AIX_extracted_PoolCPUs
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_extracted_PoolID will be rewritten to Field=AIX_extracted_PoolID
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_kernel_type will be rewritten to Field=AIX_kernel_type
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_logicalcores will be rewritten to Field=AIX_logicalcores
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_memory_MB will be rewritten to Field=AIX_memory_MB
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_pagingspace_MB will be rewritten to Field=AIX_pagingspace_MB
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_plateform_firmware_level will be rewritten to Field=AIX_plateform_firmware_level
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_processor will be rewritten to Field=AIX_processor
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_processor_clockspeed will be rewritten to Field=AIX_processor_clockspeed
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_processor_mode will be rewritten to Field=AIX_processor_mode
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_std_Machine_SerialNumber will be rewritten to Field=AIX_std_Machine_SerialNumber
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_system_active_CPUs will be rewritten to Field=AIX_system_active_CPUs
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_system_installed_CPUs will be rewritten to Field=AIX_system_installed_CPUs
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_virtualcpus will be rewritten to Field=AIX_virtualcpus
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_LEVEL will be rewritten to Field=Linux_LEVEL
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_distribution will be rewritten to Field=Linux_distribution
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_fullkernel will be rewritten to Field=Linux_fullkernel
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_kernel will be rewritten to Field=Linux_kernel
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_kernelversion will be rewritten to Field=Linux_kernelversion
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_lsb_distibutorid will be rewritten to Field=Linux_lsb_distibutorid
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_lsb_distribution will be rewritten to Field=Linux_lsb_distribution
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_lsb_releaseid will be rewritten to Field=Linux_lsb_releaseid
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_memory_MB will be rewritten to Field=Linux_memory_MB
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_memory_kB will be rewritten to Field=Linux_memory_kB
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_processor will be rewritten to Field=Linux_processor
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_release_distribution will be rewritten to Field=Linux_release_distribution
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_swap_MB will be rewritten to Field=Linux_swap_MB
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_swap_kB will be rewritten to Field=Linux_swap_kB
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_vendor will be rewritten to Field=Linux_vendor
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_version will be rewritten to Field=Linux_version
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.OS will be rewritten to Field=OS
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.OS_Level will be rewritten to Field=OS_Level
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.OStype will be rewritten to Field=OStype
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Processor will be rewritten to Field=Processor
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Solaris_LEVEL will be rewritten to Field=Solaris_LEVEL
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Solaris_kernel will be rewritten to Field=Solaris_kernel
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Solaris_processor will be rewritten to Field=Solaris_processor
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Solaris_processor_clockspeed will be rewritten to Field=Solaris_processor_clockspeed
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Solaris_sunOS_version will be rewritten to Field=Solaris_sunOS_version
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Solaris_version will be rewritten to Field=Solaris_version
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.cpu_cores will be rewritten to Field=cpu_cores
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.cpu_cores_combo will be rewritten to Field=cpu_cores_combo
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.cpu_cores_position1 will be rewritten to Field=cpu_cores_position1
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.cpu_cores_position2 will be rewritten to Field=cpu_cores_position2
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.hostname will be rewritten to Field=hostname
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.nmon_command will be rewritten to Field=nmon_command
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.nmon_version will be rewritten to Field=nmon_version
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.uptime will be rewritten to Field=uptime
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_LEVEL will be rewritten to Field=AIX_LEVEL
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_Machine_SerialNumber will be rewritten to Field=AIX_Machine_SerialNumber
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_PoolCPUs will be rewritten to Field=AIX_PoolCPUs
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_PoolID will be rewritten to Field=AIX_PoolID
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_alt_Machine_SerialNumber will be rewritten to Field=AIX_alt_Machine_SerialNumber
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_cpu_type will be rewritten to Field=AIX_cpu_type
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_entitled will be rewritten to Field=AIX_entitled
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_extracted_PoolCPUs will be rewritten to Field=AIX_extracted_PoolCPUs
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_extracted_PoolID will be rewritten to Field=AIX_extracted_PoolID
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_kernel_type will be rewritten to Field=AIX_kernel_type
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_logicalcores will be rewritten to Field=AIX_logicalcores
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_memory_MB will be rewritten to Field=AIX_memory_MB
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_pagingspace_MB will be rewritten to Field=AIX_pagingspace_MB
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_plateform_firmware_level will be rewritten to Field=AIX_plateform_firmware_level
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_processor will be rewritten to Field=AIX_processor
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_processor_clockspeed will be rewritten to Field=AIX_processor_clockspeed
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_processor_mode will be rewritten to Field=AIX_processor_mode
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_std_Machine_SerialNumber will be rewritten to Field=AIX_std_Machine_SerialNumber
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_system_active_CPUs will be rewritten to Field=AIX_system_active_CPUs
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_system_installed_CPUs will be rewritten to Field=AIX_system_installed_CPUs
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.AIX_virtualcpus will be rewritten to Field=AIX_virtualcpus
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_LEVEL will be rewritten to Field=Linux_LEVEL
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_distribution will be rewritten to Field=Linux_distribution
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_fullkernel will be rewritten to Field=Linux_fullkernel
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_kernel will be rewritten to Field=Linux_kernel
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_kernelversion will be rewritten to Field=Linux_kernelversion
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_lsb_distibutorid will be rewritten to Field=Linux_lsb_distibutorid
09-25-2018 06:17:18.639 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_lsb_distribution will be rewritten to Field=Linux_lsb_distribution
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_lsb_releaseid will be rewritten to Field=Linux_lsb_releaseid
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_memory_MB will be rewritten to Field=Linux_memory_MB
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_memory_kB will be rewritten to Field=Linux_memory_kB
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_processor will be rewritten to Field=Linux_processor
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_release_distribution will be rewritten to Field=Linux_release_distribution
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_swap_MB will be rewritten to Field=Linux_swap_MB
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_swap_kB will be rewritten to Field=Linux_swap_kB
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_vendor will be rewritten to Field=Linux_vendor
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.Linux_version will be rewritten to Field=Linux_version
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.OS will be rewritten to Field=OS
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.OS_Level will be rewritten to Field=OS_Level
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.OStype will be rewritten to Field=OStype
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.Processor will be rewritten to Field=Processor
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.Solaris_LEVEL will be rewritten to Field=Solaris_LEVEL
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.Solaris_kernel will be rewritten to Field=Solaris_kernel
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.Solaris_processor will be rewritten to Field=Solaris_processor
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.Solaris_processor_clockspeed will be rewritten to Field=Solaris_processor_clockspeed
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.Solaris_sunOS_version will be rewritten to Field=Solaris_sunOS_version
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.Solaris_version will be rewritten to Field=Solaris_version
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.cpu_cores will be rewritten to Field=cpu_cores
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.cpu_cores_combo will be rewritten to Field=cpu_cores_combo
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.cpu_cores_position1 will be rewritten to Field=cpu_cores_position1
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.cpu_cores_position2 will be rewritten to Field=cpu_cores_position2
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.hostname will be rewritten to Field=hostname
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.nmon_command will be rewritten to Field=nmon_command
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.nmon_version will be rewritten to Field=nmon_version
09-25-2018 06:17:18.640 INFO  AstVisitorFactory - Field=Nmon_Config.uptime will be rewritten to Field=uptime
09-25-2018 06:17:18.640 INFO  DispatchThread - SrchOptMetrics optimization=3
09-25-2018 06:17:18.640 INFO  SearchPipeline - Command='search' doesnt have raw field 
09-25-2018 06:17:18.642 INFO  SearchPipeline - Command='eval' doesnt have raw field 
09-25-2018 06:17:18.642 INFO  SearchPipeline - Command='search' doesnt have raw field 
09-25-2018 06:17:18.642 INFO  SearchPipeline - Command='eval' doesnt have raw field 
09-25-2018 06:17:18.642 INFO  SearchPipeline - Command='eval' doesnt have raw field 
09-25-2018 06:17:18.642 INFO  SearchPipeline - Command='eval' doesnt have raw field 
09-25-2018 06:17:18.642 INFO  SearchPipeline - Command='eval' doesnt have raw field 
09-25-2018 06:17:18.642 INFO  SearchPipeline - Command='eval' doesnt have raw field 
09-25-2018 06:17:18.642 INFO  SearchPipeline - Command='eval' doesnt have raw field 
09-25-2018 06:17:18.642 INFO  SearchPipeline - Command='eval' doesnt have raw field 
09-25-2018 06:17:18.642 INFO  SearchPipeline - Command='eval' doesnt have raw field 
09-25-2018 06:17:18.642 INFO  SearchPipeline - Command='eval' doesnt have raw field 
09-25-2018 06:17:18.642 INFO  SearchPipeline - Command='rename' doesnt have raw field 
09-25-2018 06:17:18.642 INFO  DispatchThread - Optimized Search = | search (eventtype=nmon:config (index=* OR index=)) | eval nodename="Nmon_Config"| search nodename=Nmon_Config | rex field=_raw "(?i),host,(?P.+)" max_match=1 | rex field=_raw "(?i),version,(?P.+)" max_match=1 | rex field=_raw "(?i),command,(?P.+)" max_match=1 | rex field=_raw "(?i),OS,(?P[^,]+)" max_match=1 | rex field=_raw "AAA,cpus,(?P\d+)" max_match=1 | rex field=_raw "AAA,cpus,\d+,(?P\d+)" max_match=1 | rex field=_raw "AAA,AIX,(?P.+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Online\sVirtual\sCPUs\s+\:\s(?P\d+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,online\sMemory,(?P\d+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"\s+Total\sPaging\sSpace:\s(?P\d+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sImplementation\sMode:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sClock\sSpeed:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"CPU\sType:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Kernel\sType:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Platform\sFirmware\slevel:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Machine\sSerial\sNumber:\s(?P.+)\\"" max_match=1 | rex field=_raw "AAA,SerialNumber,(?P\w+)" max_match=1 | eval AIX_Machine_SerialNumber=if(isnotnull(AIX_std_Machine_SerialNumber),AIX_std_Machine_SerialNumber,AIX_alt_Machine_SerialNumber) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Shared\sPool\sID\s+\:\s(?P.+)\\"" max_match=1 | eval AIX_PoolID=if((AIX_extracted_PoolID == "-"),"N/A",AIX_extracted_PoolID) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Maximum\sPhysical\sCPUs\sin\ssystem\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Active\sPhysical\sCPUs\sin\ssystem\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Active\sCPUs\sin\sPool\s+\:\s(?P.+)\\"" max_match=1 | eval AIX_PoolCPUs=if((AIX_extracted_PoolCPUs == "-"),"N/A",AIX_extracted_PoolCPUs) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Entitled\sCapacity\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sType:\s(?P.+\w)\\"" max_match=1 | eval cpu_cores_combo=((AIX_virtualcpus + " / ") + cpu_cores_position2), AIX_logicalcores=if(isnotnull(cpu_cores_position2),cpu_cores_position2,cpu_cores_position1) | rex field=_raw "AAA,OS,Linux,(?P.+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+cpuinfo,.+model\sname.+:\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.+etc+.release,\\"(?!LSB_VERSION|DISTRIB|NAME|ID|VERSION)(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsb_release,\\"Description:\s(?.+)\\"" max_match=1 | eval Linux_distribution=if(isnotnull(Linux_lsb_distribution),Linux_lsb_distribution,Linux_release_distribution) | rex field=raw "BBB.+,[0-9].+,lsb_release,\\"Distributor\s*ID:\s*(?.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsb_release,\\"Release:\s*(?.+)\\"" max_match=1 | eval Linux_vendor=if(isnotnull(Linux_lsb_distibutorid),Linux_lsb_distibutorid,"Undeterminated") | rex field=_raw "BBB.+,[0-9].+,lsb\_release,\\"Release:\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.proc.meminfo,\\"MemTotal:\s+(?P\d+)" max_match=1 | eval Linux_memory_MB=round((Linux_memory_kB / 1024),0) | rex field=_raw "BBB.+,[0-9].+,.proc.meminfo,\\"SwapTotal:\s+(?P\d+)" max_match=1 | eval Linux_swap_MB=round((Linux_swap_kB / 1024),0) | rex field=_raw "AAA,OS,Linux,(?P\d+.\d+).+,#" max_match=1 | rex field=_raw "AAA,OS,Linux,(?P.+),#" max_match=1 | rex field=_raw "AAA,OS,Linux,(?P.+)" max_match=1 | rex field=_raw "AAA,OS,Solaris,(?P.+)" max_match=1 | rex field=_raw "AAA,OS,Solaris,.+,(?P.+),.+,.+" max_match=1 | rex field=_raw "AAA,OS,Solaris,(?P.+),.+,.+,.+" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.+etc+.release,\\"\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+psrinfo\s\-pv,\\"\s+(?P.+)\s*\(.+\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+psrinfo\s\-pv,.+clock\s(?P.+)\)\\"" max_match=1 | eval OStype=case((OS == "Linux"),"Linux",(OS == "Solaris"),"Solaris",isnotnull(AIX_LEVEL),"AIX",isnull(OS),"Unknown"), OS_Level=case(isnotnull(AIX_LEVEL),AIX_LEVEL,isnotnull(Solaris_version),Solaris_version,isnotnull(Linux_distribution),Linux_distribution), cpu_cores=if(isnotnull(AIX_virtualcpus),cpu_cores_combo,cpu_cores_position1), Processor=case(isnotnull(AIX_processor),AIX_processor,isnotnull(Solaris_processor),Solaris_processor,isnotnull(Linux_processor),Linux_processor) | rename AIX_LEVEL as "Nmon_Config.AIX_LEVEL", AIX_Machine_SerialNumber as "Nmon_Config.AIX_Machine_SerialNumber", AIX_PoolCPUs as "Nmon_Config.AIX_PoolCPUs", AIX_PoolID as "Nmon_Config.AIX_PoolID", AIX_alt_Machine_SerialNumber as "Nmon_Config.AIX_alt_Machine_SerialNumber", AIX_cpu_type as "Nmon_Config.AIX_cpu_type", AIX_entitled as "Nmon_Config.AIX_entitled", AIX_extracted_PoolCPUs as "Nmon_Config.AIX_extracted_PoolCPUs", AIX_extracted_PoolID as "Nmon_Config.AIX_extracted_PoolID", AIX_kernel_type as "Nmon_Config.AIX_kernel_type", AIX_logicalcores as "Nmon_Config.AIX_logicalcores", AIX_memory_MB as "Nmon_Config.AIX_memory_MB", AIX_pagingspace_MB as "Nmon_Config.AIX_pagingspace_MB", AIX_plateform_firmware_level as "Nmon_Config.AIX_plateform_firmware_level", AIX_processor as "Nmon_Config.AIX_processor", AIX_processor_clockspeed as "Nmon_Config.AIX_processor_clockspeed", AIX_processor_mode as "Nmon_Config.AIX_processor_mode", AIX_std_Machine_SerialNumber as "Nmon_Config.AIX_std_Machine_SerialNumber", AIX_system_active_CPUs as "Nmon_Config.AIX_system_active_CPUs", AIX_system_installed_CPUs as "Nmon_Config.AIX_system_installed_CPUs", AIX_virtualcpus as "Nmon_Config.AIX_virtualcpus", Linux_LEVEL as "Nmon_Config.Linux_LEVEL", Linux_distribution as "Nmon_Config.Linux_distribution", Linux_fullkernel as "Nmon_Config.Linux_fullkernel", Linux_kernel as "Nmon_Config.Linux_kernel", Linux_kernelversion as "Nmon_Config.Linux_kernelversion", Linux_lsb_distibutorid as "Nmon_Config.Linux_lsb_distibutorid", Linux_lsb_distribution as "Nmon_Config.Linux_lsb_distribution", Linux_lsb_releaseid as "Nmon_Config.Linux_lsb_releaseid", Linux_memory_MB as "Nmon_Config.Linux_memory_MB", Linux_memory_kB as "Nmon_Config.Linux_memory_kB", Linux_processor as "Nmon_Config.Linux_processor", Linux_release_distribution as "Nmon_Config.Linux_release_distribution", Linux_swap_MB as "Nmon_Config.Linux_swap_MB", Linux_swap_kB as "Nmon_Config.Linux_swap_kB", Linux_vendor as "Nmon_Config.Linux_vendor", Linux_version as "Nmon_Config.Linux_version", OS as "Nmon_Config.OS", OS_Level as "Nmon_Config.OS_Level", OStype as "Nmon_Config.OStype", Processor as "Nmon_Config.Processor", Solaris_LEVEL as "Nmon_Config.Solaris_LEVEL", Solaris_kernel as "Nmon_Config.Solaris_kernel", Solaris_processor as "Nmon_Config.Solaris_processor", Solaris_processor_clockspeed as "Nmon_Config.Solaris_processor_clockspeed", Solaris_sunOS_version as "Nmon_Config.Solaris_sunOS_version", Solaris_version as "Nmon_Config.Solaris_version", cpu_cores as "Nmon_Config.cpu_cores", cpu_cores_combo as "Nmon_Config.cpu_cores_combo", cpu_cores_position1 as "Nmon_Config.cpu_cores_position1", cpu_cores_position2 as "Nmon_Config.cpu_cores_position2", hostname as "Nmon_Config.hostname", nmon_command as "Nmon_Config.nmon_command", nmon_version as "Nmon_Config.nmon_version", uptime as "Nmon_Config.uptime"
09-25-2018 06:17:18.642 INFO  DispatchThread - SrchOptMetrics fromJsontoSpl=2
09-25-2018 06:17:18.643 INFO  SearchParser - PARSING: | search (eventtype=nmon:config (index=* OR index=)) | eval nodename="Nmon_Config"| search nodename=Nmon_Config | rex field=_raw "(?i),host,(?P.+)" max_match=1 | rex field=_raw "(?i),version,(?P.+)" max_match=1 | rex field=_raw "(?i),command,(?P.+)" max_match=1 | rex field=_raw "(?i),OS,(?P[^,]+)" max_match=1 | rex field=_raw "AAA,cpus,(?P\d+)" max_match=1 | rex field=_raw "AAA,cpus,\d+,(?P\d+)" max_match=1 | rex field=_raw "AAA,AIX,(?P.+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Online\sVirtual\sCPUs\s+\:\s(?P\d+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,online\sMemory,(?P\d+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"\s+Total\sPaging\sSpace:\s(?P\d+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sImplementation\sMode:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sClock\sSpeed:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"CPU\sType:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Kernel\sType:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Platform\sFirmware\slevel:\s(?P.+\w)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Machine\sSerial\sNumber:\s(?P.+)\\"" max_match=1 | rex field=_raw "AAA,SerialNumber,(?P\w+)" max_match=1 | eval AIX_Machine_SerialNumber=if(isnotnull(AIX_std_Machine_SerialNumber),AIX_std_Machine_SerialNumber,AIX_alt_Machine_SerialNumber) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Shared\sPool\sID\s+\:\s(?P.+)\\"" max_match=1 | eval AIX_PoolID=if((AIX_extracted_PoolID == "-"),"N/A",AIX_extracted_PoolID) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Maximum\sPhysical\sCPUs\sin\ssystem\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Active\sPhysical\sCPUs\sin\ssystem\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Active\sCPUs\sin\sPool\s+\:\s(?P.+)\\"" max_match=1 | eval AIX_PoolCPUs=if((AIX_extracted_PoolCPUs == "-"),"N/A",AIX_extracted_PoolCPUs) | rex field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Entitled\sCapacity\s+\:\s(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sType:\s(?P.+\w)\\"" max_match=1 | eval cpu_cores_combo=((AIX_virtualcpus + " / ") + cpu_cores_position2), AIX_logicalcores=if(isnotnull(cpu_cores_position2),cpu_cores_position2,cpu_cores_position1) | rex field=_raw "AAA,OS,Linux,(?P.+)" max_match=1 | rex field=_raw "BBB.+,[0-9].+cpuinfo,.+model\sname.+:\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.+etc+.release,\\"(?!LSB_VERSION|DISTRIB|NAME|ID|VERSION)(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsb_release,\\"Description:\s(?.+)\\"" max_match=1 | eval Linux_distribution=if(isnotnull(Linux_lsb_distribution),Linux_lsb_distribution,Linux_release_distribution) | rex field=raw "BBB.+,[0-9].+,lsb_release,\\"Distributor\s*ID:\s*(?.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,lsb_release,\\"Release:\s*(?.+)\\"" max_match=1 | eval Linux_vendor=if(isnotnull(Linux_lsb_distibutorid),Linux_lsb_distibutorid,"Undeterminated") | rex field=_raw "BBB.+,[0-9].+,lsb\_release,\\"Release:\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.proc.meminfo,\\"MemTotal:\s+(?P\d+)" max_match=1 | eval Linux_memory_MB=round((Linux_memory_kB / 1024),0) | rex field=_raw "BBB.+,[0-9].+,.proc.meminfo,\\"SwapTotal:\s+(?P\d+)" max_match=1 | eval Linux_swap_MB=round((Linux_swap_kB / 1024),0) | rex field=_raw "AAA,OS,Linux,(?P\d+.\d+).+,#" max_match=1 | rex field=_raw "AAA,OS,Linux,(?P.+),#" max_match=1 | rex field=_raw "AAA,OS,Linux,(?P.+)" max_match=1 | rex field=_raw "AAA,OS,Solaris,(?P.+)" max_match=1 | rex field=_raw "AAA,OS,Solaris,.+,(?P.+),.+,.+" max_match=1 | rex field=_raw "AAA,OS,Solaris,(?P.+),.+,.+,.+" max_match=1 | rex field=_raw "BBB.+,[0-9].+,.+etc+.release,\\"\s+(?P.+)\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+psrinfo\s\-pv,\\"\s+(?P.+)\s*\(.+\\"" max_match=1 | rex field=_raw "BBB.+,[0-9].+psrinfo\s\-pv,.+clock\s(?P.+)\)\\"" max_match=1 | eval OStype=case((OS == "Linux"),"Linux",(OS == "Solaris"),"Solaris",isnotnull(AIX_LEVEL),"AIX",isnull(OS),"Unknown"), OS_Level=case(isnotnull(AIX_LEVEL),AIX_LEVEL,isnotnull(Solaris_version),Solaris_version,isnotnull(Linux_distribution),Linux_distribution), cpu_cores=if(isnotnull(AIX_virtualcpus),cpu_cores_combo,cpu_cores_position1), Processor=case(isnotnull(AIX_processor),AIX_processor,isnotnull(Solaris_processor),Solaris_processor,isnotnull(Linux_processor),Linux_processor) | rename AIX_LEVEL as "Nmon_Config.AIX_LEVEL", AIX_Machine_SerialNumber as "Nmon_Config.AIX_Machine_SerialNumber", AIX_PoolCPUs as "Nmon_Config.AIX_PoolCPUs", AIX_PoolID as "Nmon_Config.AIX_PoolID", AIX_alt_Machine_SerialNumber as "Nmon_Config.AIX_alt_Machine_SerialNumber", AIX_cpu_type as "Nmon_Config.AIX_cpu_type", AIX_entitled as "Nmon_Config.AIX_entitled", AIX_extracted_PoolCPUs as "Nmon_Config.AIX_extracted_PoolCPUs", AIX_extracted_PoolID as "Nmon_Config.AIX_extracted_PoolID", AIX_kernel_type as "Nmon_Config.AIX_kernel_type", AIX_logicalcores as "Nmon_Config.AIX_logicalcores", AIX_memory_MB as "Nmon_Config.AIX_memory_MB", AIX_pagingspace_MB as "Nmon_Config.AIX_pagingspace_MB", AIX_plateform_firmware_level as "Nmon_Config.AIX_plateform_firmware_level", AIX_processor as "Nmon_Config.AIX_processor", AIX_processor_clockspeed as "Nmon_Config.AIX_processor_clockspeed", AIX_processor_mode as "Nmon_Config.AIX_processor_mode", AIX_std_Machine_SerialNumber as "Nmon_Config.AIX_std_Machine_SerialNumber", AIX_system_active_CPUs as "Nmon_Config.AIX_system_active_CPUs", AIX_system_installed_CPUs as "Nmon_Config.AIX_system_installed_CPUs", AIX_virtualcpus as "Nmon_Config.AIX_virtualcpus", Linux_LEVEL as "Nmon_Config.Linux_LEVEL", Linux_distribution as "Nmon_Config.Linux_distribution", Linux_fullkernel as "Nmon_Config.Linux_fullkernel", Linux_kernel as "Nmon_Config.Linux_kernel", Linux_kernelversion as "Nmon_Config.Linux_kernelversion", Linux_lsb_distibutorid as "Nmon_Config.Linux_lsb_distibutorid", Linux_lsb_distribution as "Nmon_Config.Linux_lsb_distribution", Linux_lsb_releaseid as "Nmon_Config.Linux_lsb_releaseid", Linux_memory_MB as "Nmon_Config.Linux_memory_MB", Linux_memory_kB as "Nmon_Config.Linux_memory_kB", Linux_processor as "Nmon_Config.Linux_processor", Linux_release_distribution as "Nmon_Config.Linux_release_distribution", Linux_swap_MB as "Nmon_Config.Linux_swap_MB", Linux_swap_kB as "Nmon_Config.Linux_swap_kB", Linux_vendor as "Nmon_Config.Linux_vendor", Linux_version as "Nmon_Config.Linux_version", OS as "Nmon_Config.OS", OS_Level as "Nmon_Config.OS_Level", OStype as "Nmon_Config.OStype", Processor as "Nmon_Config.Processor", Solaris_LEVEL as "Nmon_Config.Solaris_LEVEL", Solaris_kernel as "Nmon_Config.Solaris_kernel", Solaris_processor as "Nmon_Config.Solaris_processor", Solaris_processor_clockspeed as "Nmon_Config.Solaris_processor_clockspeed", Solaris_sunOS_version as "Nmon_Config.Solaris_sunOS_version", Solaris_version as "Nmon_Config.Solaris_version", cpu_cores as "Nmon_Config.cpu_cores", cpu_cores_combo as "Nmon_Config.cpu_cores_combo", cpu_cores_position1 as "Nmon_Config.cpu_cores_position1", cpu_cores_position2 as "Nmon_Config.cpu_cores_position2", hostname as "Nmon_Config.hostname", nmon_command as "Nmon_Config.nmon_command", nmon_version as "Nmon_Config.nmon_version", uptime as "Nmon_Config.uptime"
09-25-2018 06:17:18.662 INFO  SearchProcessor - Building search filter
09-25-2018 06:17:18.693 INFO  LookupOperator - Using wildcard matching for field 'host' in lookup table 'dropdownsLookup'
09-25-2018 06:17:18.693 INFO  LookupOperator - Loading lookup table='dropdownsLookup', file size=2301, modtime=1537833607
09-25-2018 06:17:18.694 INFO  LookupOperator - Loading lookup table='nix_endpoint_change_action_lookup', file size=186, modtime=1500632298
09-25-2018 06:17:18.694 INFO  LookupOperator - Loading lookup table='nix_endpoint_change_fs_notification_object_category_lookup', file size=57, modtime=1500632298
09-25-2018 06:17:18.694 INFO  LookupOperator - Loading lookup table='nix_action_lookup', file size=413, modtime=1500632298
09-25-2018 06:17:18.695 INFO  LookupOperator - Loading lookup table='nmon_inventory', file size=0, modtime=1537855205
09-25-2018 06:17:18.695 INFO  LookupOperator - Loading lookup table='ossec_action_lookup', file size=779, modtime=1500632289
09-25-2018 06:17:18.695 INFO  LookupOperator - Loading lookup table='ossec_object_category_lookup', file size=217, modtime=1500632289
09-25-2018 06:17:18.695 INFO  LookupOperator - Loading lookup table='ossec_severities_lookup', file size=180, modtime=1500632289
09-25-2018 06:17:18.696 INFO  LookupOperator - Loading lookup table='rsa_securid_change_status_lookup', file size=54, modtime=1500632290
09-25-2018 06:17:18.696 INFO  LookupOperator - Loading lookup table='rsa_securid_severity_lookup_lookup', file size=84, modtime=1500632290
09-25-2018 06:17:18.696 INFO  LookupOperator - Loading lookup table='rsa_securid_actions_lookup', file size=137, modtime=1500632290
09-25-2018 06:17:18.698 INFO  LookupOperator - Using wildcard matching for field 'category_id' in lookup table 'websense_categories_lookup'
09-25-2018 06:17:18.698 INFO  LookupOperator - Loading lookup table='websense_categories_lookup', file size=6061, modtime=1500632291
09-25-2018 06:17:18.698 INFO  LookupOperator - Loading lookup table='websense_action_lookup', file size=54, modtime=1500632291
09-25-2018 06:17:18.698 INFO  LookupOperator - Using wildcard matching for field 'status' in lookup table 'websense_http_statuses_lookup'
09-25-2018 06:17:18.698 INFO  LookupOperator - Loading lookup table='websense_http_statuses_lookup', file size=1355, modtime=1500632291
09-25-2018 06:17:18.699 INFO  LookupOperator - Loading lookup table='websense_severity_lookup', file size=119, modtime=1500632291
09-25-2018 06:17:18.906 INFO  UnifiedSearch - Expanded index search = (index=nmon sourcetype=nmon_config (index=* OR index=))
09-25-2018 06:17:18.906 INFO  UnifiedSearch - base lispy: [ AND index::nmon sourcetype::nmon_config [ OR index:: index::* ] ]
09-25-2018 06:17:18.908 INFO  UserManager - Setting user context: admin
09-25-2018 06:17:18.908 INFO  UserManager - Done setting user context: admin -> admin
09-25-2018 06:17:18.908 INFO  FastSearchFilter - Finished initializing IndexScopedFilter - trivial=0, nTerms=0, oTerms=0, host=0, source=0, sourcetype=1, linecount=0 exactCustomCmp=0
09-25-2018 06:17:18.908 INFO  UserManager - Unwound user context: admin -> admin
09-25-2018 06:17:18.908 INFO  BatchSearch - Using Batch Search
09-25-2018 06:17:18.908 INFO  BatchSearch - Clearing any DDM references
09-25-2018 06:17:18.908 INFO  BatchSearch - index: nmon dbsize=0
09-25-2018 06:17:18.908 INFO  UnifiedSearch - Initialization of search data structures took 3 ms
09-25-2018 06:17:18.909 INFO  UnifiedSearch - Processed search targeting arguments
09-25-2018 06:17:18.909 INFO  UnifiedSearch - Processed search targeting arguments
09-25-2018 06:17:18.910 INFO  SearchParser - PARSING: litsearch (index=nmon sourcetype=nmon_config (index=* OR index=)) | eval  nodename="Nmon_Config" | search nodename=Nmon_Config  | rex  field=_raw "(?i),host,(?P.+)" max_match=1  | rex  field=_raw "(?i),version,(?P.+)" max_match=1  | rex  field=_raw "(?i),command,(?P.+)" max_match=1  | rex  field=_raw "(?i),OS,(?P[^,]+)" max_match=1  | rex  field=_raw "AAA,cpus,(?P\d+)" max_match=1  | rex  field=_raw "AAA,cpus,\d+,(?P\d+)" max_match=1  | rex  field=_raw "AAA,AIX,(?P.+)" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Online\sVirtual\sCPUs\s+\:\s(?P\d+)\\"" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,online\sMemory,(?P\d+)" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,lsconf,\\"\s+Total\sPaging\sSpace:\s(?P\d+)" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sImplementation\sMode:\s(?P.+\w)\\"" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sClock\sSpeed:\s(?P.+\w)\\"" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,lsconf,\\"CPU\sType:\s(?P.+\w)\\"" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,lsconf,\\"Kernel\sType:\s(?P.+\w)\\"" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,lsconf,\\"Platform\sFirmware\slevel:\s(?P.+\w)\\"" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,lsconf,\\"Machine\sSerial\sNumber:\s(?P.+)\\"" max_match=1  | rex  field=_raw "AAA,SerialNumber,(?P\w+)" max_match=1  | eval  AIX_Machine_SerialNumber=if(isnotnull(AIX_std_Machine_SerialNumber),AIX_std_Machine_SerialNumber,AIX_alt_Machine_SerialNumber)  | rex  field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Shared\sPool\sID\s+\:\s(?P.+)\\"" max_match=1  | eval  AIX_PoolID=if((AIX_extracted_PoolID == "-"),"N/A",AIX_extracted_PoolID)  | rex  field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Maximum\sPhysical\sCPUs\sin\ssystem\s+\:\s(?P.+)\\"" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Active\sPhysical\sCPUs\sin\ssystem\s+\:\s(?P.+)\\"" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Active\sCPUs\sin\sPool\s+\:\s(?P.+)\\"" max_match=1  | eval  AIX_PoolCPUs=if((AIX_extracted_PoolCPUs == "-"),"N/A",AIX_extracted_PoolCPUs)  | rex  field=_raw "BBB.+,[0-9].+,lparstat.+,\\"Entitled\sCapacity\s+\:\s(?P.+)\\"" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,lsconf,\\"Processor\sType:\s(?P.+\w)\\"" max_match=1  | eval  cpu_cores_combo=((AIX_virtualcpus + " / ") + cpu_cores_position2), AIX_logicalcores=if(isnotnull(cpu_cores_position2),cpu_cores_position2,cpu_cores_position1)  | rex  field=_raw "AAA,OS,Linux,(?P.+)" max_match=1  | rex  field=_raw "BBB.+,[0-9].+cpuinfo,.+model\sname.+:\s+(?P.+)\\"" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,.+etc+.release,\\"(?!LSB_VERSION|DISTRIB|NAME|ID|VERSION)(?P.+)\\"" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,lsb_release,\\"Description:\s(?.+)\\"" max_match=1  | eval  Linux_distribution=if(isnotnull(Linux_lsb_distribution),Linux_lsb_distribution,Linux_release_distribution)  | rex  field=raw "BBB.+,[0-9].+,lsb_release,\\"Distributor\s*ID:\s*(?.+)\\"" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,lsb_release,\\"Release:\s*(?.+)\\"" max_match=1  | eval  Linux_vendor=if(isnotnull(Linux_lsb_distibutorid),Linux_lsb_distibutorid,"Undeterminated")  | rex  field=_raw "BBB.+,[0-9].+,lsb\_release,\\"Release:\s+(?P.+)\\"" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,.proc.meminfo,\\"MemTotal:\s+(?P\d+)" max_match=1  | eval  Linux_memory_MB=round((Linux_memory_kB / 1024),0)  | rex  field=_raw "BBB.+,[0-9].+,.proc.meminfo,\\"SwapTotal:\s+(?P\d+)" max_match=1  | eval  Linux_swap_MB=round((Linux_swap_kB / 1024),0)  | rex  field=_raw "AAA,OS,Linux,(?P\d+.\d+).+,#" max_match=1  | rex  field=_raw "AAA,OS,Linux,(?P.+),#" max_match=1  | rex  field=_raw "AAA,OS,Linux,(?P.+)" max_match=1  | rex  field=_raw "AAA,OS,Solaris,(?P.+)" max_match=1  | rex  field=_raw "AAA,OS,Solaris,.+,(?P.+),.+,.+" max_match=1  | rex  field=_raw "AAA,OS,Solaris,(?P.+),.+,.+,.+" max_match=1  | rex  field=_raw "BBB.+,[0-9].+,.+etc+.release,\\"\s+(?P.+)\\"" max_match=1  | rex  field=_raw "BBB.+,[0-9].+psrinfo\s\-pv,\\"\s+(?P.+)\s*\(.+\\"" max_match=1  | rex  field=_raw "BBB.+,[0-9].+psrinfo\s\-pv,.+clock\s(?P.+)\)\\"" max_match=1  | eval  OStype=case((OS == "Linux"),"Linux",(OS == "Solaris"),"Solaris",isnotnull(AIX_LEVEL),"AIX",isnull(OS),"Unknown"), OS_Level=case(isnotnull(AIX_LEVEL),AIX_LEVEL,isnotnull(Solaris_version),Solaris_version,isnotnull(Linux_distribution),Linux_distribution), cpu_cores=if(isnotnull(AIX_virtualcpus),cpu_cores_combo,cpu_cores_position1), Processor=case(isnotnull(AIX_processor),AIX_processor,isnotnull(Solaris_processor),Solaris_processor,isnotnull(Linux_processor),Linux_processor)  | rename  AIX_LEVEL as "Nmon_Config.AIX_LEVEL", AIX_Machine_SerialNumber as "Nmon_Config.AIX_Machine_SerialNumber", AIX_PoolCPUs as "Nmon_Config.AIX_PoolCPUs", AIX_PoolID as "Nmon_Config.AIX_PoolID", AIX_alt_Machine_SerialNumber as "Nmon_Config.AIX_alt_Machine_SerialNumber", AIX_cpu_type as "Nmon_Config.AIX_cpu_type", AIX_entitled as "Nmon_Config.AIX_entitled", AIX_extracted_PoolCPUs as "Nmon_Config.AIX_extracted_PoolCPUs", AIX_extracted_PoolID as "Nmon_Config.AIX_extracted_PoolID", AIX_kernel_type as "Nmon_Config.AIX_kernel_type", AIX_logicalcores as "Nmon_Config.AIX_logicalcores", AIX_memory_MB as "Nmon_Config.AIX_memory_MB", AIX_pagingspace_MB as "Nmon_Config.AIX_pagingspace_MB", AIX_plateform_firmware_level as "Nmon_Config.AIX_plateform_firmware_level", AIX_processor as "Nmon_Config.AIX_processor", AIX_processor_clockspeed as "Nmon_Config.AIX_processor_clockspeed", AIX_processor_mode as "Nmon_Config.AIX_processor_mode", AIX_std_Machine_SerialNumber as "Nmon_Config.AIX_std_Machine_SerialNumber", AIX_system_active_CPUs as "Nmon_Config.AIX_system_active_CPUs", AIX_system_installed_CPUs as "Nmon_Config.AIX_system_installed_CPUs", AIX_virtualcpus as "Nmon_Config.AIX_virtualcpus", Linux_LEVEL as "Nmon_Config.Linux_LEVEL", Linux_distribution as "Nmon_Config.Linux_distribution", Linux_fullkernel as "Nmon_Config.Linux_fullkernel", Linux_kernel as "Nmon_Config.Linux_kernel", Linux_kernelversion as "Nmon_Config.Linux_kernelversion", Linux_lsb_distibutorid as "Nmon_Config.Linux_lsb_distibutorid", Linux_lsb_distribution as "Nmon_Config.Linux_lsb_distribution", Linux_lsb_releaseid as "Nmon_Config.Linux_lsb_releaseid", Linux_memory_MB as "Nmon_Config.Linux_memory_MB", Linux_memory_kB as "Nmon_Config.Linux_memory_kB", Linux_processor as "Nmon_Config.Linux_processor", Linux_release_distribution as "Nmon_Config.Linux_release_distribution", Linux_swap_MB as "Nmon_Config.Linux_swap_MB", Linux_swap_kB as "Nmon_Config.Linux_swap_kB", Linux_vendor as "Nmon_Config.Linux_vendor", Linux_version as "Nmon_Config.Linux_version", OS as "Nmon_Config.OS", OS_Level as "Nmon_Config.OS_Level", OStype as "Nmon_Config.OStype", Processor as "Nmon_Config.Processor", Solaris_LEVEL as "Nmon_Config.Solaris_LEVEL", Solaris_kernel as "Nmon_Config.Solaris_kernel", Solaris_processor as "Nmon_Config.Solaris_processor", Solaris_processor_clockspeed as "Nmon_Config.Solaris_processor_clockspeed", Solaris_sunOS_version as "Nmon_Config.Solaris_sunOS_version", Solaris_version as "Nmon_Config.Solaris_version", cpu_cores as "Nmon_Config.cpu_cores", cpu_cores_combo as "Nmon_Config.cpu_cores_combo", cpu_cores_position1 as "Nmon_Config.cpu_cores_position1", cpu_cores_position2 as "Nmon_Config.cpu_cores_position2", hostname as "Nmon_Config.hostname", nmon_command as "Nmon_Config.nmon_command", nmon_version as "Nmon_Config.nmon_version", uptime as "Nmon_Config.uptime"
09-25-2018 06:17:18.929 INFO  LookupOperator - Using wildcard matching for field 'host' in lookup table 'dropdownsLookup'
09-25-2018 06:17:18.929 INFO  LookupOperator - Loading lookup table='dropdownsLookup', file size=2301, modtime=1537833607
09-25-2018 06:17:18.930 INFO  LookupOperator - Loading lookup table='nix_endpoint_change_action_lookup', file size=186, modtime=1500632298
09-25-2018 06:17:18.930 INFO  LookupOperator - Loading lookup table='nix_endpoint_change_fs_notification_object_category_lookup', file size=57, modtime=1500632298
09-25-2018 06:17:18.930 INFO  LookupOperator - Loading lookup table='nix_action_lookup', file size=413, modtime=1500632298
09-25-2018 06:17:18.931 INFO  LookupOperator - Loading lookup table='nmon_inventory', file size=0, modtime=1537855205
09-25-2018 06:17:18.931 INFO  LookupOperator - Loading lookup table='ossec_action_lookup', file size=779, modtime=1500632289
09-25-2018 06:17:18.931 INFO  LookupOperator - Loading lookup table='ossec_object_category_lookup', file size=217, modtime=1500632289
09-25-2018 06:17:18.931 INFO  LookupOperator - Loading lookup table='ossec_severities_lookup', file size=180, modtime=1500632289
09-25-2018 06:17:18.932 INFO  LookupOperator - Loading lookup table='rsa_securid_change_status_lookup', file size=54, modtime=1500632290
09-25-2018 06:17:18.932 INFO  LookupOperator - Loading lookup table='rsa_securid_severity_lookup_lookup', file size=84, modtime=1500632290
09-25-2018 06:17:18.932 INFO  LookupOperator - Loading lookup table='rsa_securid_actions_lookup', file size=137, modtime=1500632290
09-25-2018 06:17:18.934 INFO  LookupOperator - Using wildcard matching for field 'category_id' in lookup table 'websense_categories_lookup'
09-25-2018 06:17:18.934 INFO  LookupOperator - Loading lookup table='websense_categories_lookup', file size=6061, modtime=1500632291
09-25-2018 06:17:18.934 INFO  LookupOperator - Loading lookup table='websense_action_lookup', file size=54, modtime=1500632291
09-25-2018 06:17:18.934 INFO  LookupOperator - Using wildcard matching for field 'status' in lookup table 'websense_http_statuses_lookup'
09-25-2018 06:17:18.934 INFO  LookupOperator - Loading lookup table='websense_http_statuses_lookup', file size=1355, modtime=1500632291
09-25-2018 06:17:18.935 INFO  LookupOperator - Loading lookup table='websense_severity_lookup', file size=119, modtime=1500632291
09-25-2018 06:17:18.937 INFO  SearchParser - PARSING: typer | tags
09-25-2018 06:17:18.962 INFO  FastTyper - found nodes count: comparisons=100, unique_comparisons=61, terms=4, unique_terms=4, phrases=12, unique_phrases=12, total leaves=116
09-25-2018 06:17:18.970 INFO  UserManager - Setting user context: admin
09-25-2018 06:17:18.970 INFO  UserManager - Done setting user context: admin -> admin
09-25-2018 06:17:18.970 INFO  FastSearchFilter - Finished initializing IndexScopedFilter - trivial=0, nTerms=0, oTerms=0, host=0, source=0, sourcetype=1, linecount=0 exactCustomCmp=0
09-25-2018 06:17:18.970 INFO  UserManager - Unwound user context: admin -> admin
09-25-2018 06:17:18.970 INFO  BatchSearch - Using Batch Search
09-25-2018 06:17:18.970 INFO  BatchSearch - Clearing any DDM references
09-25-2018 06:17:18.970 INFO  BatchSearch - index: nmon dbsize=0
09-25-2018 06:17:18.970 INFO  UnifiedSearch - Initialization of search data structures took 34 ms
09-25-2018 06:17:18.970 INFO  UnifiedSearch - Processed search targeting arguments
09-25-2018 06:17:18.970 INFO  UnifiedSearch - Processed search targeting arguments
09-25-2018 06:17:18.972 INFO  SortOperator - maxmem = 209715200
09-25-2018 06:17:18.972 INFO  TsidxStats - Getting buckets for index=nmon
09-25-2018 06:17:18.972 INFO  TsidxStats - Using lispy:[ AND nodename::nmon_config ] query_et=1537250400 query_lt=1537856237 info._startTime=1537250400.000000 info._endTime=1537856238.000000
09-25-2018 06:17:18.972 INFO  TsidxStats - Sorting 0 buckets in time descending order
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='(?::){0}*_app_logs' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='(?i)source::....zip(.\d+)?' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='127.0.0.1' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='ActiveDirectory' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='New Text Document-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='PerformanceMonitor' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='Unix:UserAccounts' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='WinNetMonMk' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='WinPrintMon' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='WinRegistry' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='WinWinHostMon' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='singleline' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='_json' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='access_combined' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='access_combined_wcookie' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='access_common' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_manager-7' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_manager-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_manager_controllers-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_manager_eventhandler-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_manager_incidentcontext-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_manager_notifications-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_manager_suppression_helper-2' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_manager_suppression_helper-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_metadata' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='alert_results' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='anaconda' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='anaconda_syslog' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='apache_error' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='asterisk_cdr' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='asterisk_event' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='asterisk_messages' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='asterisk_queue' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='backup_file' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='batch_scripts' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='breakable_text' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='catalina' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='checksplunk' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='cisco:asa' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='cisco_cdr' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='cisco_syslog' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='clavister' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='collectd_http' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='csv' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='cups_access' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='cups_error' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='db2_diag' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='default' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='delayedrule::breakable_text' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='delayedrule::syslog' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='django_access' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='django_error' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='django_service' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='dmesg' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='exchange' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='exim_main' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='exim_reject' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='export_metrics-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='fileTrackerCrcLog' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='first_install-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='nix_endpoint_change_action_lookup' for conf='fs_notification' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='fs_notification' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='nix_endpoint_change_fs_notification_object_category_lookup' for conf='fs_notification' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='ftp' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='generic_single_line' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='http_event_collector_metrics' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='ignored_type' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='iis' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='incident_change' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='jenkins-14' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='json_no_timestamp' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='known_binary' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='kvstore' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='lastlog' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='linux_audit' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='linux_bootlog' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='linux_messages_syslog' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='nix_action_lookup' for conf='linux_secure' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='linux_secure' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='log4j' because the output fields are not referenced.
09-25-2018 06:17:18.983 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='log4net_xml' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='log4php' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='manpage' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='metrics_csv' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='middleware_app_logs' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='midtier_app_logs' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='misc_text' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='mobile_access' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='mongod' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='mysql_slow' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='mysqld' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='mysqld_bin' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='mysqld_error' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon:fromsyslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon_clean:fromsyslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon_collect:fromsyslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon_config' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon_config:fromsyslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='nmon_inventory' for conf='nmon_data' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon_data' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon_data:fromsyslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon_processing' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='nmon_processing:fromsyslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='novell_groupwise' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='openioc' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='oracletype' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='ossec_action_lookup' for conf='ossec' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='ossec' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='ossec_object_category_lookup' for conf='ossec' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='ossec_severities_lookup' for conf='ossec' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_asl' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_crash_log' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_crashreporter' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_daily' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_install' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_monthly' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='nix_action_lookup' for conf='osx_secure' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_secure' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_weekly' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='osx_window_server' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='paladin-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='pdfgen-2' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='pdfgen-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='postfix_syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='preprocess-Z' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='preprocess-bzip' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='preprocess-gzip' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='preprocess-tar' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='preprocess-targz' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='preprocess-winevt' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='preprocess-zip' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='procmail' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='psv' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-10' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-11' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-12' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-13' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-2' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-3' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-4' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-5' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-6' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-7' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-8' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-9' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-10' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-2' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-3' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-4' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-5' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-6' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-7' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-8' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='python_modular_input.log-9' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rpmpkgs' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='rsa_securid_change_status_lookup' for conf='rsa:securid:admin:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='rsa_securid_severity_lookup_lookup' for conf='rsa:securid:admin:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rsa:securid:admin:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='rsa_securid_actions_lookup' for conf='rsa:securid:runtime:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='rsa_securid_change_status_lookup' for conf='rsa:securid:runtime:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='rsa_securid_severity_lookup_lookup' for conf='rsa:securid:runtime:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rsa:securid:runtime:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rsa:securid:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='rsa_securid_severity_lookup_lookup' for conf='rsa:securid:system:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rsa:securid:system:syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='ruby_on_rails' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rule::access_combined' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rule::access_combined_wcookie' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rule::access_common' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rule::exim_main' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rule::postfix_syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rule::sendmail_syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='rule::snort' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='sar' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='scHeadlinesHandler-too_small' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='scheduler' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='searches' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='sendmail_syslog' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='simontest' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='snort' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='source::(?:::){0}*invocationEvents.log' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='source::...((.(bak|old))|,v|~|#)' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='source::....(0t|a|ali|asa|au|bmp|cg|cgi|class|d|dat|deb|del|dot|dvi|dylib|elc|eps|exe|ftn|gif|hlp|hqx|hs|icns|ico|inc|iso|jame|jin|jpeg|jpg|kml|la|lhs|lib|lo|lock|mcp|mid|mp3|mpg|msf|nib|o|obj|odt|ogg|ook|opt|os|pal|pbm|pdf|pem|pgm|plo|png|po|pod|pp|ppd|ppm|ppt|prc|ps|psd|psym|pyc|pyd|rast|rb|rde|rdf|rdr|rgb|ro|rpm|rsrc|so|ss|stg|strings|tdt|tif|tiff|tk|uue|vhd|xbm|xlb|xls|xlw)' because the output fields are not referenced.
09-25-2018 06:17:18.984 INFO  LookupOperator - Disabling automatic lookup of table='dropdownsLookup' for conf='source::....(? NULL
09-25-2018 06:17:18.996 INFO  UserManager - Setting user context: admin
09-25-2018 06:17:18.996 INFO  UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:18.996 INFO  UserManager - Unwound user context: admin -> NULL
09-25-2018 06:17:18.996 INFO  UserManager - Unwound user context: admin -> NULL
09-25-2018 06:17:18.996 INFO  UserManager - Unwound user context: admin -> NULL
09-25-2018 06:17:18.996 INFO  UserManager - Unwound user context: admin -> NULL
09-25-2018 06:17:18.996 INFO  UserManager - Unwound user context: admin -> NULL
09-25-2018 06:17:18.996 INFO  UserManager - Unwound user context: admin -> NULL
09-25-2018 06:17:19.011 INFO  UserManager - Unwound user context: admin -> NULL
09-25-2018 06:17:19.013 INFO  UserManager - Setting user context: admin
09-25-2018 06:17:19.013 INFO  UserManager - Done setting user context: NULL -> admin
09-25-2018 06:17:19.013 INFO  UserManager - Unwound user context: admin -> NULL
09-25-2018 06:17:19.013 INFO  DispatchManager - DispatchManager::dispatchHasFinished(id='adminadminnmon_RMD50bf1c9c79bc13548_at_1537856238_13363_D23FC9B5-262E-422F-81CF-45B5F5C63769', username='admin')
09-25-2018 06:17:19.018 INFO  UserManager - Unwound user context: admin -> NULL
 
		
		
		
		
		
	
			
		
		
			
					
		hi @venkat_16
Did the answer below help solve your problem? If so, please resolve approving it. 
If your problem is still not solved, keep us updated so that someone else can help ya.
Thanks!
Couple of stuff to make suref:
1. both Search head and Indexer are on same version
2. Bundles are the one which are used everytime you hit the search/submit. 
reduce ur bundle size by avoiding unnecessary files/lookups. 
3. Disk space, clean the old saved searches which are in pipeline from dispatch.
restart the splunk services. 
 
					
				
		
Check if all your splunk servers are at same version...i.e. check each Indexer,SH and HF splunk version is same.
Yes all the splunk servers are running at 7.0.0.
