hi, i am running a query index="dataload" in search and i want to transfer it result in empty python file ..For that i hv uploaded a python sdk and created an empty file in aap-search-bin folder.. but i dont know the correct way,how can i transfer my search result to empty python file,i hv to again perform some operation on this python file..but first want to transfer my search result in python file index="dataload" | tabel python.py like this..... ... View more

hi, i have installed python sdk and in ./splunkrc file given user name and passwd so that it can connect my splunk ..i have a index name called test. so what should be my search so that by using my python sdk i can call that index content ... View more

hi , in my log files their is field known as CPU TIME.. which has values:- Jan 16 12:51:35 Phase 1 ended (674 seconds) CPU TIME status skew vertex 0.127 [ :12] 0% DLY_INT_Aggregate.abc 3.648 [ : 1] 0% DLY_INT_Aggregate.mpp 185.167 [ :12] 2% DLY_INT_Aggregate.nhu 1132.38 [ :12] 25% DLY_INT_Aggregate.nhr like this,there 1000 number of values of differnt phases, but when i am trying to extract that by picking any of the value like 0.127 it not picking up the entire set, more over when i am extracting cpu time by passing highest value like 1132.38 it showing an error regex can be generated.. ao what should be the regex so that it can extract all the cpu fields values. ... View more

hi, these are my sample log file-: < Jul 15 23:48:33 Phase 0 running (1132 seconds) CPU Time Status Skew Vertex 0.046 [ : 1] 0% Audit.XYX 0.135 [ : 1] 0% Audit.PQR 7.955 [ :12] 0% LMNOP Data Bytes Records Status Flow 712 4 [ : : 1] 0% Audit.Flow1 712 4 [ : : 1] 0% Audit.Flow2 0 0 [ : : 12] 0% Flow_1 0 0 [ : : 12] 0% Flow_10 41,417,795 264,261 [ : : 12] 1% Flow_11 41,417,795 264,261 [ : : 12] 1% Flow_11 1,746,882,294 3,158,255 [ : : 12] 0% Flow_12 Jul 15 23:48:33 Phase 0 running (1132 seconds) CPU Time Status Skew Vertex 0.046 [ : 1] 0% Audit.XYX 0.135 [ : 1] 0% Audit.PQR 7.955 [ :12] 0% LMNOP Data Bytes Records Status Flow 712 4 [ : : 1] 0% Audit.Flow1 712 4 [ : : 1] 0% Audit.Flow2 0 0 [ : : 12] 0% Flow_1 0 0 [ : : 12] 0% Flow_10 41,417,795 264,261 [ : : 12] 1% Flow_11 41,417,795 264,261 [ : : 12] 1% Flow_11 1,746,882,294 3,158,255 [ : : 12] 0% Flow_12 Jul 15 23:48:33 Phase 0 ended (1132 seconds) CPU Time Status Skew Vertex 0.046 [ : 1] 0% Audit.XYX 0.135 [ : 1] 0% Audit.PQR 7.955 [ :12] 0% LMNOP Data Bytes Records Status Flow 712 4 [ : : 1] 0% Audit.Flow1 712 4 [ : : 1] 0% Audit.Flow2 0 0 [ : : 12] 0% Flow_1 0 0 [ : : 12] 0% Flow_10 41,417,795 264,261 [ : : 12] 1% Flow_11 41,417,795 264,261 [ : : 12] 1% Flow_11 1,746,882,294 3,158,255 [ : : 12] 0% Flow_12 Jul 15 23:48:33 Phase 1 running (1132 seconds) CPU Time Status Skew Vertex 0.046 [ : 1] 0% Audit.XYX 0.135 [ : 1] 0% Audit.PQR 7.955 [ :12] 0% LMNOP Data Bytes Records Status Flow 712 4 [ : : 1] 0% Audit.Flow1 712 4 [ : : 1] 0% Audit.Flow2 0 0 [ : : 12] 0% Flow_1 0 0 [ : : 12] 0% Flow_10 41,417,795 264,261 [ : : 12] 1% Flow_11 41,417,795 264,261 [ : : 12] 1% Flow_11 1,746,882,294 3,158,255 [ : : 12] 0% Flow_12 consisting of phase (0,1) running,started and ended. i want to calculate max cpu time took by a particular vertex when the phase ended and max data bytes consumed by flow. so i have created regex for the field extraction,the log files that we have is from unix environment. DOS expression for required data set : .* Phase \d ended.\r\n(.\r\n)*-{80}\r\n-{80} Unix expression for required data set : .* Phase \d ended.\n(.\n)*-{80}\n-{80} but this is not working as expected.Splunk does not extract the given pattern as a record. record that we are interested in is described int regex above. the result looks like Jul 15 23:48:33 Phase 0 ended (1132 seconds) CPU Time Status Skew Vertex 0.046 [ : 1] 0% Audit.XYX 0.135 [ : 1] 0% Audit.PQR 7.955 [ :12] 0% LMNOP Data Bytes Records Status Flow 712 4 [ : : 1] 0% Audit.Flow1 712 4 [ : : 1] 0% Audit.Flow2 0 0 [ : : 12] 0% Flow_1 0 0 [ : : 12] 0% Flow_10 41,417,795 264,261 [ : : 12] 1% Flow_11 41,417,795 264,261 [ : : 12] 1% Flow_11 1,746,882,294 3,158,255 [ : : 12] 0% Flow_12 also when we try to extract fields for CPU TIME of ended phases Splunk expression generator randomly picks up some numbers across different phases.. what si the best way to 1)ensure splunk considers only ended phases as distinct records 2)for every ended records extract fields like cpu time,vertex,flow etc > ... View more

hi, when i run a following command it index="New" "Phase * ended" | table phase_0_ended,phase-1-ended,datetime it gives following output phase_0_ended phase_1_ended datetime 1120 secs 1150 secs 12 jan 12:33:42 1148 secs 1130 secs 12 jan 12:36:51 secs now i want to make another column which can add up phase_0_ended and phase_1_ended value of 1 row means(1120+1150) sec to give the result.. ... View more

hi, by running this query in search field index="New" "Phase * ended" | table phaseinformation , phase_ended , datetime | rename datetime as DATE , phaseinformation as Phase_Info , phase_ended as Phase_End_Time | sort Phase_End_Time by desc i got the following output Phase_info Phase_End_Time DATE phase 1 ended 1200 secs jul 16 12:04:44 phase 0 ended 1000 secs jul 16 11:02:48 now i can make chart of this by simply clicking on reports..but i am not able to get clear representation of phase_info on x axis and phase_end_time on y axis.... so need to make a clear graph.. ... View more

hi, in my log files there is a field name cpu time with different time values like 57.682 sec,0.572 sec and among the highest it is 1133.982 secs when i am trying to extract 1133.982,it showing me the message.. No regex could be learned. Try providing different examples or restriction so how can i extract this field ... View more