splunk-sdk-ruby 0.1.0

Files changed (81) hide show
  1. data/CHANGELOG.md +160 -0
  2. data/Gemfile +8 -0
  3. data/LICENSE +177 -0
  4. data/README.md +310 -0
  5. data/Rakefile +40 -0
  6. data/examples/1_connect.rb +51 -0
  7. data/examples/2_manage.rb +103 -0
  8. data/examples/3_blocking_searches.rb +82 -0
  9. data/examples/4_asynchronous_searches.rb +79 -0
  10. data/examples/5_stream_data_to_splunk.rb +79 -0
  11. data/lib/splunk-sdk-ruby.rb +47 -0
  12. data/lib/splunk-sdk-ruby/ambiguous_entity_reference.rb +28 -0
  13. data/lib/splunk-sdk-ruby/atomfeed.rb +323 -0
  14. data/lib/splunk-sdk-ruby/collection.rb +417 -0
  15. data/lib/splunk-sdk-ruby/collection/apps.rb +35 -0
  16. data/lib/splunk-sdk-ruby/collection/case_insensitive_collection.rb +58 -0
  17. data/lib/splunk-sdk-ruby/collection/configuration_file.rb +50 -0
  18. data/lib/splunk-sdk-ruby/collection/configurations.rb +80 -0
  19. data/lib/splunk-sdk-ruby/collection/jobs.rb +136 -0
  20. data/lib/splunk-sdk-ruby/collection/messages.rb +51 -0
  21. data/lib/splunk-sdk-ruby/context.rb +522 -0
  22. data/lib/splunk-sdk-ruby/entity.rb +260 -0
  23. data/lib/splunk-sdk-ruby/entity/index.rb +191 -0
  24. data/lib/splunk-sdk-ruby/entity/job.rb +339 -0
  25. data/lib/splunk-sdk-ruby/entity/message.rb +36 -0
  26. data/lib/splunk-sdk-ruby/entity/saved_search.rb +71 -0
  27. data/lib/splunk-sdk-ruby/entity/stanza.rb +45 -0
  28. data/lib/splunk-sdk-ruby/entity_not_ready.rb +26 -0
  29. data/lib/splunk-sdk-ruby/illegal_operation.rb +27 -0
  30. data/lib/splunk-sdk-ruby/namespace.rb +239 -0
  31. data/lib/splunk-sdk-ruby/resultsreader.rb +716 -0
  32. data/lib/splunk-sdk-ruby/service.rb +339 -0
  33. data/lib/splunk-sdk-ruby/splunk_http_error.rb +49 -0
  34. data/lib/splunk-sdk-ruby/synonyms.rb +50 -0
  35. data/lib/splunk-sdk-ruby/version.rb +27 -0
  36. data/lib/splunk-sdk-ruby/xml_shim.rb +117 -0
  37. data/splunk-sdk-ruby.gemspec +27 -0
  38. data/test/atom_test_data.rb +472 -0
  39. data/test/data/atom/atom_feed_with_message.xml +19 -0
  40. data/test/data/atom/atom_with_feed.xml +99 -0
  41. data/test/data/atom/atom_with_several_entries.xml +101 -0
  42. data/test/data/atom/atom_with_simple_entries.xml +30 -0
  43. data/test/data/atom/atom_without_feed.xml +248 -0
  44. data/test/data/export/4.2.5/export_results.xml +88 -0
  45. data/test/data/export/4.3.5/export_results.xml +87 -0
  46. data/test/data/export/5.0.1/export_results.xml +78 -0
  47. data/test/data/export/5.0.1/nonreporting.xml +232 -0
  48. data/test/data/results/4.2.5/results-empty.xml +0 -0
  49. data/test/data/results/4.2.5/results-preview.xml +255 -0
  50. data/test/data/results/4.2.5/results.xml +336 -0
  51. data/test/data/results/4.3.5/results-empty.xml +0 -0
  52. data/test/data/results/4.3.5/results-preview.xml +1057 -0
  53. data/test/data/results/4.3.5/results.xml +626 -0
  54. data/test/data/results/5.0.2/results-empty.xml +1 -0
  55. data/test/data/results/5.0.2/results-empty_preview.xml +1 -0
  56. data/test/data/results/5.0.2/results-preview.xml +448 -0
  57. data/test/data/results/5.0.2/results.xml +501 -0
  58. data/test/export_test_data.json +360 -0
  59. data/test/resultsreader_test_data.json +1119 -0
  60. data/test/services.server.info.xml +43 -0
  61. data/test/services.xml +111 -0
  62. data/test/test_atomfeed.rb +71 -0
  63. data/test/test_collection.rb +278 -0
  64. data/test/test_configuration_file.rb +124 -0
  65. data/test/test_context.rb +119 -0
  66. data/test/test_entity.rb +95 -0
  67. data/test/test_helper.rb +250 -0
  68. data/test/test_http_error.rb +52 -0
  69. data/test/test_index.rb +91 -0
  70. data/test/test_jobs.rb +319 -0
  71. data/test/test_messages.rb +17 -0
  72. data/test/test_namespace.rb +188 -0
  73. data/test/test_restarts.rb +49 -0
  74. data/test/test_resultsreader.rb +106 -0
  75. data/test/test_roles.rb +41 -0
  76. data/test/test_saved_searches.rb +119 -0
  77. data/test/test_service.rb +65 -0
  78. data/test/test_users.rb +33 -0
  79. data/test/test_xml_shim.rb +28 -0
  80. data/test/testfile.txt +1 -0
  81. metadata +200 -0
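--- a/data/test/export_test_data.json
+++ b/data/test/export_test_data.json
@@ -0,0 +1,360 @@
+ {
+ "4.2.5": {
+ "with_preview": [
+ {
+ "is_preview": true,
+ "fields": ["method", "count(_raw)"],
+ "messages": [
+ {
+ "type": "DEBUG",
+ "value": "base lispy: [ AND index::_internal ]"
+ },
+ {
+ "type": "DEBUG",
+ "value": "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Users/fross/splunks/splunk-4.2.5.6/etc\""
+ }
+ ],
+ "results": [
+ {
+ "method": "GET",
+ "count(_raw)": "16"
+ },
+ {
+ "method": "POST",
+ "count(_raw)": "3"
+ }
+ ]
+ },
+ {
+ "is_preview": true,
+ "fields": ["method", "count(_raw)"],
+ "messages": [
+ {
+ "type": "DEBUG",
+ "value": "base lispy: [ AND index::_internal ]"
+ },
+ {
+ "type": "DEBUG",
+ "value": "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Users/fross/splunks/splunk-4.2.5.6/etc\""
+ }
+ ],
+ "results": [
+ {
+ "method": "GET",
+ "count(_raw)": "16"
+ },
+ {
+ "method": "POST",
+ "count(_raw)": "7"
+ }
+ ]
+ },
+ {
+ "is_preview": false,
+ "fields": ["method", "count(_raw)"],
+ "messages": [
+ {
+ "type": "DEBUG",
+ "value": "base lispy: [ AND index::_internal ]"
+ },
+ {
+ "type": "DEBUG",
+ "value": "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Users/fross/splunks/splunk-4.2.5.6/etc\""
+ }
+ ],
+ "results": [
+ {
+ "method": "GET",
+ "count(_raw)": "16"
+ },
+ {
+ "method": "POST",
+ "count(_raw)": "7"
+ }
+ ]
+ }
+ ],
+ "without_preview": {
+ "is_preview": false,
+ "fields": ["method", "count(_raw)"],
+ "messages": [
+ {
+ "type": "DEBUG",
+ "value": "base lispy: [ AND index::_internal ]"
+ },
+ {
+ "type": "DEBUG",
+ "value": "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Users/fross/splunks/splunk-4.2.5.6/etc\""
+ }
+ ],
+ "results": [
+ {
+ "method": "GET",
+ "count(_raw)": "16"
+ },
+ {
+ "method": "POST",
+ "count(_raw)": "7"
+ }
+ ]
+ }
+ },
+ "4.3.5": {
+ "with_preview": [
+ {
+ "is_preview": true,
+ "fields": ["method", "count(_raw)"],
+ "messages": [
+ {
+ "type": "DEBUG",
+ "value": "base lispy: [ AND index::_internal ]"
+ },
+ {
+ "type": "DEBUG",
+ "value": "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Users/fross/splunks/splunk-4.3.5/etc\""
+ }
+ ],
+ "results": [
+ {
+ "method": "GET",
+ "count(_raw)": "37"
+ },
+ {
+ "method": "POST",
+ "count(_raw)": "5"
+ }
+ ]
+ },
+ {
+ "is_preview": true,
+ "fields": ["method", "count(_raw)"],
+ "messages": [
+ {
+ "type": "DEBUG",
+ "value": "base lispy: [ AND index::_internal ]"
+ },
+ {
+ "type": "DEBUG",
+ "value": "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Users/fross/splunks/splunk-4.3.5/etc\""
+ }
+ ],
+ "results": [
+ {
+ "method": "GET",
+ "count(_raw)": "41"
+ },
+ {
+ "method": "POST",
+ "count(_raw)": "6"
+ }
+ ]
+ },
+ {
+ "is_preview": false,
+ "fields": ["method", "count(_raw)"],
+ "messages": [
+ {
+ "type": "DEBUG",
+ "value": "base lispy: [ AND index::_internal ]"
+ },
+ {
+ "type": "DEBUG",
+ "value": "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Users/fross/splunks/splunk-4.3.5/etc\""
+ }
+ ],
+ "results": [
+ {
+ "method": "GET",
+ "count(_raw)": "41"
+ },
+ {
+ "method": "POST",
+ "count(_raw)": "6"
+ }
+ ]
+ }
+ ],
+ "without_preview": {
+ "is_preview": false,
+ "fields": ["method", "count(_raw)"],
+ "messages": [
+ {
+ "type": "DEBUG",
+ "value": "base lispy: [ AND index::_internal ]"
+ },
+ {
+ "type": "DEBUG",
+ "value": "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Users/fross/splunks/splunk-4.3.5/etc\""
+ }
+ ],
+ "results": [
+ {
+ "method": "GET",
+ "count(_raw)": "41"
+ },
+ {
+ "method": "POST",
+ "count(_raw)": "6"
+ }
+ ]
+ }
+ },
+ "5.0.1": {
+ "nonreporting": [
+ {
+ "is_preview": false,
+ "fields": ["_bkt", "_cd", "_indextime", "_raw", "_serial", "_si",
+ "_sourcetype", "_subsecond", "_time", "host", "index",
+ "linecount", "source", "sourcetype", "splunk_server"],
+ "results": [
+ {
+ "_bkt": "_internal~1~BC03CEFB-A9C5-4DF5-9D8D-2558AD6E6EA9",
+ "_cd": "1:4419005",
+ "_indextime": "1360608181",
+ "_raw": "02-11-2013 10:43:01.060 -0800 INFO Metrics - group=tpool, name=indexertpool, qsize=0, workers=6, qwork_units=0",
+ "_serial": "0",
+ "_si": ["fross-mbp15.local", "_internal"],
+ "_sourcetype": "splunkd",
+ "_subsecond": ".060",
+ "_time": "2013-02-11 10:43:01.060 PST",
+ "host": "fross-mbp15.local",
+ "index": "_internal",
+ "linecount": "1",
+ "source": "/Users/fross/splunks/splunk-5.0.2/var/log/splunk/metrics.log",
+ "sourcetype": "splunkd",
+ "splunk_server": "fross-mbp15.local"
+ },
+ {
+ "_bkt": "_internal~1~BC03CEFB-A9C5-4DF5-9D8D-2558AD6E6EA9",
+ "_cd": "1:4418999",
+ "_indextime": "1360608181",
+ "_raw": "02-11-2013 10:43:01.060 -0800 INFO Metrics - group=tpool, name=bundlereplthreadpool, qsize=0, workers=0, qwork_units=0",
+ "_serial": "1",
+ "_si": ["fross-mbp15.local", "_internal"],
+ "_sourcetype": "splunkd",
+ "_subsecond": ".060",
+ "_time": "2013-02-11 10:43:01.060 PST",
+ "host": "fross-mbp15.local",
+ "index": "_internal",
+ "linecount": "1",
+ "source": "/Users/fross/splunks/splunk-5.0.2/var/log/splunk/metrics.log",
+ "sourcetype": "splunkd",
+ "splunk_server": "fross-mbp15.local"
+ },
+ {
+ "_bkt": "_internal~1~BC03CEFB-A9C5-4DF5-9D8D-2558AD6E6EA9",
+ "_cd": "1:4418632",
+ "_indextime": "1360608170",
+ "_raw": "127.0.0.1 - admin [11/Feb/2013:10:42:49.790 -0800] \"POST /services/search/jobs/export HTTP/1.1\" 200 440404 - - - 257ms",
+ "_serial": "51",
+ "_si": ["fross-mbp15.local", "_internal"],
+ "_sourcetype": "splunkd_access",
+ "_subsecond": ".790",
+ "_time": "2013-02-11 10:42:49.790 PST",
+ "host": "fross-mbp15.local",
+ "index": "_internal",
+ "linecount": "1",
+ "source": "/Users/fross/splunks/splunk-5.0.2/var/log/splunk/splunkd_access.log",
+ "sourcetype": "splunkd_access",
+ "splunk_server": "fross-mbp15.local"
+ },
+ {
+ "_bkt": "_internal~1~BC03CEFB-A9C5-4DF5-9D8D-2558AD6E6EA9",
+ "_cd": "1:4418626",
+ "_indextime": "1360608157",
+ "_raw": "127.0.0.1 - admin [11/Feb/2013:10:42:36.527 -0800] \"POST /services/search/jobs/export HTTP/1.1\" 200 4937 - - - 219ms",
+ "_serial": "52",
+ "_si": ["fross-mbp15.local", "_internal"],
+ "_sourcetype": "splunkd_access",
+ "_subsecond": ".527",
+ "_time": "2013-02-11 10:42:36.527 PST",
+ "host": "fross-mbp15.local",
+ "index": "_internal",
+ "linecount": "1",
+ "source": "/Users/fross/splunks/splunk-5.0.2/var/log/splunk/splunkd_access.log",
+ "sourcetype": "splunkd_access",
+ "splunk_server": "fross-mbp15.local"
+ }
+ ]
+ }
+ ],
+ "with_preview": [
+ {
+ "is_preview": true,
+ "fields": ["method", "count(_raw)"],
+ "results": [
+ {
+ "method": "GET",
+ "count(_raw)": "3544"
+ },
+ {
+ "method": "POST",
+ "count(_raw)": "437"
+ }
+ ]
+ },
+ {
+ "is_preview": true,
+ "fields": ["method", "count(_raw)"],
+ "results": [
+ {
+ "method": "GET",
+ "count(_raw)": "3544"
+ },
+ {
+ "method": "POST",
+ "count(_raw)": "437"
+ }
+ ]
+ },
+ {
+ "is_preview": false,
+ "fields": ["method", "count(_raw)"],
+ "messages": [
+ {
+ "type": "DEBUG",
+ "value": "base lispy: [ AND index::_internal ]"
+ },
+ {
+ "type": "DEBUG",
+ "value": "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Users/fross/splunks/splunk-5.0.2/etc\""
+ }
+ ],
+ "results": [
+ {
+ "method": "GET",
+ "count(_raw)": "3544"
+ },
+ {
+ "method": "POST",
+ "count(_raw)": "437"
+ }
+ ]
+ }
+ ],
+ "without_preview": {
+ "is_preview": false,
+ "fields": ["method", "count(_raw)"],
+ "messages": [
+ {
+ "type": "DEBUG",
+ "value": "base lispy: [ AND index::_internal ]"
+ },
+ {
+ "type": "DEBUG",
+ "value": "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Users/fross/splunks/splunk-5.0.2/etc\""
+ }
+ ],
+ "results": [
+ {
+ "method": "GET",
+ "count(_raw)": "3544"
+ },
+ {
+ "method": "POST",
+ "count(_raw)": "437"
+ }
+ ]
+ }
+ }
+ }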
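Review bot: The fixture values throughout this file appear to be captured verbatim from a developer workstation: the `search context` messages carry `bs-pathname=\"/Users/fross/splunks/...\"`, and the `5.0.1` `nonreporting` results carry the hostname `fross-mbp15.local` in `host`, `splunk_server` and `_si`, plus raw `splunkd_access` lines naming the requesting user. Because the file sits under `data/test/` in the packaged gem, every installer receives it. Neutral placeholders (constructed examples: `"host": "splunk.example.test"`, `"source": "/opt/splunk/var/log/splunk/metrics.log"`) would serve the same purpose, provided the XML fixtures these expectations are presumably compared against are changed identically. The `resultsreader_test_data.json` hunk that follows shows the same pattern and also embeds referer URLs, search job ids and what look like session-style tokens in `_raw` and `other`, so it deserves the same scrub. Leaving `test/` out of the gemspec's file list would also keep such captures out of the published package.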
@@ -0,0 +1,1119 @@
1
+ {
2
+ "5.0.2": {
3
+ "results": {
4
+ "is_preview": false,
5
+ "fields": ["_bkt", "_cd", "_indextime", "_kv", "_raw", "_serial",
6
+ "_si", "_sourcetype", "_subsecond", "_time",
7
+ "abandoned_channels", "active_hist_searches",
8
+ "active_realtime_searches", "average_kbps", "avg_age",
9
+ "bytes", "chillOrFreeze", "clientip", "component",
10
+ "cookie", "current_size", "current_size_kb", "date_hour",
11
+ "date_mday", "date_minute", "date_month", "date_second",
12
+ "date_wday", "date_year", "date_zone", "drop_count",
13
+ "eps", "ev", "eventtype", "file", "flushBlockSig",
14
+ "fork_recovermetadata", "group", "host", "ident",
15
+ "inactive_channels", "index", "instantaneous_eps",
16
+ "instantaneous_kbps", "kb", "kbps", "largest_size",
17
+ "linecount", "load_average", "log_level", "max_age",
18
+ "max_size_kb", "message", "method", "name",
19
+ "namespace", "new_channels", "numMsgs", "other",
20
+ "punct", "qsize", "qwork_units", "rebuild_metadata",
21
+ "reclaimed_channels", "referer", "referer_domain",
22
+ "removed_channels", "replicate_semislice",
23
+ "req_time", "retryMove_1hotBkt", "roll_hotBkt",
24
+ "root", "series", "service_externProc",
25
+ "service_maxSizes", "service_volumes", "sid",
26
+ "size_hotBkt", "smallest_size", "source",
27
+ "sourcetype", "spent", "splunk_server", "status",
28
+ "sync_hotBkt", "task", "throttle_optimize",
29
+ "timedout_channels", "timeendpos", "timestartpos",
30
+ "total_k_processed", "update_bktManifest",
31
+ "update_checksums", "uri", "uri_domain", "uri_path",
32
+ "uri_query", "user", "useragent", "version",
33
+ "workers"],
34
+ "results": [
35
+ {
36
+ "_bkt": "_internal~21~D8F318D9-5D7F-43B5-911F-9821FBAEEA9B",
37
+ "_cd": "21:59296",
38
+ "_indextime": "1355946377",
39
+ "_kv": "1",
40
+ "_raw": "127.0.0.1 - admin [19/Dec/2012:11:46:15.549 -0800] \"GET /services/messages HTTP/1.1\" 200 1984 - - - 1ms",
41
+ "_serial": "0",
42
+ "_si": ["fross-mbp15.local", "_internal"],
43
+ "_sourcetype": "splunkd_access",
44
+ "_subsecond": ".549",
45
+ "_time": "2012-12-19T11:46:15.549-08:00",
46
+ "bytes": "1984",
47
+ "clientip": "127.0.0.1",
48
+ "date_hour": "11",
49
+ "date_mday": "19",
50
+ "date_minute": "46",
51
+ "date_month": "december",
52
+ "date_second": "15",
53
+ "date_wday": "wednesday",
54
+ "date_year": "2012",
55
+ "date_zone": "-480",
56
+ "eventtype": "splunkd-access",
57
+ "file": "messages",
58
+ "host": "fross-mbp15.local",
59
+ "ident": "-",
60
+ "index": "_internal",
61
+ "linecount": "1",
62
+ "method": "GET",
63
+ "other": "- - - 1ms",
64
+ "punct": "..._-__[//:::._-]_\"_//_/.\"___-_-_-_",
65
+ "req_time": "19/Dec/2012:11:46:15.549 -0800",
66
+ "root": "services",
67
+ "source": "/Users/fross/splunks/splunk-5.0.2/var/log/splunk/splunkd_access.log",
68
+ "sourcetype": "splunkd_access",
69
+ "spent": "1",
70
+ "splunk_server": "fross-mbp15.local",
71
+ "status": "200",
72
+ "timeendpos": "49",
73
+ "timestartpos": "19",
74
+ "uri": "/services/messages",
75
+ "uri_path": "/services/messages",
76
+ "user": "admin",
77
+ "version": "HTTP/1.1"
78
+ },
79
+ {
80
+ "_bkt": "_internal~21~D8F318D9-5D7F-43B5-911F-9821FBAEEA9B",
81
+ "_cd": "21:59301",
82
+ "_indextime": "1355946377",
83
+ "_kv": "1",
84
+ "_raw": "127.0.0.1 - admin [19/Dec/2012:11:46:15.544 -0800] \"GET /en-US/api/messages/index HTTP/1.1\" 200 341 \"http://localhost:8000/en-US/search/inspector?sid=1355946305.42&namespace=search\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20100101 Firefox/17.0\" - 50d219878b6ae2790 7ms",
85
+ "_serial": "1",
86
+ "_si": ["fross-mbp15.local", "_internal"],
87
+ "_sourcetype": "splunk_web_access",
88
+ "_subsecond": ".544",
89
+ "_time": "2012-12-19T11:46:15.544-08:00",
90
+ "bytes": "341",
91
+ "clientip": "127.0.0.1",
92
+ "date_hour": "11",
93
+ "date_mday": "19",
94
+ "date_minute": "46",
95
+ "date_month": "december",
96
+ "date_second": "15",
97
+ "date_wday": "wednesday",
98
+ "date_year": "2012",
99
+ "date_zone": "-480",
100
+ "file": "index",
101
+ "host": "fross-mbp15.local",
102
+ "ident": "-",
103
+ "index": "_internal",
104
+ "linecount": "1",
105
+ "method": "GET",
106
+ "namespace": "search",
107
+ "other": "- 50d219878b6ae2790 7ms",
108
+ "punct": "..._-__[//:::._-]_\"_/-///_/.\"___\"://:/-//?=.&=\"_\"/",
109
+ "referer": "http://localhost:8000/en-US/search/inspector?sid=1355946305.42&namespace=search",
110
+ "referer_domain": "http://localhost:8000",
111
+ "req_time": "19/Dec/2012:11:46:15.544 -0800",
112
+ "root": "en-US",
113
+ "sid": "1355946305.42",
114
+ "source": "/Users/fross/splunks/splunk-5.0.2/var/log/splunk/web_access.log",
115
+ "sourcetype": "splunk_web_access",
116
+ "spent": "7",
117
+ "splunk_server": "fross-mbp15.local",
118
+ "status": "200",
119
+ "timeendpos": "49",
120
+ "timestartpos": "19",
121
+ "uri": "/en-US/api/messages/index",
122
+ "uri_path": "/en-US/api/messages/index",
123
+ "user": "admin",
124
+ "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20100101 Firefox/17.0",
125
+ "version": "HTTP/1.1"
126
+ },
127
+ {
128
+ "_bkt": "_internal~21~D8F318D9-5D7F-43B5-911F-9821FBAEEA9B",
129
+ "_cd": "21:59281",
130
+ "_indextime": "1355946374",
131
+ "_kv": "1",
132
+ "_raw": "127.0.0.1 - admin [19/Dec/2012:11:46:14.260 -0800] \"GET /services/messages HTTP/1.1\" 200 1984 - - - 1ms",
133
+ "_serial": "2",
134
+ "_si": ["fross-mbp15.local", "_internal"],
135
+ "_sourcetype": "splunkd_access",
136
+ "_subsecond": ".260",
137
+ "_time": "2012-12-19T11:46:14.260-08:00",
138
+ "bytes": "1984",
139
+ "clientip": "127.0.0.1",
140
+ "date_hour": "11",
141
+ "date_mday": "19",
142
+ "date_minute": "46",
143
+ "date_month": "december",
144
+ "date_second": "14",
145
+ "date_wday": "wednesday",
146
+ "date_year": "2012",
147
+ "date_zone": "-480",
148
+ "eventtype": "splunkd-access",
149
+ "file": "messages",
150
+ "host": "fross-mbp15.local",
151
+ "ident": "-",
152
+ "index": "_internal",
153
+ "linecount": "1",
154
+ "method": "GET",
155
+ "other": "- - - 1ms",
156
+ "punct": "..._-__[//:::._-]_\"_//_/.\"___-_-_-_",
157
+ "req_time": "19/Dec/2012:11:46:14.260 -0800",
158
+ "root": "services",
159
+ "source": "/Users/fross/splunks/splunk-5.0.2/var/log/splunk/splunkd_access.log",
160
+ "sourcetype": "splunkd_access",
161
+ "spent": "1",
162
+ "splunk_server": "fross-mbp15.local",
163
+ "status": "200",
164
+ "timeendpos": "49",
165
+ "timestartpos": "19",
166
+ "uri": "/services/messages",
167
+ "uri_path": "/services/messages",
168
+ "user": "admin",
169
+ "version": "HTTP/1.1"
170
+ }
171
+ ]
172
+ },
173
+ "results-preview": {
174
+ "is_preview": true,
175
+ "fields": ["_bkt", "_cd", "_confstr", "_indextime", "_kv", "_raw",
176
+ "_serial", "_si", "_sourcetype", "_subsecond", "_time",
177
+ "abandoned_channels", "active_hist_searches",
178
+ "active_realtime_searches", "app", "appCodeName",
179
+ "appName", "appVersion", "average_kbps", "avg_age",
180
+ "browser", "bytes", "chillOrFreeze", "class",
181
+ "client_app", "clientip", "component", "count",
182
+ "current_size", "current_size_kb", "date_hour",
183
+ "date_mday", "date_minute", "date_month", "date_second",
184
+ "date_wday", "date_year", "date_zone", "delimiter",
185
+ "digest", "dispatched", "display_row_numbers",
186
+ "drop_count", "earliest", "enable_event_actions",
187
+ "enable_field_actions", "entity_name", "eps", "ev",
188
+ "eventtype", "field_list", "fields", "file",
189
+ "fillcontents", "flushBlockSig", "fork_recovermetadata",
190
+ "group", "host", "ident", "inactive_channels", "index",
191
+ "instantaneous_eps", "instantaneous_kbps", "jobStatus",
192
+ "kb", "kbps", "largest_size", "latest", "line",
193
+ "linecount", "load_average", "log_level", "max_age",
194
+ "max_lines", "max_lines_constraint", "max_size_kb",
195
+ "message", "message_level", "method", "min_freq",
196
+ "min_lines", "name", "namespace", "new_channels",
197
+ "numMsgs", "offset", "other", "output_mode",
198
+ "output_time_format", "platform", "punct", "q",
199
+ "qsize", "qwork_units", "rebuild_metadata",
200
+ "reclaimed_channels", "referer", "referer_domain",
201
+ "refresh", "removed_channels", "replicate_semislice",
202
+ "req_time", "requestid", "retryMove_1hotBkt",
203
+ "reverse_order", "roll_hotBkt", "root", "s", "search",
204
+ "segmentation", "series", "service_externProc",
205
+ "service_maxSizes", "service_volumes",
206
+ "show_empty_fields", "sid", "size_hotBkt",
207
+ "skipped", "smallest_size", "sortDir", "sortKey",
208
+ "sort_dir", "sort_key", "source", "sourcetype", "spent",
209
+ "splunk_server", "staticFields", "status", "sync_hotBkt",
210
+ "task", "templateTime", "throttle_optimize",
211
+ "time_format", "timedout_channels", "timeendpos",
212
+ "timestamp", "timestartpos", "total_k_processed",
213
+ "truncation_mode", "update_bktManifest",
214
+ "update_checksums", "uri", "uri_path", "uri_query",
215
+ "user", "userAgent", "useragent", "version", "viewTime",
216
+ "wait", "with_new", "workers"],
217
+ "results": [
218
+ {
219
+ "_bkt": "_internal~20~D8F318D9-5D7F-43B5-911F-9821FBAEEA9B",
220
+ "_cd": "20:6362329",
221
+ "_indextime": "1355942859",
222
+ "_kv": "1",
223
+ "_raw": "12-19-2012 10:47:39.098 -0800 INFO Metrics - group=mpool, max_used_interval=11760, max_used=106926, avg_rsv=256, capacity=536870912, used=0, rep_used=0",
224
+ "_serial": "20446",
225
+ "_si": ["fross-mbp15.local", "_internal"],
226
+ "_sourcetype": "splunkd",
227
+ "_subsecond": ".098",
228
+ "_time": "2012-12-19T10:47:39.098-08:00",
229
+ "component": "Metrics",
230
+ "date_hour": "10",
231
+ "date_mday": "19",
232
+ "date_minute": "47",
233
+ "date_month": "december",
234
+ "date_second": "39",
235
+ "date_wday": "wednesday",
236
+ "date_year": "2012",
237
+ "date_zone": "-480",
238
+ "group": "mpool",
239
+ "host": "fross-mbp15.local",
240
+ "index": "_internal",
241
+ "linecount": "1",
242
+ "log_level": "INFO",
243
+ "message": "group=mpool, max_used_interval=11760, max_used=106926, avg_rsv=256, capacity=536870912, used=0, rep_used=0",
244
+ "punct": "--_::._-____-_=,_=,_=,_=,_=,_=,_=",
245
+ "source": "/Users/fross/splunks/splunk-5.0.2/var/log/splunk/metrics.log",
246
+ "sourcetype": "splunkd",
247
+ "splunk_server": "fross-mbp15.local",
248
+ "timeendpos": "29",
249
+ "timestartpos": "0"
250
+ },
251
+ {
252
+ "_bkt": "_internal~20~D8F318D9-5D7F-43B5-911F-9821FBAEEA9B",
253
+ "_cd": "20:6362402",
254
+ "_indextime": "1355942859",
255
+ "_kv": "1",
256
+ "_raw": "12-19-2012 10:47:39.099 -0800 INFO Metrics - group=pipeline, name=merging, processor=sendout, cpu_seconds=0.000000, executes=48, cumulative_hits=927340",
257
+ "_serial": "20436",
258
+ "_si": ["fross-mbp15.local", "_internal"],
259
+ "_sourcetype": "splunkd",
260
+ "_subsecond": ".099",
261
+ "_time": "2012-12-19T10:47:39.099-08:00",
262
+ "component": "Metrics",
263
+ "date_hour": "10",
264
+ "date_mday": "19",
265
+ "date_minute": "47",
266
+ "date_month": "december",
267
+ "date_second": "39",
268
+ "date_wday": "wednesday",
269
+ "date_year": "2012",
270
+ "date_zone": "-480",
271
+ "group": "pipeline",
272
+ "host": "fross-mbp15.local",
273
+ "index": "_internal",
274
+ "linecount": "1",
275
+ "log_level": "INFO",
276
+ "message": "group=pipeline, name=merging, processor=sendout, cpu_seconds=0.000000, executes=48, cumulative_hits=927340",
277
+ "name": "merging",
278
+ "punct": "--_::._-____-_=,_=,_=,_=.,_=,_=",
279
+ "source": "/Users/fross/splunks/splunk-5.0.2/var/log/splunk/metrics.log",
280
+ "sourcetype": "splunkd",
281
+ "splunk_server": "fross-mbp15.local",
282
+ "timeendpos": "29",
283
+ "timestartpos": "0"
284
+ },
285
+ {
286
+ "_bkt": "_internal~20~D8F318D9-5D7F-43B5-911F-9821FBAEEA9B",
287
+ "_cd": "20:6362395",
288
+ "_indextime": "1355942859",
289
+ "_kv": "1",
290
+ "_raw": "12-19-2012 10:47:39.099 -0800 INFO Metrics - group=pipeline, name=merging, processor=readerin, cpu_seconds=0.000000, executes=48, cumulative_hits=927707",
291
+ "_serial": "20437",
292
+ "_si": ["fross-mbp15.local", "_internal"],
293
+ "_sourcetype": "splunkd",
294
+ "_subsecond": ".099",
295
+ "_time": "2012-12-19T10:47:39.099-08:00",
296
+ "component": "Metrics",
297
+ "date_hour": "10",
298
+ "date_mday": "19",
299
+ "date_minute": "47",
300
+ "date_month": "december",
301
+ "date_second": "39",
302
+ "date_wday": "wednesday",
303
+ "date_year": "2012",
304
+ "date_zone": "-480",
305
+ "group": "pipeline",
306
+ "host": "fross-mbp15.local",
307
+ "index": "_internal",
308
+ "linecount": "1",
309
+ "log_level": "INFO",
310
+ "message": "group=pipeline, name=merging, processor=readerin, cpu_seconds=0.000000, executes=48, cumulative_hits=927707",
311
+ "name": "merging",
312
+ "punct": "--_::._-____-_=,_=,_=,_=.,_=,_=",
313
+ "source": "/Users/fross/splunks/splunk-5.0.2/var/log/splunk/metrics.log",
314
+ "sourcetype": "splunkd",
315
+ "splunk_server": "fross-mbp15.local",
316
+ "timeendpos": "29",
317
+ "timestartpos": "0"
318
+ }
319
+ ]
320
+ },
321
+ "results-empty_preview": {
322
+ "is_preview": true,
323
+ "fields": [],
324
+ "results": []
325
+ },
326
+ "results-empty": {
327
+ "is_preview": false,
328
+ "fields": [],
329
+ "results": []
330
+ }
331
+ },
332
+ "4.3.5": {
333
+ "results": {
334
+ "is_preview": false,
335
+ "fields": ["_cd", "_indextime", "_kv", "_raw", "_serial", "_si",
336
+ "_sourcetype", "_subsecond", "_time", "bytes",
337
+ "client_app", "clientip", "cookie", "count", "date_hour",
338
+ "date_mday", "date_minute", "date_month", "date_second",
339
+ "date_wday", "date_year", "date_zone",
340
+ "display_row_numbers", "earliest",
341
+ "enable_event_actions", "enable_field_actions",
342
+ "entity_name", "eventtype", "field_list", "file",
343
+ "fillcontents", "host", "ident", "index", "latest",
344
+ "linecount", "max_lines", "max_lines_constraint",
345
+ "method", "min_freq", "min_lines", "offset", "other",
346
+ "output_mode", "output_time_format", "punct", "q",
347
+ "referer", "referer_domain", "req_time", "reverse_order",
348
+ "root", "s", "segmentation", "show_empty_fields", "sid",
349
+ "source", "sourcetype", "spent", "splunk_server",
350
+ "status", "time_format", "timeendpos", "timestartpos",
351
+ "truncation_mode", "uri", "uri_domain", "uri_path",
352
+ "uri_query", "user", "useragent", "version"],
353
+ "results": [
354
+ {
355
+ "_cd": "54:23786",
356
+ "_indextime": "1355946940",
357
+ "_kv": "1",
358
+ "_raw": "127.0.0.1 - admin [19/Dec/2012:11:55:39.296 -0800] \"POST /en-US/api/shelper HTTP/1.1\" 200 1398 \"http://localhost:8000/en-US/app/<sg h=\"1\">search</sg>/flashtimeline?q=<sg h=\"1\">search</sg>%20<sg h=\"1\">search</sg>%20index%3D_internal%20%7C%20head%2010&earliest=rt-1h&latest=rt\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20100101 Firefox/17.0\" - 50d21bbb4b5224c10 3ms",
359
+ "_serial": "0",
360
+ "_si": ["fross-mbp15.local", "_internal"],
361
+ "_sourcetype": "splunk_web_access",
362
+ "_subsecond": ".296",
363
+ "_time": "2012-12-19T11:55:39.296-08:00",
364
+ "bytes": "1398",
365
+ "clientip": "127.0.0.1",
366
+ "date_hour": "11",
367
+ "date_mday": "19",
368
+ "date_minute": "55",
369
+ "date_month": "december",
370
+ "date_second": "39",
371
+ "date_wday": "wednesday",
372
+ "date_year": "2012",
373
+ "date_zone": "-480",
374
+ "earliest": "rt-1h",
375
+ "file": "shelper",
376
+ "host": "fross-mbp15.local",
377
+ "ident": "-",
378
+ "index": "_internal",
379
+ "latest": "rt",
380
+ "linecount": "1",
381
+ "method": "POST",
382
+ "other": "- 50d21bbb4b5224c10 3ms",
383
+ "punct": "..._-__[//:::._-]_\"_/-//_/.\"___\"://:/-///?=%%%%%%%",
384
+ "q": "search%20search%20index%3D_internal%20%7C%20head%2010",
385
+ "referer": "http://localhost:8000/en-US/app/search/flashtimeline?q=search%20search%20index%3D_internal%20%7C%20head%2010&earliest=rt-1h&latest=rt",
386
+ "referer_domain": "http://localhost:8000",
387
+ "req_time": "19/Dec/2012:11:55:39.296 -0800",
388
+ "root": "en-US",
389
+ "source": "/Users/fross/splunks/splunk-4.3.5/var/log/splunk/web_access.log",
390
+ "sourcetype": "splunk_web_access",
391
+ "spent": "3",
392
+ "splunk_server": "fross-mbp15.local",
393
+ "status": "200",
394
+ "timeendpos": "49",
395
+ "timestartpos": "19",
396
+ "uri": "/en-US/api/shelper",
397
+ "uri_path": "/en-US/api/shelper",
398
+ "user": "admin",
399
+ "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20100101 Firefox/17.0",
400
+ "version": "HTTP/1.1"
401
+ },
402
+ {
403
+ "_cd": "54:23689",
404
+ "_indextime": "1355946940",
405
+ "_kv": "1",
406
+ "_raw": "127.0.0.1 - admin [19/Dec/2012:11:55:39.265 -0800] \"GET /services/<sg h=\"1\">search</sg>/jobs/rt_1355946914.13 HTTP/1.1\" 200 10957 - - - 4ms",
407
+ "_serial": "1",
408
+ "_si": ["fross-mbp15.local", "_internal"],
409
+ "_sourcetype": "splunkd_access",
410
+ "_subsecond": ".265",
411
+ "_time": "2012-12-19T11:55:39.265-08:00",
412
+ "bytes": "10957",
413
+ "clientip": "127.0.0.1",
414
+ "date_hour": "11",
415
+ "date_mday": "19",
416
+ "date_minute": "55",
417
+ "date_month": "december",
418
+ "date_second": "39",
419
+ "date_wday": "wednesday",
420
+ "date_year": "2012",
421
+ "date_zone": "-480",
422
+ "eventtype": "splunkd-access",
423
+ "file": "rt_1355946914.13",
424
+ "host": "fross-mbp15.local",
425
+ "ident": "-",
426
+ "index": "_internal",
427
+ "linecount": "1",
428
+ "method": "GET",
429
+ "other": "- - - 4ms",
430
+ "punct": "..._-__[//:::._-]_\"_////._/.\"___-_-_-_",
431
+ "req_time": "19/Dec/2012:11:55:39.265 -0800",
432
+ "root": "services",
433
+ "source": "/Users/fross/splunks/splunk-4.3.5/var/log/splunk/splunkd_access.log",
434
+ "sourcetype": "splunkd_access",
435
+ "spent": "4",
436
+ "splunk_server": "fross-mbp15.local",
437
+ "status": "200",
438
+ "timeendpos": "49",
439
+ "timestartpos": "19",
440
+ "uri": "/services/search/jobs/rt_1355946914.13",
441
+ "uri_path": "/services/search/jobs/rt_1355946914.13",
442
+ "user": "admin",
443
+ "version": "HTTP/1.1"
444
+ },
445
+ {
446
+ "_cd": "54:23682",
447
+ "_indextime": "1355946940",
448
+ "_kv": "1",
449
+ "_raw": "127.0.0.1 - admin [19/Dec/2012:11:55:39.258 -0800] \"GET /servicesNS/admin/<sg h=\"1\">search</sg>/properties/event_renderers?fillcontents=1 HTTP/1.1\" 200 3657 - - - 1ms",
450
+ "_serial": "2",
451
+ "_si": ["fross-mbp15.local", "_internal"],
452
+ "_sourcetype": "splunkd_access",
453
+ "_subsecond": ".258",
454
+ "_time": "2012-12-19T11:55:39.258-08:00",
455
+ "bytes": "3657",
456
+ "clientip": "127.0.0.1",
457
+ "date_hour": "11",
458
+ "date_mday": "19",
459
+ "date_minute": "55",
460
+ "date_month": "december",
461
+ "date_second": "39",
462
+ "date_wday": "wednesday",
463
+ "date_year": "2012",
464
+ "date_zone": "-480",
465
+ "eventtype": "splunkd-access",
466
+ "file": "event_renderers",
467
+ "fillcontents": "1",
468
+ "host": "fross-mbp15.local",
469
+ "ident": "-",
470
+ "index": "_internal",
471
+ "linecount": "1",
472
+ "method": "GET",
473
+ "other": "- - - 1ms",
474
+ "punct": "..._-__[//:::._-]_\"_/////?=_/.\"___-_-_-_",
475
+ "req_time": "19/Dec/2012:11:55:39.258 -0800",
476
+ "root": "servicesNS",
477
+ "source": "/Users/fross/splunks/splunk-4.3.5/var/log/splunk/splunkd_access.log",
478
+ "sourcetype": "splunkd_access",
479
+ "spent": "1",
480
+ "splunk_server": "fross-mbp15.local",
481
+ "status": "200",
482
+ "timeendpos": "49",
483
+ "timestartpos": "19",
484
+ "uri": "/servicesNS/admin/search/properties/event_renderers?fillcontents=1",
485
+ "uri_path": "/servicesNS/admin/search/properties/event_renderers",
486
+ "uri_query": "fillcontents=1",
487
+ "user": "admin",
488
+ "version": "HTTP/1.1"
489
+ },
490
+ {
491
+ "_cd": "54:23670",
492
+ "_indextime": "1355946940",
493
+ "_kv": "1",
494
+ "_raw": "127.0.0.1 - admin [19/Dec/2012:11:55:39.231 -0800] \"GET /services/<sg h=\"1\">search</sg>/jobs/rt_1355946914.13/events?count=0&segmentation=full&output_mode=xml&time_format=%25s.%25Q&max_lines=10&show_empty_fields=True&offset=-10&output_time_format=%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25z&field_list=&truncation_mode=abstract HTTP/1.1\" 200 32837 - - - 6ms",
495
+ "_serial": "3",
496
+ "_si": ["fross-mbp15.local", "_internal"],
497
+ "_sourcetype": "splunkd_access",
498
+ "_subsecond": ".231",
499
+ "_time": "2012-12-19T11:55:39.231-08:00",
500
+ "bytes": "32837",
501
+ "clientip": "127.0.0.1",
502
+ "count": "0",
503
+ "date_hour": "11",
504
+ "date_mday": "19",
505
+ "date_minute": "55",
506
+ "date_month": "december",
507
+ "date_second": "39",
508
+ "date_wday": "wednesday",
509
+ "date_year": "2012",
510
+ "date_zone": "-480",
511
+ "eventtype": "splunkd-access",
512
+ "file": "events",
513
+ "host": "fross-mbp15.local",
514
+ "ident": "-",
515
+ "index": "_internal",
516
+ "linecount": "1",
517
+ "max_lines": "10",
518
+ "method": "GET",
519
+ "offset": "-10",
520
+ "other": "- - - 6ms",
521
+ "output_mode": "xml",
522
+ "output_time_format": "%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25z",
523
+ "punct": "..._-__[//:::._-]_\"_////./?=&=&=&=%.%&=&=&=-&=%-%-",
524
+ "req_time": "19/Dec/2012:11:55:39.231 -0800",
525
+ "root": "services",
526
+ "segmentation": "full",
527
+ "show_empty_fields": "True",
528
+ "source": "/Users/fross/splunks/splunk-4.3.5/var/log/splunk/splunkd_access.log",
529
+ "sourcetype": "splunkd_access",
530
+ "spent": "6",
531
+ "splunk_server": "fross-mbp15.local",
532
+ "status": "200",
533
+ "time_format": "%25s.%25Q",
534
+ "timeendpos": "49",
535
+ "timestartpos": "19",
536
+ "truncation_mode": "abstract",
537
+ "uri": "/services/search/jobs/rt_1355946914.13/events?count=0&segmentation=full&output_mode=xml&time_format=%25s.%25Q&max_lines=10&show_empty_fields=True&offset=-10&output_time_format=%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25z&field_list=&truncation_mode=abstract",
538
+ "uri_path": "/services/search/jobs/rt_1355946914.13/events",
539
+ "uri_query": "count=0&segmentation=full&output_mode=xml&time_format=%25s.%25Q&max_lines=10&show_empty_fields=True&offset=-10&output_time_format=%25Y-%25m-%25dT%25H%3A%25M%3A%25S.%25Q%25z&field_list=&truncation_mode=abstract",
540
+ "user": "admin",
541
+ "version": "HTTP/1.1"
542
+ }
543
+ ]
544
+ },
545
+ "results-preview": {
546
+ "is_preview": true,
547
+ "fields": ["_cd", "_indextime", "_kv", "_raw", "_serial", "_si",
548
+ "_sourcetype", "_subsecond", "_time",
549
+ "active_hist_searches", "active_realtime_searches",
550
+ "app", "appCodeName", "appName", "browser", "bytes",
551
+ "class", "client_app", "clientip", "component", "count",
552
+ "date_hour", "date_mday", "date_minute", "date_month",
553
+ "date_second", "date_wday", "date_year", "date_zone",
554
+ "delimiter", "display_row_numbers", "drop_count",
555
+ "earliest", "enable_event_actions",
556
+ "enable_field_actions", "entity_name", "eventtype",
557
+ "field_list", "fields", "file", "fillcontents", "group",
558
+ "host", "ident", "index", "jobStatus", "latest", "line",
559
+ "linecount", "log_level", "max_lines",
560
+ "max_lines_constraint", "max_time",
561
+ "mean_preview_period", "message", "message_level",
562
+ "method", "min_freq", "min_lines", "name", "namespace",
563
+ "offset", "other", "output_mode", "output_time_format",
564
+ "platform", "prefix", "punct", "q", "referer",
565
+ "referer_domain", "req_time", "requestid",
566
+ "reverse_order", "root", "s", "search", "segmentation",
567
+ "show_empty_fields", "sid", "sortDir", "sortKey",
568
+ "sort_dir", "sort_key", "source", "sourcetype", "spent",
569
+ "splunk_server", "staticFields", "status",
570
+ "time_format", "timeendpos", "timestartpos",
571
+ "truncation_mode", "uri", "uri_path", "uri_query",
572
+ "user", "userAgent", "useragent", "version"],
573
+ "results": [
574
+ {
575
+ "_cd": "54:8568",
576
+ "_indextime": "1355946537",
577
+ "_kv": "1",
578
+ "_raw": "2012-12-19 11:48:55,424 INFO\t[50d21a262616082d0] root:535 - CONFIG: mrsparkle_path (str): /Users/fross/splunks/splunk-4.3.5/share/<sg h=\"1\">search</sg>/mrsparkle",
579
+ "_serial": "731",
580
+ "_si": ["fross-mbp15.local", "_internal"],
581
+ "_sourcetype": "splunk_web_service",
582
+ "_subsecond": ".424",
583
+ "_time": "2012-12-19T11:48:55.424-08:00",
584
+ "component": "root",
585
+ "date_hour": "11",
586
+ "date_mday": "19",
587
+ "date_minute": "48",
588
+ "date_month": "december",
589
+ "date_second": "55",
590
+ "date_wday": "wednesday",
591
+ "date_year": "2012",
592
+ "date_zone": "local",
593
+ "host": "fross-mbp15.local",
594
+ "index": "_internal",
595
+ "line": "535",
596
+ "linecount": "1",
597
+ "log_level": "INFO",
598
+ "message": "CONFIG: mrsparkle_path (str): /Users/fross/splunks/splunk-4.3.5/share/search/mrsparkle",
599
+ "punct": "--_::,_t[]_:_-_:__():_////-..///",
600
+ "requestid": "50d21a262616082d0",
601
+ "source": "/Users/fross/splunks/splunk-4.3.5/var/log/splunk/web_service.log",
602
+ "sourcetype": "splunk_web_service",
603
+ "splunk_server": "fross-mbp15.local",
604
+ "timeendpos": "24",
605
+ "timestartpos": "0"
606
+ },
607
+ {
608
+ "_cd": "54:8562",
609
+ "_indextime": "1355946537",
610
+ "_kv": "1",
611
+ "_raw": "2012-12-19 11:48:55,424 INFO\t[50d21a262616082d0] root:535 - CONFIG: module_dir (str): share/splunk/<sg h=\"1\">search</sg>_mrsparkle/modules",
612
+ "_serial": "732",
613
+ "_si": ["fross-mbp15.local", "_internal"],
614
+ "_sourcetype": "splunk_web_service",
615
+ "_subsecond": ".424",
616
+ "_time": "2012-12-19T11:48:55.424-08:00",
617
+ "component": "root",
618
+ "date_hour": "11",
619
+ "date_mday": "19",
620
+ "date_minute": "48",
621
+ "date_month": "december",
622
+ "date_second": "55",
623
+ "date_wday": "wednesday",
624
+ "date_year": "2012",
625
+ "date_zone": "local",
626
+ "host": "fross-mbp15.local",
627
+ "index": "_internal",
628
+ "line": "535",
629
+ "linecount": "1",
630
+ "log_level": "INFO",
631
+ "message": "CONFIG: module_dir (str): share/splunk/search_mrsparkle/modules",
632
+ "punct": "--_::,_t[]_:_-_:__():_///",
633
+ "requestid": "50d21a262616082d0",
634
+ "source": "/Users/fross/splunks/splunk-4.3.5/var/log/splunk/web_service.log",
635
+ "sourcetype": "splunk_web_service",
636
+ "splunk_server": "fross-mbp15.local",
637
+ "timeendpos": "24",
638
+ "timestartpos": "0"
639
+ },
640
+ {
641
+ "_cd": "54:8674",
642
+ "_indextime": "1355946537",
643
+ "_kv": "1",
644
+ "_raw": "2012-12-19 11:48:55,425 INFO\t[50d21a262616082d0] root:535 - CONFIG: template_dir (str): share/splunk/<sg h=\"1\">search</sg>_mrsparkle/templates",
645
+ "_serial": "728",
646
+ "_si": ["fross-mbp15.local", "_internal"],
647
+ "_sourcetype": "splunk_web_service",
648
+ "_subsecond": ".425",
649
+ "_time": "2012-12-19T11:48:55.425-08:00",
650
+ "component": "root",
651
+ "date_hour": "11",
652
+ "date_mday": "19",
653
+ "date_minute": "48",
654
+ "date_month": "december",
655
+ "date_second": "55",
656
+ "date_wday": "wednesday",
657
+ "date_year": "2012",
658
+ "date_zone": "local",
659
+ "host": "fross-mbp15.local",
660
+ "index": "_internal",
661
+ "line": "535",
662
+ "linecount": "1",
663
+ "log_level": "INFO",
664
+ "message": "CONFIG: template_dir (str): share/splunk/search_mrsparkle/templates",
665
+ "punct": "--_::,_t[]_:_-_:__():_///",
666
+ "requestid": "50d21a262616082d0",
667
+ "source": "/Users/fross/splunks/splunk-4.3.5/var/log/splunk/web_service.log",
668
+ "sourcetype": "splunk_web_service",
669
+ "splunk_server": "fross-mbp15.local",
670
+ "timeendpos": "24",
671
+ "timestartpos": "0"
672
+ },
673
+ {
674
+ "_cd": "54:8662",
675
+ "_indextime": "1355946537",
676
+ "_kv": "1",
677
+ "_raw": "2012-12-19 11:48:55,425 INFO\t[50d21a262616082d0] root:535 - CONFIG: staticdir (str): /Users/fross/splunks/splunk-4.3.5/share/splunk/<sg h=\"1\">search</sg>_mrsparkle/exposed",
678
+ "_serial": "729",
679
+ "_si": ["fross-mbp15.local", "_internal"],
680
+ "_sourcetype": "splunk_web_service",
681
+ "_subsecond": ".425",
682
+ "_time": "2012-12-19T11:48:55.425-08:00",
683
+ "component": "root",
684
+ "date_hour": "11",
685
+ "date_mday": "19",
686
+ "date_minute": "48",
687
+ "date_month": "december",
688
+ "date_second": "55",
689
+ "date_wday": "wednesday",
690
+ "date_year": "2012",
691
+ "date_zone": "local",
692
+ "host": "fross-mbp15.local",
693
+ "index": "_internal",
694
+ "line": "535",
695
+ "linecount": "1",
696
+ "log_level": "INFO",
697
+ "message": "CONFIG: staticdir (str): /Users/fross/splunks/splunk-4.3.5/share/splunk/search_mrsparkle/exposed",
698
+ "punct": "--_::,_t[]_:_-_:__():_////-..////",
699
+ "requestid": "50d21a262616082d0",
700
+ "source": "/Users/fross/splunks/splunk-4.3.5/var/log/splunk/web_service.log",
701
+ "sourcetype": "splunk_web_service",
702
+ "splunk_server": "fross-mbp15.local",
703
+ "timeendpos": "24",
704
+ "timestartpos": "0"
705
+ },
706
+ {
707
+ "_cd": "54:8651",
708
+ "_indextime": "1355946537",
709
+ "_kv": "1",
710
+ "_raw": "2012-12-19 11:48:55,425 INFO\t[50d21a262616082d0] root:535 - CONFIG: static_dir (str): share/splunk/<sg h=\"1\">search</sg>_mrsparkle/exposed",
711
+ "_serial": "730",
712
+ "_si": ["fross-mbp15.local", "_internal"],
713
+ "_sourcetype": "splunk_web_service",
714
+ "_subsecond": ".425",
715
+ "_time": "2012-12-19T11:48:55.425-08:00",
716
+ "component": "root",
717
+ "date_hour": "11",
718
+ "date_mday": "19",
719
+ "date_minute": "48",
720
+ "date_month": "december",
721
+ "date_second": "55",
722
+ "date_wday": "wednesday",
723
+ "date_year": "2012",
724
+ "date_zone": "local",
725
+ "host": "fross-mbp15.local",
726
+ "index": "_internal",
727
+ "line": "535",
728
+ "linecount": "1",
729
+ "log_level": "INFO",
730
+ "message": "CONFIG: static_dir (str): share/splunk/search_mrsparkle/exposed",
731
+ "punct": "--_::,_t[]_:_-_:__():_///",
732
+ "requestid": "50d21a262616082d0",
733
+ "source": "/Users/fross/splunks/splunk-4.3.5/var/log/splunk/web_service.log",
734
+ "sourcetype": "splunk_web_service",
735
+ "splunk_server": "fross-mbp15.local",
736
+ "timeendpos": "24",
737
+ "timestartpos": "0"
738
+ },
739
+ {
740
+ "_cd": "54:9267",
741
+ "_indextime": "1355946552",
742
+ "_kv": "1",
743
+ "_raw": "12-19-2012 11:49:12.313 -0800 INFO Metrics - group=<sg h=\"1\">search</sg>_concurrency, system total, active_hist_searches=0, active_realtime_searches=0",
744
+ "_serial": "726",
745
+ "_si": ["fross-mbp15.local", "_internal"],
746
+ "_sourcetype": "splunkd",
747
+ "_subsecond": ".313",
748
+ "_time": "2012-12-19T11:49:12.313-08:00",
749
+ "active_hist_searches": "0",
750
+ "active_realtime_searches": "0",
751
+ "component": "Metrics",
752
+ "date_hour": "11",
753
+ "date_mday": "19",
754
+ "date_minute": "49",
755
+ "date_month": "december",
756
+ "date_second": "12",
757
+ "date_wday": "wednesday",
758
+ "date_year": "2012",
759
+ "date_zone": "-480",
760
+ "group": "search_concurrency",
761
+ "host": "fross-mbp15.local",
762
+ "index": "_internal",
763
+ "linecount": "1",
764
+ "log_level": "INFO",
765
+ "message": "group=search_concurrency, system total, active_hist_searches=0, active_realtime_searches=0",
766
+ "punct": "--_::._-____-_=,__,_=,_=",
767
+ "source": "/Users/fross/splunks/splunk-4.3.5/var/log/splunk/metrics.log",
768
+ "sourcetype": "splunkd",
769
+ "splunk_server": "fross-mbp15.local",
770
+ "timeendpos": "29",
771
+ "timestartpos": "0"
772
+ },
773
+ {
774
+ "_cd": "54:9262",
775
+ "_indextime": "1355946552",
776
+ "_kv": "1",
777
+ "_raw": "12-19-2012 11:49:12.313 -0800 INFO Metrics - group=realtime_<sg h=\"1\">search</sg>_data, system total, drop_count=0",
778
+ "_serial": "727",
779
+ "_si": ["fross-mbp15.local", "_internal"],
780
+ "_sourcetype": "splunkd",
781
+ "_subsecond": ".313",
782
+ "_time": "2012-12-19T11:49:12.313-08:00",
783
+ "component": "Metrics",
784
+ "date_hour": "11",
785
+ "date_mday": "19",
786
+ "date_minute": "49",
787
+ "date_month": "december",
788
+ "date_second": "12",
789
+ "date_wday": "wednesday",
790
+ "date_year": "2012",
791
+ "date_zone": "-480",
792
+ "drop_count": "0",
793
+ "group": "realtime_search_data",
794
+ "host": "fross-mbp15.local",
795
+ "index": "_internal",
796
+ "linecount": "1",
797
+ "log_level": "INFO",
798
+ "message": "group=realtime_search_data, system total, drop_count=0",
799
+ "punct": "--_::._-____-_=,__,_=",
800
+ "source": "/Users/fross/splunks/splunk-4.3.5/var/log/splunk/metrics.log",
801
+ "sourcetype": "splunkd",
802
+ "splunk_server": "fross-mbp15.local",
803
+ "timeendpos": "29",
804
+ "timestartpos": "0"
805
+ },
806
+ {
807
+ "_cd": "54:9769",
808
+ "_indextime": "1355946583",
809
+ "_kv": "1",
810
+ "_raw": "12-19-2012 11:49:43.322 -0800 INFO Metrics - group=<sg h=\"1\">search</sg>_concurrency, system total, active_hist_searches=0, active_realtime_searches=0",
811
+ "_serial": "724",
812
+ "_si": ["fross-mbp15.local", "_internal"],
813
+ "_sourcetype": "splunkd",
814
+ "_subsecond": ".322",
815
+ "_time": "2012-12-19T11:49:43.322-08:00",
816
+ "active_hist_searches": "0",
817
+ "active_realtime_searches": "0",
818
+ "component": "Metrics",
819
+ "date_hour": "11",
820
+ "date_mday": "19",
821
+ "date_minute": "49",
822
+ "date_month": "december",
823
+ "date_second": "43",
824
+ "date_wday": "wednesday",
825
+ "date_year": "2012",
826
+ "date_zone": "-480",
827
+ "group": "search_concurrency",
828
+ "host": "fross-mbp15.local",
829
+ "index": "_internal",
830
+ "linecount": "1",
831
+ "log_level": "INFO",
832
+ "message": "group=search_concurrency, system total, active_hist_searches=0, active_realtime_searches=0",
833
+ "punct": "--_::._-____-_=,__,_=,_=",
834
+ "source": "/Users/fross/splunks/splunk-4.3.5/var/log/splunk/metrics.log",
835
+ "sourcetype": "splunkd",
836
+ "splunk_server": "fross-mbp15.local",
837
+ "timeendpos": "29",
838
+ "timestartpos": "0"
839
+ },
840
+ {
841
+ "_cd": "54:9764",
842
+ "_indextime": "1355946583",
843
+ "_kv": "1",
844
+ "_raw": "12-19-2012 11:49:43.322 -0800 INFO Metrics - group=realtime_<sg h=\"1\">search</sg>_data, system total, drop_count=0",
845
+ "_serial": "725",
846
+ "_si": ["fross-mbp15.local", "_internal"],
847
+ "_sourcetype": "splunkd",
848
+ "_subsecond": ".322",
849
+ "_time": "2012-12-19T11:49:43.322-08:00",
850
+ "component": "Metrics",
851
+ "date_hour": "11",
852
+ "date_mday": "19",
853
+ "date_minute": "49",
854
+ "date_month": "december",
855
+ "date_second": "43",
856
+ "date_wday": "wednesday",
857
+ "date_year": "2012",
858
+ "date_zone": "-480",
859
+ "drop_count": "0",
860
+ "group": "realtime_search_data",
861
+ "host": "fross-mbp15.local",
862
+ "index": "_internal",
863
+ "linecount": "1",
864
+ "log_level": "INFO",
865
+ "message": "group=realtime_search_data, system total, drop_count=0",
866
+ "punct": "--_::._-____-_=,__,_=",
867
+ "source": "/Users/fross/splunks/splunk-4.3.5/var/log/splunk/metrics.log",
868
+ "sourcetype": "splunkd",
869
+ "splunk_server": "fross-mbp15.local",
870
+ "timeendpos": "29",
871
+ "timestartpos": "0"
872
+ },
873
+ {
874
+ "_cd": "54:10097",
875
+ "_indextime": "1355946614",
876
+ "_kv": "1",
877
+ "_raw": "12-19-2012 11:50:14.351 -0800 INFO Metrics - group=<sg h=\"1\">search</sg>_concurrency, system total, active_hist_searches=0, active_realtime_searches=0",
878
+ "_serial": "722",
879
+ "_si": ["fross-mbp15.local", "_internal"],
880
+ "_sourcetype": "splunkd",
881
+ "_subsecond": ".351",
882
+ "_time": "2012-12-19T11:50:14.351-08:00",
883
+ "active_hist_searches": "0",
884
+ "active_realtime_searches": "0",
885
+ "component": "Metrics",
886
+ "date_hour": "11",
887
+ "date_mday": "19",
888
+ "date_minute": "50",
889
+ "date_month": "december",
890
+ "date_second": "14",
891
+ "date_wday": "wednesday",
892
+ "date_year": "2012",
893
+ "date_zone": "-480",
894
+ "group": "search_concurrency",
895
+ "host": "fross-mbp15.local",
896
+ "index": "_internal",
897
+ "linecount": "1",
898
+ "log_level": "INFO",
899
+ "message": "group=search_concurrency, system total, active_hist_searches=0, active_realtime_searches=0",
900
+ "punct": "--_::._-____-_=,__,_=,_=",
901
+ "source": "/Users/fross/splunks/splunk-4.3.5/var/log/splunk/metrics.log",
902
+ "sourcetype": "splunkd",
903
+ "splunk_server": "fross-mbp15.local",
904
+ "timeendpos": "29",
905
+ "timestartpos": "0"
906
+ }
907
+ ]
908
+ },
909
+ "results-empty": {
910
+ "is_preview": null,
911
+ "fields": [],
912
+ "results": []
913
+ }
914
+ },
915
+ "4.2.5": {
916
+ "results-empty": {
917
+ "is_preview": null,
918
+ "fields": [],
919
+ "results": []
920
+ },
921
+ "results-preview": {
922
+ "is_preview": true,
923
+ "fields": ["_indextime", "_kv", "_raw", "_serial", "_sourcetype",
924
+ "_subsecond", "_time", "active_streams", "blocking",
925
+ "bytes", "client_app", "clientip", "component", "count",
926
+ "date_hour", "date_mday", "date_minute", "date_month",
927
+ "date_second", "date_wday", "date_year", "date_zone",
928
+ "display_row_numbers", "earliest",
929
+ "enable_event_actions", "enable_field_actions",
930
+ "entity_name", "eventtype", "field_list", "file",
931
+ "fillcontents", "filter", "host", "ident", "index",
932
+ "length", "linecount", "log_level", "max_block_secs",
933
+ "max_lines", "max_lines_constraint", "max_pages",
934
+ "message", "method", "min_freq", "min_lines", "offset",
935
+ "other", "output_mode", "output_time_format", "punct",
936
+ "q", "queue_size", "referer", "referer_domain",
937
+ "req_time", "reverse_order", "root", "s", "segmentation",
938
+ "show_empty_fields", "sid", "source", "sourcetype",
939
+ "spent", "splunk_server", "status", "time_format",
940
+ "timeendpos", "timestartpos", "truncation_mode", "uri",
941
+ "uri_path", "uri_query", "user", "useragent", "version"],
942
+ "results": [
943
+ {
944
+ "_indextime": "1355947338",
945
+ "_kv": "1",
946
+ "_raw": "12-19-2012 12:02:18.172 -0800 INFO IndexProcessor - rtsearch connection established, filter = '[ AND <sg h=\"1\">index::_internal</sg> <sg h=\"1\">search</sg> ]', active_streams = 1, queue_size = 10000, blocking = FALSE, max_block_secs = 0",
947
+ "_serial": "0",
948
+ "_sourcetype": "splunkd",
949
+ "_subsecond": ".172",
950
+ "_time": "2012-12-19T12:02:18.172-08:00",
951
+ "active_streams": "1",
952
+ "blocking": "FALSE",
953
+ "component": "IndexProcessor",
954
+ "date_hour": "12",
955
+ "date_mday": "19",
956
+ "date_minute": "2",
957
+ "date_month": "december",
958
+ "date_second": "18",
959
+ "date_wday": "wednesday",
960
+ "date_year": "2012",
961
+ "date_zone": "-480",
962
+ "eventtype": "splunkd-log",
963
+ "filter": "'[ AND index::_internal search ]'",
964
+ "host": "fross-mbp15.local",
965
+ "index": "_internal",
966
+ "linecount": "1",
967
+ "log_level": "INFO",
968
+ "max_block_secs": "0",
969
+ "message": "rtsearch connection established, filter = '[ AND index::_internal search ]', active_streams = 1, queue_size = 10000, blocking = FALSE, max_block_secs = 0",
970
+ "punct": "--_::._-____-___,__=_'[__::__]',__=_,__=_,__=_,__=",
971
+ "queue_size": "10000",
972
+ "source": "/Users/fross/splunks/splunk-4.2.5.6/var/log/splunk/splunkd.log",
973
+ "sourcetype": "splunkd",
974
+ "splunk_server": "fross-mbp15.local",
975
+ "timeendpos": "29",
976
+ "timestartpos": "11"
977
+ },
978
+ {
979
+ "_indextime": "1355947338",
980
+ "_kv": "1",
981
+ "_raw": "2012-12-19 12:02:18,066 - admin\t<sg h=\"1\">search</sg> <sg h=\"1\">search</sg> index=_internal | head 10",
982
+ "_serial": "1",
983
+ "_sourcetype": "searches",
984
+ "_subsecond": ".066",
985
+ "_time": "2012-12-19T12:02:18.066-08:00",
986
+ "date_hour": "12",
987
+ "date_mday": "19",
988
+ "date_minute": "2",
989
+ "date_month": "december",
990
+ "date_second": "18",
991
+ "date_wday": "wednesday",
992
+ "date_year": "2012",
993
+ "date_zone": "local",
994
+ "host": "fross-mbp15.local",
995
+ "index": "_internal",
996
+ "linecount": "1",
997
+ "punct": "--_::,_-_t__=_|__",
998
+ "source": "/Users/fross/splunks/splunk-4.2.5.6/var/log/splunk/searches.log",
999
+ "sourcetype": "searches",
1000
+ "splunk_server": "fross-mbp15.local",
1001
+ "timeendpos": "24",
1002
+ "timestartpos": "11"
1003
+ }
1004
+ ]
1005
+ },
1006
+ "results": {
1007
+ "is_preview": false,
1008
+ "fields": ["_cd", "_indextime", "_kv", "_raw", "_serial", "_si",
1009
+ "_sourcetype", "_subsecond", "_time",
1010
+ "active_hist_searches", "active_realtime_searches",
1011
+ "alert_actions", "app", "autoload", "bytes", "clientip",
1012
+ "component", "cookie", "date_hour", "date_mday",
1013
+ "date_minute", "date_month", "date_second", "date_wday",
1014
+ "date_year", "date_zone", "dispatch_time", "drop_count",
1015
+ "earliest", "eventtype", "file", "group", "host",
1016
+ "ident", "index", "line", "linecount", "log_level",
1017
+ "message", "method", "other", "punct", "q", "referer",
1018
+ "referer_domain", "req_time", "requestid",
1019
+ "result_count", "return_to", "root", "run_time",
1020
+ "savedsearch_id", "savedsearch_name", "scheduled_time",
1021
+ "sid", "source", "sourcetype", "spent", "splunk_server",
1022
+ "status", "suppressed", "thread_id", "timeendpos",
1023
+ "timestartpos", "trigger_condition_state", "uri",
1024
+ "uri_domain", "uri_path", "uri_query", "user",
1025
+ "useragent", "version"],
1026
+ "results": [
1027
+ {
1028
+ "_cd": "1:5282",
1029
+ "_indextime": "1355947283",
1030
+ "_kv": "1",
1031
+ "_raw": "127.0.0.1 - admin [19/Dec/2012:12:01:22.845 -0800] \"GET /services/<sg h=\"1\">search</sg>/timeparser/tz HTTP/1.1\" 200 2891 - - - 1ms",
1032
+ "_serial": "0",
1033
+ "_si": ["fross-mbp15.local", "_internal"],
1034
+ "_sourcetype": "splunkd_access",
1035
+ "_subsecond": ".845",
1036
+ "_time": "2012-12-19T12:01:22.845-08:00",
1037
+ "bytes": "2891",
1038
+ "clientip": "127.0.0.1",
1039
+ "date_hour": "12",
1040
+ "date_mday": "19",
1041
+ "date_minute": "1",
1042
+ "date_month": "december",
1043
+ "date_second": "22",
1044
+ "date_wday": "wednesday",
1045
+ "date_year": "2012",
1046
+ "date_zone": "-480",
1047
+ "eventtype": "splunkd-access",
1048
+ "file": "tz",
1049
+ "host": "fross-mbp15.local",
1050
+ "ident": "-",
1051
+ "index": "_internal",
1052
+ "linecount": "1",
1053
+ "method": "GET",
1054
+ "other": "- - - 1ms",
1055
+ "punct": "..._-__[//:::._-]_\"_////_/.\"___-_-_-_",
1056
+ "req_time": "19/Dec/2012:12:01:22.845 -0800",
1057
+ "root": "services",
1058
+ "source": "/Users/fross/splunks/splunk-4.2.5.6/var/log/splunk/splunkd_access.log",
1059
+ "sourcetype": "splunkd_access",
1060
+ "spent": "1",
1061
+ "splunk_server": "fross-mbp15.local",
1062
+ "status": "200",
1063
+ "timeendpos": "49",
1064
+ "timestartpos": "31",
1065
+ "uri": "/services/search/timeparser/tz",
1066
+ "uri_path": "/services/search/timeparser/tz",
1067
+ "user": "admin",
1068
+ "version": "HTTP/1.1"
1069
+ }, {
1070
+ "_cd": "1:5211",
1071
+ "_indextime": "1355947283",
1072
+ "_kv": "1",
1073
+ "_raw": "127.0.0.1 - admin [19/Dec/2012:12:01:22.762 -0800] \"POST /en-US/account/login HTTP/1.1\" 200 1897 \"http://localhost:8000/en-US/account/login?return_to=%2Fen-US%2Fapp%2Fsearch%2Fflashtimeline%3Fq%3D<sg h=\"1\">search</sg>%2520<sg h=\"1\">search</sg>%2520index%253D_internal%2520%257C%2520head%252010%26earliest%3D0\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20100101 Firefox/17.0\" - 50d21d12c31e60610 35ms",
1074
+ "_serial": "1",
1075
+ "_si": ["fross-mbp15.local", "_internal"],
1076
+ "_sourcetype": "splunk_web_access",
1077
+ "_subsecond": ".762",
1078
+ "_time": "2012-12-19T12:01:22.762-08:00",
1079
+ "bytes": "1897",
1080
+ "clientip": "127.0.0.1",
1081
+ "date_hour": "12",
1082
+ "date_mday": "19",
1083
+ "date_minute": "1",
1084
+ "date_month": "december",
1085
+ "date_second": "22",
1086
+ "date_wday": "wednesday",
1087
+ "date_year": "2012",
1088
+ "date_zone": "-480",
1089
+ "file": "login",
1090
+ "host": "fross-mbp15.local",
1091
+ "ident": "-",
1092
+ "index": "_internal",
1093
+ "linecount": "1",
1094
+ "method": "POST",
1095
+ "other": "- 50d21d12c31e60610 35ms",
1096
+ "punct": "..._-__[//:::._-]_\"_/-//_/.\"___\"://:/-//?=%-%%%%%%",
1097
+ "referer": "http://localhost:8000/en-US/account/login?return_to=%2Fen-US%2Fapp%2Fsearch%2Fflashtimeline%3Fq%3Dsearch%2520search%2520index%253D_internal%2520%257C%2520head%252010%26earliest%3D0",
1098
+ "referer_domain": "http://localhost:8000",
1099
+ "req_time": "19/Dec/2012:12:01:22.762 -0800",
1100
+ "return_to": "%2Fen-US%2Fapp%2Fsearch%2Fflashtimeline%3Fq%3Dsearch%2520search%2520index%253D_internal%2520%257C%2520head%252010%26earliest%3D0",
1101
+ "root": "en-US",
1102
+ "source": "/Users/fross/splunks/splunk-4.2.5.6/var/log/splunk/web_access.log",
1103
+ "sourcetype": "splunk_web_access",
1104
+ "spent": "35",
1105
+ "splunk_server": "fross-mbp15.local",
1106
+ "status": "200",
1107
+ "timeendpos": "49",
1108
+ "timestartpos": "31",
1109
+ "uri": "/en-US/account/login",
1110
+ "uri_path": "/en-US/account/login",
1111
+ "user": "admin",
1112
+ "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20100101 Firefox/17.0",
1113
+ "version": "HTTP/1.1"
1114
+ }
1115
+ ]
1116
+ }
1117
+ }
1118
+ }
1119
+