Running the previous command on the preceding event, we see the entire event
reversed, as shown in the following code:
]resuartxe=resu ,348=emit_qer ,.3.2.1=pi ,adnil=resu[ .yppah eb ,yrrow
t'noD GUBED 0000+616.12:01:22T72-01-2102
We can then add the words argument:
* | head 10 | reverseraw words=true
We maintain the order of the words, as shown in the following code:
2012-10-27T22:10:21.616+0000 GUBED t'noD yrrow, eb yppah. [resu=adnil,
pi=1.2.3., qer_emit=843, resu=resuartxe]
For fun, let's reverse the event again:
* | head 10 | reverseraw words=true | reverseraw
This gives us the following output:
]extrauser=user ,348=time_req ,.3.2.1=ip ,linda=user[ .happy be ,worry
Don't DEBUG 0000+616.12:01:22T72-01-2102
happy be, worry Don't —Yoda could not have said it better.
Transforming data
So far, our commands have returned the original events with modifications to their
fields. Commands can also transform data, much like the built-in functions top and
stats. Let's write a function to count the words in our events. You can find this
example in ImplementingSplunkExtendingExamples/bin/countwords.py:
import splunk.Intersplunk as si
import re
import operator
from collections import defaultdict

# Create a class that does the actual work
class WordCounter:
    word_counts = defaultdict(int)
    unique_word_counts = defaultdict(int)
    rowcount = 0
    casesensitive = False
    mincount = 50
    minwordlength = 3

    def process_event(self, input):
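
An added example, not the book's countwords.py and independent of splunk.Intersplunk: it shows what a transforming step does, taking events in and returning entirely new rows (one per word) instead of the events themselves. The function name count_words, the row fields word/count/events, the word pattern, the reading of unique_word_counts as "events containing the word", and the second sample event are assumptions; the option names follow the WordCounter attributes above.

```python
import re
from collections import defaultdict

# Sample input in the shape a search command receives: one dict per event,
# with the original text in _raw. The first event is the one shown reversed
# earlier on this page; the second is constructed for this example.
SAMPLE_EVENTS = [
    {"_raw": "2012-10-27T22:10:21.616+0000 DEBUG Don't worry, be happy. "
             "[user=linda, ip=1.2.3., req_time=843, user=extrauser]"},
    {"_raw": "2012-10-27T22:10:22.100+0000 ERROR Worry now. "
             "[user=linda, req_time=12]"},
]

# Assumed word pattern: runs of letters and apostrophes, so digits,
# underscores and punctuation act as separators.
WORD_RE = re.compile(r"[A-Za-z']+")


def count_words(events, casesensitive=False, mincount=1, minwordlength=3):
    """Return one row per word with its total count and event count."""
    word_counts = defaultdict(int)         # every occurrence of a word
    unique_word_counts = defaultdict(int)  # counted once per event
    for event in events:
        raw = event.get("_raw", "")
        if not casesensitive:
            raw = raw.lower()
        seen = set()
        for word in WORD_RE.findall(raw):
            if len(word) < minwordlength:
                continue
            word_counts[word] += 1
            if word not in seen:
                seen.add(word)
                unique_word_counts[word] += 1
    # The output rows replace the input events, as top and stats do.
    rows = [
        {"word": w, "count": c, "events": unique_word_counts[w]}
        for w, c in word_counts.items()
        if c >= mincount
    ]
    # Highest count first; ties sorted alphabetically for stable output.
    rows.sort(key=lambda r: (-r["count"], r["word"]))
    return rows


if __name__ == "__main__":
    for row in count_words(SAMPLE_EVENTS, mincount=2):
        print(row)
```

The default mincount here is 1 so the two sample events produce output; the listing above uses 50.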