Created
December 30, 2015 03:40
| { | |
| "cells": [ | |
| { | |
| "cell_type": "markdown", | |
| "metadata": {}, | |
| "source": [ | |
| "<h1>Splunk Magic</h1>" | |
| ] | |
| }, | |
| { | |
| "cell_type": "markdown", | |
| "metadata": {}, | |
| "source": [ | |
| "<table class=\"nb_heading\">\n", | |
| "<tr>\n", | |
| "<td>\n", | |
| " Project: Savvi @ NBN<br/>\n", | |
| " Written: 12/12/2015<br/>\n", | |
| " Author: Serge Rogov<br/>\n", | |
| " Security: <span class=\"nb_sec nb_public\">Public</span><br/>\n", | |
| "</td>\n", | |
| "<td style=\"width: 50%\">\n", | |
| " \n", | |
| " <div class=\"savvi-logo\" style=\"height: 4em; background-position: right 0px\"></div>\n", | |
| "</td>\n", | |
| "</tr>\n", | |
| "</table>" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": 1, | |
| "metadata": { | |
| "collapsed": false | |
| }, | |
| "outputs": [ | |
| { | |
| "name": "stdout", | |
| "output_type": "stream", | |
| "text": [ | |
| "Populating the interactive namespace from numpy and matplotlib\n" | |
| ] | |
| } | |
| ], | |
| "source": [ | |
| "%pylab inline" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": 2, | |
| "metadata": { | |
| "collapsed": false | |
| }, | |
| "outputs": [ | |
| { | |
| "data": { | |
| "text/html": [ | |
| "<style>\n", | |
| ".nb_heading{\n", | |
| "width: 100%;\n", | |
| "border: 0 !important;\n", | |
| "text-align: left;\n", | |
| "}\n", | |
| "\n", | |
| ".nb_heading tr{\n", | |
| "border: none;\n", | |
| "margin: 0;\n", | |
| "padding: 0;\n", | |
| "}\n", | |
| "\n", | |
| ".nb_heading td{\n", | |
| "border: none;\n", | |
| "margin: 0;\n", | |
| "padding: 0;\n", | |
| "}\n", | |
| "\n", | |
| ".nb_sec{\n", | |
| "border-radius: 0.2em;\n", | |
| "padding: 0.2em;\n", | |
| "}\n", | |
| "\n", | |
| ".nb_internal{\n", | |
| "background-color: red;\n", | |
| "color: white;\n", | |
| "}\n", | |
| "\n", | |
| ".nb_confidential{\n", | |
| "background-color: red;\n", | |
| "color: white;\n", | |
| "}\n", | |
| "\n", | |
| ".nb_public{\n", | |
| "background-color: hsl(111, 87%, 55%);\n", | |
| "}\n", | |
| "\n", | |
| " \n", | |
| ".nb_message{\n", | |
| " background-color: rgba(0, 24, 0, 0.05);\n", | |
| " border-left: 0.3em solid gray;\n", | |
| " border-radius: 0.15em;\n", | |
| " padding: 0.2em;\n", | |
| " padding-left: 0.3em;\n", | |
| " margin-bottom: 0.2em;\n", | |
| "}\n", | |
| "\n", | |
| ".nb_message.nb_error{\n", | |
| " background-color: rgba(255, 24, 77, 0.1);\n", | |
| " border-left: 0.3em solid red;\n", | |
| "}\n", | |
| "\n", | |
| ".nb_message.nb_warning{\n", | |
| " background-color: rgba(255, 184, 24, 0.2);\n", | |
| " border-left: 0.3em solid orange !important;\n", | |
| "}\n", | |
| " \n", | |
| ".savvi-logo {\n", | |
| " background: url(data:image/svg+xml;base64,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)\n", | |
| " no-repeat\n", | |
| " left center;\n", | |
| " background-size: contain;\n", | |
| "} \n", | |
| "\n", | |
| "</style>" | |
| ], | |
| "text/plain": [ | |
| "<IPython.core.display.HTML object>" | |
| ] | |
| }, | |
| "metadata": {}, | |
| "output_type": "display_data" | |
| } | |
| ], | |
| "source": [ | |
| "import pandas as pd\n", | |
| "import time\n", | |
| "import io\n", | |
| "import httplib2\n", | |
| "from IPython.display import display, HTML \n", | |
| "import splunklib.results as results\n", | |
| "import splunklib.client\n", | |
| "import json\n", | |
| "import IPython.display\n", | |
| "from IPython.core.magic import (register_line_magic, \n", | |
| " register_cell_magic)\n", | |
| "import qgrid2 as qgrid\n", | |
| "\n", | |
| "\n", | |
| "plt.style.use('ggplot')\n", | |
| "with open('custom_html.html', 'r') as f:\n", | |
| " custom_html = f.read()\n", | |
| "display(HTML(custom_html))" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": null, | |
| "metadata": { | |
| "collapsed": false | |
| }, | |
| "outputs": [], | |
| "source": [ | |
| "from splunk_nb import *\n", | |
| "if sys.version_info[0] < 3:\n", | |
| " from StringIO import StringIO\n", | |
| "else:\n", | |
| " from io import StringIO" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": null, | |
| "metadata": { | |
| "collapsed": false | |
| }, | |
| "outputs": [], | |
| "source": [ | |
| "with open('splunk-auth-yong', 'r') as f:\n", | |
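| " #TODO SR: the splunk auth (credentials) is read from an unencrypted JSON file on disk; encrypt it or load it from a protected store?\n", | |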
| " splunk_auth = json.loads(f.read())" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": null, | |
| "metadata": { | |
| "collapsed": false | |
| }, | |
| "outputs": [], | |
| "source": [ | |
| "service = splunklib.client.connect(autologin=True, **splunk_auth) #app=\"apm_snpm\"," | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": null, | |
| "metadata": { | |
| "collapsed": false | |
| }, | |
| "outputs": [], | |
| "source": [ | |
| "def replace_splunk_time(df):\n", | |
| " '''Converts `nb_epoch` into `_time` as datetime64\n", | |
| " `nb_epoch=_time` must be supplied by the query\n", | |
| "\n", | |
| " '''\n", | |
| " if ('nb_epoch' not in df.columns):\n", | |
| " return\n", | |
| " \n", | |
| " df['_time'] = pd.to_numeric(df['nb_epoch'], errors='coerce').astype('datetime64[s]')\n", | |
| " df.drop('nb_epoch', 1, inplace=True)\n", | |
| "\n", | |
| "class SplunkQuery:\n", | |
| " job = None\n", | |
| " search_string = None\n", | |
| " def __init__(self, search_string):\n", | |
| " if not search_string.startswith('search '):\n", | |
| " search_string = 'search ' + search_string + ' | eval nb_epoch=_time | fields - _time'\n", | |
| " self.search_string = search_string\n", | |
| " \n", | |
| " def _dispatch_query(self):\n", | |
| " self.job = service.jobs.create(self.search_string, **{\"exec_mode\": \"normal\", \n", | |
| " \"earliest_time\": '-10y', \n", | |
| " \"latest_time\": '-0min',\n", | |
| " \"output_mode\": \"csv\",\n", | |
| " \"preview\": True,\n", | |
| " \"maxEvents\": 0})\n", | |
| " \n", | |
| " def _await(self):\n", | |
| " while True:\n", | |
| " self.job.refresh()\n", | |
| " if self.job[\"isDone\"] == \"1\":\n", | |
| " break\n", | |
| " time.sleep(1)\n", | |
| " \n", | |
| " def _report_progress(self):\n", | |
| " #publish progress (stdout, NB)\n", | |
| " pass\n", | |
| " \n", | |
| " def _await_with_progress(self):\n", | |
| " print \"waiting\"\n", | |
| " while True:\n", | |
| " self.job.refresh()\n", | |
| " if self.job[\"isDone\"] == \"1\":\n", | |
| " break\n", | |
| " time.sleep(1)\n", | |
| " print \"done\"\n", | |
| " \n", | |
| " def _df_postprocess(self, df):\n", | |
| " replace_splunk_time(df)\n", | |
| " return df\n", | |
| " \n", | |
| " def _get_results_legacy(self):\n", | |
| " \"\"\"Fetches one page of results using the officially recommended\n", | |
| " approach. This method is SLOW.\n", | |
| " \n", | |
| " Args:\n", | |
| " offset: start offset\n", | |
| " count: number of results to return\n", | |
| " \"\"\"\n", | |
| " job = self.job\n", | |
| " resultCount = job[\"resultCount\"] # Number of results this job returned\n", | |
| " offset = 0; # Start at result 0\n", | |
| " count = 100; # Page size: number of results fetched per request\n", | |
| " items = []\n", | |
| " \n", | |
| " while (offset < int(resultCount)):\n", | |
| " kwargs_paginate = {\"count\": count,\n", | |
| " \"offset\": offset}\n", | |
| " # Get the search results and display them\n", | |
| " blocksearch_results = job.preview(output_mode=\"csv\", **kwargs_paginate)\n", | |
| "\n", | |
| " for result in results.ResultsReader(blocksearch_results):\n", | |
| " items.append(result)\n", | |
| " offset += count\n", | |
| " df = pd.DataFrame(items)\n", | |
| " df = self._df_postprocess(df)\n", | |
| " return df\n", | |
| " \n", | |
| " def get_preview(self):\n", | |
| " self.job.refresh()\n", | |
| " buf = StringIO()\n", | |
| " job = self.job\n", | |
| " self.buf=buf\n", | |
| " \n", | |
| " if (self.job['dispatchState']=='PARSING'):\n", | |
| " return None #haven't received a resultPreviewCount yet TODO: backport to other cases\n", | |
| " resultCount = int(self.job['resultPreviewCount'])\n", | |
| " if (resultCount==0):\n", | |
| " return None #no preview yet\n", | |
| " \n", | |
| " offset = 0\n", | |
| " page_count = 1000\n", | |
| " \n", | |
| " while (offset < resultCount):\n", | |
| " kwargs_paginate = {\"count\": page_count,\n", | |
| " \"offset\": offset}\n", | |
| " \n", | |
| " searchresults = job.preview(output_mode=\"csv\", **kwargs_paginate).read() \n", | |
| " \n", | |
| " #suppress the CSV header on pages other than the first\n", | |
| " if (offset == 0):\n", | |
| " buf.write(searchresults)\n", | |
| " else:\n", | |
| " buf.write(searchresults[searchresults.find('\\n'):])\n", | |
| " offset+=page_count\n", | |
| " \n", | |
| " buf.seek(0)\n", | |
| " \n", | |
| " df = pd.read_csv(buf)\n", | |
| " df = self._df_postprocess(df)\n", | |
| " return df\n", | |
| " \n", | |
| " def display_messages(self):\n", | |
| " classes = {'info': 'nb_info', 'fatal': 'nb_error', 'error': 'nb_error'}\n", | |
| " html = ''\n", | |
| " for k, v in self.job.messages.iteritems():\n", | |
| " line = '<div class=\"nb_message {classname}\">{message}</div>'.format(classname=classes[k], message=v[0])\n", | |
| " html = html + line\n", | |
| " display(HTML(html))\n", | |
| " \n", | |
| " def _get_results_page_fast(self, offset, count):\n", | |
| " \"\"\"Fetches one page of results\n", | |
| " \n", | |
| " Args:\n", | |
| " offset: start offset\n", | |
| " count: number of results to return\n", | |
| " \"\"\"\n", | |
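| " #TODO: uses `service` which is in global scope. Refactor\n", | |
| " #NOTE: the Http client below skips TLS certificate validation while sending the Splunk username/password; outside a trusted lab endpoint, validate the certificate (e.g. pass a CA bundle via `ca_certs`).\n", | |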
| " buf = StringIO()\n", | |
| " self.buf=buf\n", | |
| " sid = self.job['sid']\n", | |
| " myhttp = httplib2.Http(disable_ssl_certificate_validation=True)\n", | |
| " myhttp.add_credentials(service.username, service.password)\n", | |
| " url = '/services/search/jobs/{0}/results?output_mode=csv&&offset={1}&count={2}'.format(sid, offset, count)\n", | |
| " baseurl = str(service.authority)\n", | |
| " searchresults = myhttp.request(baseurl + url, 'GET')[1] \n", | |
| " buf.write(searchresults)\n", | |
| " \n", | |
| " buf.seek(0)\n", | |
| " df = pd.read_csv(buf)\n", | |
| " df = self._df_postprocess(df)\n", | |
| " return df\n", | |
| " \n", | |
| " def _get_results_fast_full(self, page_count=50000):\n", | |
| " \"\"\"Fetches entire result set quickly\n", | |
| " \n", | |
| " Args:\n", | |
| " offset: start offset\n", | |
| " page_count: maximum number of results per page (default splunk limit is 50k)\n", | |
| " \n", | |
| " Notes:\n", | |
| " Not sure which Splunk setting dictates maximum number of\n", | |
| " results returned (page count). Ideally should identify it\n", | |
| " and dynamically read via SDK\n", | |
| " \"\"\"\n", | |
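| " #TODO: uses `service` which is in global scope. Refactor\n", | |
| " #NOTE: the Http client below skips TLS certificate validation while sending the Splunk username/password; outside a trusted lab endpoint, validate the certificate (e.g. pass a CA bundle via `ca_certs`).\n", | |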
| " buf = StringIO()\n", | |
| " self.buf=buf\n", | |
| " sid = self.job['sid']\n", | |
| " resultCount = int(self.job['resultCount'])\n", | |
| " \n", | |
| " myhttp = httplib2.Http(disable_ssl_certificate_validation=True)\n", | |
| " myhttp.add_credentials(service.username, service.password)\n", | |
| " \n", | |
| " offset = 0\n", | |
| " \n", | |
| " while (offset < resultCount):\n", | |
| " url = '/services/search/jobs/{0}/results?output_mode=csv&&offset={1}&count={2}'.format(\n", | |
| " sid, offset, page_count)\n", | |
| " \n", | |
| " baseurl = str(service.authority)\n", | |
| " searchresults = myhttp.request(baseurl + url, 'GET')[1] \n", | |
| " \n", | |
| " #suppress the CSV header on pages other than the first\n", | |
| " if (offset == 0):\n", | |
| " buf.write(searchresults)\n", | |
| " else:\n", | |
| " buf.write(searchresults[searchresults.find('\\n'):])\n", | |
| " offset+=page_count\n", | |
| " \n", | |
| " buf.seek(0)\n", | |
| " df = pd.read_csv(buf)\n", | |
| " df = self._df_postprocess(df)\n", | |
| " return df\n", | |
| " \n", | |
| " \n", | |
| " \n", | |
| " def execute(self, **kwargs):\n", | |
| " \"\"\"Executes the query\n", | |
| " \n", | |
| " Args:\n", | |
| " TODO: add args\n", | |
| " \"\"\"\n", | |
| " self._dispatch_query()\n", | |
| " #self._await_with_progress()\n", | |
| " return\n", | |
| " " | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": null, | |
| "metadata": { | |
| "collapsed": true | |
| }, | |
| "outputs": [], | |
| "source": [ | |
| "def run_blocking(query):\n", | |
| " global last_job\n", | |
| " x = SplunkQuery(query)\n", | |
| " last_job = x\n", | |
| " x.execute()\n", | |
| " x._await()\n", | |
| " return x._get_results_fast_full()" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": null, | |
| "metadata": { | |
| "collapsed": true | |
| }, | |
| "outputs": [], | |
| "source": [ | |
| "def preview_kernel(df):\n", | |
| " chart=df.set_index('_time')['count'].astype('float')\n", | |
| " plt.gca().cla() \n", | |
| " chart.plot()\n", | |
| " IPython.display.clear_output(wait=True)\n", | |
| " IPython.display.display(plt.gcf()) " | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": null, | |
| "metadata": { | |
| "collapsed": true | |
| }, | |
| "outputs": [], | |
| "source": [ | |
| "def run_preview(query):\n", | |
| " global last_job\n", | |
| " x = SplunkQuery(query)\n", | |
| " last_job = x\n", | |
| " x.execute()\n", | |
| " while(x.job.is_done() == False):\n", | |
| " \n", | |
| " d = x.get_preview()\n", | |
| " if (d is None):\n", | |
| " IPython.display.clear_output(wait=True)\n", | |
| " print \"waiting\"\n", | |
| " sys.stdout.flush()\n", | |
| " continue\n", | |
| " \n", | |
| " preview_kernel(d)\n", | |
| " \n", | |
| " time.sleep(1.0)\n", | |
| " \n", | |
| " IPython.display.clear_output(wait=True)\n", | |
| " x.display_messages()\n", | |
| " print \"Done!\"\n", | |
| " return x" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": null, | |
| "metadata": { | |
| "collapsed": false | |
| }, | |
| "outputs": [], | |
| "source": [ | |
| "def run_preview(query):\n", | |
| " global last_job\n", | |
| " x = SplunkQuery(query)\n", | |
| " last_job = x\n", | |
| " first_results = True\n", | |
| " x.execute()\n", | |
| " while(x.job.is_done() == False):\n", | |
| " \n", | |
| " d = x.get_preview()\n", | |
| " if (d is None):\n", | |
| " IPython.display.clear_output(wait=True)\n", | |
| " print x.job['dispatchState']\n", | |
| " sys.stdout.flush()\n", | |
| " time.sleep(1.0)\n", | |
| " continue\n", | |
| " else:\n", | |
| " if (first_results):\n", | |
| " grid = qgrid.QGridWidget(df=d)\n", | |
| " display(grid)\n", | |
| " first_results = False\n", | |
| " \n", | |
| " grid.df = d\n", | |
| " \n", | |
| " #preview_kernel(d)\n", | |
| " \n", | |
| " time.sleep(1.0)\n", | |
| " \n", | |
| " IPython.display.clear_output(wait=False)\n", | |
| " x.display_messages()\n", | |
| " print \"Done!\"\n", | |
| " return x\n" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": null, | |
| "metadata": { | |
| "collapsed": false | |
| }, | |
| "outputs": [], | |
| "source": [ | |
| "@register_cell_magic\n", | |
| "def splunk(line, cell):\n", | |
| " query = cell\n", | |
| " if('preview=True' in line):\n", | |
| " run_preview(query)\n", | |
| " else:\n", | |
| " return run_blocking(query)\n", | |
| " \n", | |
| " " | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": null, | |
| "metadata": { | |
| "collapsed": false | |
| }, | |
| "outputs": [], | |
| "source": [ | |
| "x = run_preview('source=\"megadump_60.tgz:*\" earliest=\"11/30/2015:20:00:00\" | timechart span=4h avg(max_latency) as count')" | |
| ] | |
| }, | |
| { | |
| "cell_type": "markdown", | |
| "metadata": {}, | |
| "source": [ | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>\n", | |
| "<br/>" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": null, | |
| "metadata": { | |
| "collapsed": false | |
| }, | |
| "outputs": [], | |
| "source": [ | |
| "%%splunk preview=True\n", | |
| "source=\"megadump_60.tgz:*\" earliest=\"12/04/2015:20:00:00\" | timechart span=4h avg(max_latency) as count" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": null, | |
| "metadata": { | |
| "collapsed": false | |
| }, | |
| "outputs": [], | |
| "source": [ | |
| "df=last_job._get_results_fast_full()\n", | |
| "df.set_index('_time')['count'].plot()" | |
| ] | |
| }, | |
| { | |
| "cell_type": "code", | |
| "execution_count": null, | |
| "metadata": { | |
| "collapsed": true | |
| }, | |
| "outputs": [], | |
| "source": [] | |
| } | |
| ], | |
| "metadata": { | |
| "kernelspec": { | |
| "display_name": "Python 2", | |
| "language": "python", | |
| "name": "python2" | |
| }, | |
| "language_info": { | |
| "codemirror_mode": { | |
| "name": "ipython", | |
| "version": 2 | |
| }, | |
| "file_extension": ".py", | |
| "mimetype": "text/x-python", | |
| "name": "python", | |
| "nbconvert_exporter": "python", | |
| "pygments_lexer": "ipython2", | |
| "version": "2.7.11" | |
| } | |
| }, | |
| "nbformat": 4, | |
| "nbformat_minor": 0 | |
| } |