thinkerbot/dashboard.xml

## dashboard.xml
<?xml version="1.0"?>
<form>
  <label>The Battle Overview</label>
  <searchTemplate><![CDATA[
    index=thebattle | rex field=uri "/battle/(?<thing>[^?]+)(\?color=(?<color>\w+))?" | eval color=if(isnull(color), "", color) | eval strategy=color.thing | stats count by date_hour, bytes, clientip, strategy
    ]]>
  </searchTemplate>
  <fieldset>
    <input type="time">
      <label/>
      <default>All time</default>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>What it is.</title>
      <searchPostProcess><![CDATA[chart sum(count) by strategy]]></searchPostProcess>
      <option name="charting.chart">pie</option>
      <option name="height">200px</option>
    </chart>
  </row>
  <row>
    <chart>
      <title>How it happened.</title>
      <searchPostProcess><![CDATA[chart sum(count) over date_hour by strategy]]></searchPostProcess>
      <option name="charting.chart">line</option>
      <option name="height">200px</option>
    </chart>
  </row>
  <row>
    <table>
      <title>Stats</title>
      <searchPostProcess><![CDATA[stats avg(bytes) by clientip]]></searchPostProcess>
      <option name="showPager">true</option>
      <option name="count">20</option>
    </table>
  </row>
</form>

## inputs.conf
[default]
host = m13725.pinnacol.com

[monitor:///abs/path/to/rails/log]
index=main
sourcetype=rails

[fschange:/abs/path/to/dir]
index=main
sourcetype=projectdata
recurse=true
pollPeriod=60
fullEvent=true

## props.conf
[source::.../bundle.txt]
sourcetype = bundle

[source::.../rcov.txt]
sourcetype = rcov

[source::.../rdoc.txt]
sourcetype = rdoc

## splunk.txt
# search time field extraction
sourcetype=rails | rex field=_raw "Processing(\s)(?<controller>\S+)#(?<action>\S+)(\s\(for\s(?<client>[\d.]*).*\)\s\[(?<method>\S+)\])?" | top action

# multiple extractions, concatenation, basic stats
sourcetype=rails
| rex field=_raw "Processing(\s)(?<controller>\S+)#(?<action>\S+)(\s\(for\s(?<client>[\d.]*).*\)\s\[(?<method>\S+)\])?"
| rex field=_raw "Completed.*in\s(?<request_time>[\d.]*)(ms)?(\s\((?<req_per_sec>\d*)\sreqs/sec)?"
| rex field=_raw "((ActiveRecord:)|(DB:))\s(?<db_time>[\d.]*)"
| rex field=_raw "((Views:)|(View:)|(Rendering:))\s(?<render_time>[\d.]*)"
| fields request_time render_time db_time controller action
| eval controller_action=controller."#".action
| stats avg(request_time),avg(render_time),avg(db_time) by controller_action

# use of sed rex to reformat into a table, then multikv to split into multiple events
sourcetype=bundle
| rex mode=sed "s/Gems.*/GEM VERSION/"
| rex mode=sed "s/  \* ([[:alnum:]_-]{1,}) \(([[:alnum:]. ]{1,})\)/\1 \2/g"
| multikv

  # versions of each gem
  | chart values(VERSION) by GEM

  # list of projects using each gem version
  | rex field=source "/(?<project>[\w_-]+)/\w+/bundle.txt"
  | eval gem_name=GEM."-".VERSION
  | chart values(project) by gem_name

  # number of distinct gems
  | eval gem_name=GEM."-".VERSION
  | stats distinct_count(gem_name)

  # number of distinct versions per gem
  | eval gem_name=GEM."-".VERSION
  | chart count(gem_name) by GEM

  # number of gems per project
  | rex field=source "/(?<project>[\w_-]+)/\w+/bundle.txt"
  | chart dc(GEM) by project


## summary_index.txt
search: index=thebattle | sistats avg(bytes) by clientip
start: @h
stop: +1h@h
run: hourly
fields:
  report: avg_bytes_by_client

sudo ./splunk cmd python fill_summary_index.py -app search -name "Summary Avg Bytes by Client" -et 1320991200 -lt 1321081200 -dedup true -owner admin -auth admin:PASSWORD

index=summary report=avg_bytes_by_client | stats avg(bytes) by clientip
	<?xml version="1.0"?>
	<form>
	<label>The Battle Overview</label>
	<searchTemplate><![CDATA[
	index=thebattle \| rex field=uri "/battle/(?<thing>[^?]+)(\?color=(?<color>\w+))?" \| eval color=if(isnull(color), "", color) \| eval strategy=color.thing \| stats count by date_hour, bytes, clientip, strategy
	]]>
	</searchTemplate>
	<fieldset>
	<input type="time">
	<label/>
	<default>All time</default>
	</input>
	</fieldset>
	<row>
	<chart>
	<title>What it is.</title>
	<searchPostProcess><![CDATA[chart sum(count) by strategy]]></searchPostProcess>
	<option name="charting.chart">pie</option>
	<option name="height">200px</option>
	</chart>
	</row>
	<row>
	<chart>
	<title>How it happened.</title>
	<searchPostProcess><![CDATA[chart sum(count) over date_hour by strategy]]></searchPostProcess>
	<option name="charting.chart">line</option>
	<option name="height">200px</option>
	</chart>
	</row>
	<row>
	<table>
	<title>Stats</title>
	<searchPostProcess><![CDATA[stats avg(bytes) by clientip]]></searchPostProcess>
	<option name="showPager">true</option>
	<option name="count">20</option>
	</table>
	</row>
	</form>
	[default]
	host = m13725.pinnacol.com

	[monitor:///abs/path/to/rails/log]
	index=main
	sourcetype=rails

	[fschange:/abs/path/to/dir]
	index=main
	sourcetype=projectdata
	recurse=true
	pollPeriod=60
	fullEvent=true
	[source::.../bundle.txt]
	sourcetype = bundle

	[source::.../rcov.txt]
	sourcetype = rcov

	[source::.../rdoc.txt]
	sourcetype = rdoc
	# search time field extraction
	sourcetype=rails \| rex field=_raw "Processing(\s)(?<controller>\S+)#(?<action>\S+)(\s\(for\s(?<client>[\d.]).\)\s\[(?<method>\S+)\])?" \| top action

	# multiple extractions, concatenation, basic stats
	sourcetype=rails
	\| rex field=_raw "Processing(\s)(?<controller>\S+)#(?<action>\S+)(\s\(for\s(?<client>[\d.]).\)\s\[(?<method>\S+)\])?"
	\| rex field=_raw "Completed.in\s(?<request_time>[\d.])(ms)?(\s\((?<req_per_sec>\d*)\sreqs/sec)?"
	\| rex field=_raw "((ActiveRecord:)\|(DB:))\s(?<db_time>[\d.]*)"
	\| rex field=_raw "((Views:)\|(View:)\|(Rendering:))\s(?<render_time>[\d.]*)"
	\| fields request_time render_time db_time controller action
	\| eval controller_action=controller."#".action
	\| stats avg(request_time),avg(render_time),avg(db_time) by controller_action

	# use of sed rex to reformat into a table, then multikv to split into multiple events
	sourcetype=bundle
	\| rex mode=sed "s/Gems.*/GEM VERSION/"
	\| rex mode=sed "s/ \* ([[:alnum:]_-]{1,}) \(([[:alnum:]. ]{1,})\)/\1 \2/g"
	\| multikv

	# versions of each gem
	\| chart values(VERSION) by GEM

	# list of projects using each gem version
	\| rex field=source "/(?<project>[\w_-]+)/\w+/bundle.txt"
	\| eval gem_name=GEM."-".VERSION
	\| chart values(project) by gem_name

	# number of distinct gems
	\| eval gem_name=GEM."-".VERSION
	\| stats distinct_count(gem_name)

	# number of distinct versions per gem
	\| eval gem_name=GEM."-".VERSION
	\| chart count(gem_name) by GEM

	# number of gems per project
	\| rex field=source "/(?<project>[\w_-]+)/\w+/bundle.txt"
	\| chart dc(GEM) by project
	search: index=thebattle \| sistats avg(bytes) by clientip
	start: @h
	stop: +1h@h
	run: hourly
	fields:
	report: avg_bytes_by_client

	sudo ./splunk cmd python fill_summary_index.py -app search -name "Summary Avg Bytes by Client" -et 1320991200 -lt 1321081200 -dedup true -owner admin -auth admin:PASSWORD

	index=summary report=avg_bytes_by_client \| stats avg(bytes) by clientip