Class representing an index on the Splunk server.
Beyond what its superclass Entity provides, Index also exposes methods to write data to an index and delete all data from an index.
Opens a socket to write events to this index.
Write events to the returned stream Socket, and Splunk will index the data. You can optionally pass a hash of host, source, and sourcetype arguments to be sent with every event.
Splunk may not index submitted events until the socket is closed or at least 1MB of data has been submitted.
You are responsible for closing the socket.
Note that SSLSocket and TCPSocket have incompatible APIs.
Returns: an SSLSocket or TCPSocket.
Example:
    service = Splunk::connect(:username => 'admin', :password => 'foo')
    stream = service.indexes['main'].attach(:sourcetype => 'mysourcetype')
    (1..5).each { stream.write("This is a cheezy event\r\n") }
    stream.close()

    # File lib/splunk-sdk-ruby/entity/index.rb, line 53
    def attach(args={})
      args[:index] = @name

      path = (@service.namespace.to_path_fragment() + ["receivers","stream"]).
        map {|fragment| URI::encode(fragment)}.
        join("/")
      query = URI.encode_www_form(args)

      cn = @service.connect
      headers = "POST /#{path}?#{query} HTTP/1.1\r\n" +
        "Host: #{@service.host}:#{@service.port}\r\n" +
        "Accept-Encoding: identity\r\n" +
        "Authorization: Splunk #{@service.token}\r\n" +
        "X-Splunk-Input-Mode: Streaming\r\n" +
        "\r\n"
      cn.write(headers)
      cn
    end
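A wrapper around the attach call above, as an added example that is not part of the Splunk SDK: it closes the socket even when the writer raises, and escapes CR/LF in event text so one untrusted string cannot become several events. `IndexStream`, `FakeIndex` and `demo_stream` are hypothetical names, the one-event-per-line framing is an assumption taken from the example above, and the sample events are constructed.

```ruby
require 'stringio'

# Added example (not SDK code): safe streaming on top of Index#attach.
module IndexStream
  # Backslash is escaped too, so the encoding stays reversible.
  ESCAPES = { "\\" => "\\\\", "\r" => "\\r", "\n" => "\\n" }.freeze

  # Assumption: one event per CRLF-terminated line, as in the attach example.
  def self.encode_event(text)
    text.to_s.gsub(/[\\\r\n]/, ESCAPES) + "\r\n"
  end

  # index: any object whose attach(args) returns a writable, closable stream.
  # Yields an emitter and returns the number of bytes written.
  def self.open(index, args = {})
    stream = index.attach(args)
    bytes = 0
    emit = lambda do |event|
      line = encode_event(event)
      stream.write(line)
      bytes += line.bytesize
    end
    begin
      yield emit
    ensure
      stream.close # Splunk may not index buffered events until close
    end
    bytes
  end
end

# Constructed stand-in for Splunk::Index so the example runs offline.
class FakeIndex
  attr_reader :stream, :args

  def attach(args = {})
    @args = args
    @stream = StringIO.new
  end
end

def demo_stream
  index = FakeIndex.new
  bytes = IndexStream.open(index, :sourcetype => 'mysourcetype') do |emit|
    emit.call("login ok user=alice")
    # Constructed untrusted value with an embedded CR/LF.
    emit.call("login failed user=bob\r\nlogin ok user=admin")
  end
  [index.stream.string, index.stream.closed?, bytes]
end
```

With a real index object in place of `FakeIndex`, the wrapper calls only `write` and `close` on the returned socket.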
DEPRECATED: Delete the index instead.
Deletes all events in this index.
The clean method will wait until the operation completes, or timeout seconds have passed. By default, timeout is 100 seconds.
Cleaning an index is done by setting maxTotalDataSizeMB and frozenTimePeriodInSecs to "1".
Returns: the Index.
    # File lib/splunk-sdk-ruby/entity/index.rb, line 85
    def clean(timeout=100)
      warn "[DEPRECATION] Index#clean is deprecated. Delete the index instead."
      refresh()
      original_state = read(['maxTotalDataSizeMB', 'frozenTimePeriodInSecs'])
      was_disabled_initially = fetch("disabled") == "1"
      needed_restart_initially = @service.server_requires_restart?
      if (!was_disabled_initially && @service.splunk_version[0] < 5)
        disable()
      end

      update(:maxTotalDataSizeMB => 1, :frozenTimePeriodInSecs => 1)
      roll_hot_buckets()

      Timeout::timeout(timeout) do
        while true
          refresh()
          if fetch("totalEventCount") == "0"
            break
          else
            sleep(1)
          end
        end
      end

      # Restores the original state
      if !was_disabled_initially
        enable()
        if !needed_restart_initially and @service.server_requires_restart?
          service.request(:method => :DELETE,
                          :resource => ["messages", "restart_required"])
        end
      end
      update(original_state)
    end
DEPRECATED.
Tells Splunk to roll the hot buckets in this index now.
A Splunk index is a collection of buckets containing events. A bucket begins life "hot", where events may be written into it. At some point, when it grows to a certain size, or when roll_hot_buckets is called, it is rolled to "warm" and a new hot bucket is created. Warm buckets are fully accessible, but no longer receive new events. Eventually warm buckets are archived to become cold buckets.
Returns: the Index.
    # File lib/splunk-sdk-ruby/entity/index.rb, line 134
    def roll_hot_buckets()
      warn "[DEPRECATION] Index#roll_hot_buckets is deprecated."
      @service.request(:method => :POST,
                       :resource => @resource + [@name, "roll-hot-buckets"])
      return self
    end
Writes a single event to this index.
event is the text of the event. You can optionally pass a hash with the optional keys :host, :source, and :sourcetype.
Returns: the Index.
Example:
    service = Splunk::connect(:username => 'admin', :password => 'foo')
    service.indexes['main'].submit("this is an event",
                                   :host => "baz",
                                   :sourcetype => "foo")

    # File lib/splunk-sdk-ruby/entity/index.rb, line 155
    def submit(event, args={})
      args[:index] = @name
      @service.request(:method => :POST,
                       :resource => ["receivers", "simple"],
                       :query => args,
                       :body => event)
      return self
    end
Uploads a file accessible by the Splunk server.
filename should be the full path to the file on the server where Splunk is running. Besides filename, upload also takes a hash of optional arguments, all of which take Strings:
:host - The host for the events.
:host_regex - A regex to be used to extract a 'host' field from the path. If the path matches this regular expression, the captured value is used to populate the 'host' field for events from this data input. The regular expression must have one capture group.
:host_segment - Use the specified slash-separated segment of the path as the host field value.
:rename-source - The value of the 'source' field to be applied to the data from this file.
:sourcetype - The value of the 'sourcetype' field to be applied to data from this file.
    # File lib/splunk-sdk-ruby/entity/index.rb, line 183
    def upload(filename, args={})
      args['index'] = @name
      args['name'] = filename
      @service.request(:method => :POST,
                       :resource => ["data", "inputs", "oneshot"],
                       :body => args)
    end