1) Installation and configuration
Environment:
CentOS 6.2 Linux
Installation:
First, disable SELinux:
#vi /etc/sysconfig/selinux
SELINUX=disabled
#setenforce 0
Extract the installer archive downloaded earlier from the official site and install it:
#tar -zxvf splunk-6.0.1-189883-Linux-x86_64.tgz
#cd ..
#mv splunk /usr/local
#cd /usr/local/splunk/bin
#./splunk enable boot-start
The first run prints:
This appears to be your first time running this version of Splunk.
Copying '/usr/local/splunk/etc/openldap/ldap.conf.default' to '/usr/local/splunk/etc/openldap/ldap.conf'
Moving '/usr/local/splunk/share/splunk/search_mrsparkle/modules.new' to '/usr/local/splunk/share/splunk/search_mrsparkle/modules'.
Init script installed at /etc/init.d/splunk.
Init script is not configured to run at boot.
Do the copy described in the prompt, then proceed with the installation (start the service):
#/etc/init.d/splunk start
Starting Splunk...

Splunk> Take the sh out of IT.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Creating: /usr/local/splunk/var/lib/splunk
Creating: /usr/local/splunk/var/run/splunk
Creating: /usr/local/splunk/var/run/splunk/appserver/i18n
Creating: /usr/local/splunk/var/run/splunk/appserver/modules/static/css
Creating: /usr/local/splunk/var/run/splunk/upload
Creating: /usr/local/splunk/var/spool/splunk
Creating: /usr/local/splunk/var/spool/dirmoncache
Creating: /usr/local/splunk/var/lib/splunk/authDb
Creating: /usr/local/splunk/var/lib/splunk/hashDb
Checking critical directories... Done
Checking indexes...
Validated: _audit _blocksignature _internal _thefishbucket history main summary
Done
New certs have been generated in '/usr/local/splunk/etc/auth'.
Checking filesystem compatibility... Done
Checking conf files for typos... Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)... Done [肯定]
Starting splunkweb...
Generating certs for splunkweb server
Generating a 1024 bit RSA private key
.............++++++
.....................................................++++++
writing new private key to 'privKeySecure.pem'
-----
Signature ok
subject=/CN=localhost.localdomain/O=SplunkUser
Getting CA Private Key
writing RSA key
[肯定] Done

If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://127.0.0.1:8000
Open a browser and visit the interface; make sure the firewall and the access port allow it:
#service iptables stop
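The post disables SELinux and stops iptables entirely to make the web UI reachable. The following is an added check (not from the original post and not Splunk's code) for the alternative of keeping the firewall: it assumes iptables stays up with ACCEPT rules for Splunk's web port 8000 and management port 8089, parses an iptables-save style rule dump plus the /etc/sysconfig/selinux file, and reports what the host actually exposes and to which source network. The rule dump and the SELinux config text below are constructed samples.

```python
"""Post-install exposure check for a Splunk host (added example, not from the post).

Assumes: an `iptables-save` / `iptables -S` style rule dump, the
/etc/sysconfig/selinux format used in the post, and Splunk's default ports
8000 (web) and 8089 (management)."""
import re
import socket

SPLUNK_WEB_PORT = 8000
SPLUNK_MGMT_PORT = 8089

# Constructed sample of `iptables-save` output: SSH and the web port open to all,
# the management port restricted to an admin network, a stray DROP rule for MySQL.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 8089 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
COMMIT
"""

# Constructed sample of /etc/sysconfig/selinux after the edit shown in the post.
SAMPLE_SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted
"""

# One INPUT rule with a TCP destination port; `-s` (source) is optional.
RULE_RE = re.compile(
    r"^-A INPUT(?:\s+-s\s+(?P<src>\S+))?.*?-p tcp .*?--dport (?P<port>\d+) -j (?P<target>\w+)$"
)


def allowed_tcp_ports(iptables_save_text):
    """Return {port: source} for INPUT rules that ACCEPT a TCP destination port.
    Source is 'anywhere' when the rule carries no -s match."""
    allowed = {}
    for line in iptables_save_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group("target") == "ACCEPT":
            allowed[int(m.group("port"))] = m.group("src") or "anywhere"
    return allowed


def selinux_mode(config_text):
    """Return the SELINUX= value (enforcing/permissive/disabled), ignoring comments."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("SELINUX="):
            return line.split("=", 1)[1].strip().lower()
    return "unknown"


def port_is_listening(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port. Note that Splunk's own
    'Checking http port [8000]: open' message means the opposite: free to bind."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def firewall_report(iptables_save_text):
    """Summarise which Splunk ports the firewall exposes, to whom, and what else is open."""
    allowed = allowed_tcp_ports(iptables_save_text)
    splunk_ports = (SPLUNK_WEB_PORT, SPLUNK_MGMT_PORT)
    return {
        "web_exposed_to": allowed.get(SPLUNK_WEB_PORT),
        "mgmt_exposed_to": allowed.get(SPLUNK_MGMT_PORT),
        "other_open_ports": sorted(p for p in allowed if p not in splunk_ports),
    }


if __name__ == "__main__":
    print("SELinux:", selinux_mode(SAMPLE_SELINUX_CONFIG))
    print(firewall_report(SAMPLE_IPTABLES_SAVE))
    print("8000 listening locally:", port_is_listening(SPLUNK_WEB_PORT))
```

On a real host, feed `allowed_tcp_ports` the output of `iptables-save` and `selinux_mode` the contents of /etc/sysconfig/selinux; a `mgmt_exposed_to` of "anywhere" is the finding to act on, since 8089 is the REST/management API and does not need to be reachable from the networks that use the web UI.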
2) Common search syntax
Type the search term directly into the search box:
purchase
Finds events containing the term "purchase".
field_name="search term":
source="Sampledata.zip:./apache3.splunk.com/access_combined.log"
Finds events whose source is "Sampledata.zip:./apache3.splunk.com/access_combined.log".
source="Sampledata.zip:./apache*"
Finds events from every source whose name starts with apache.
source="Sampledata.zip:./apache3.splunk.com/access_combined.log" purchase NOT 200
Finds events from source "Sampledata.zip:./apache3.splunk.com/access_combined.log" that contain the term "purchase" and do not contain 200.
Find error codes:
error OR failed OR (sourcetype=access* (404 OR 500 OR 503))
You can of course use the status field as well:
(sourcetype=access* (status=404 OR status=500 OR status=503)) host="apache3.splunk.com"
source="Sampledata.zip:./apache*" | top 10 product_id
Gets the 10 most visited product IDs.
source="Sampledata.zip:./apache*" | top limit=1 clientip
Gets the client IP that consumes the most (the single top clientip).
source="Sampledata.zip:./apache*" action=purchase clientip=233.77.49.50 | stats count, values(product_id) by clientip
Gets the products purchased by the given client IP and totals the count.
source="Sampledata.zip:./apache*" category_id=flowers | stats dc(clientip)
Counts how many distinct users bought products in the flowers category.
source="Sampledata.zip:./apache*" category_id=flowers | stats count BY clientip
Number of flower purchases per individual user.
source="Sampledata.zip:./apache*" category_id=flowers | stats count AS "購買鮮花數量" BY clientip | rename clientip AS 客戶
We can rename the result fields.
A subsearch is enclosed in []; the bracketed part runs first, and the outer search runs afterward on its result.
A subsearch must begin with the search command.
Subsearches are somewhat slower.
source="Sampledata.zip:./apache*" action=purchase [search sourcetype=access_* action=purchase | top limit=1 clientip | table clientip] | stats count, values(product_id) as product_id by clientip | rename count AS "購買數量", product_id AS "購買產品內容", clientip AS "vip用戶"
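The searches in this section, re-implemented in plain Python over a few constructed access_combined lines so that what each SPL stage returns can be checked offline. This is an added example, not Splunk's code and not from the original post; it assumes the tutorial-style log format in which action, category_id and product_id are query-string parameters of the request URI, and the sample lines, IPs and product IDs are constructed. It covers the free-text and field filters (including NOT), top, stats count/values/dc, and the subsearch pipeline of the last query.

```python
"""Python equivalents of the SPL pipelines above (added example, not Splunk code).

Assumes the tutorial-style access_combined format where action, category_id and
product_id are carried in the request URI query string."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample events shaped like the tutorial's web access log.
SAMPLE_LOG = """\
233.77.49.50 - - [10/Jan/2014:18:22:16] "GET /cart.do?action=purchase&category_id=flowers&product_id=FL-DSH-01 HTTP/1.1" 200 1318 "-" "Mozilla/5.0" 1099
233.77.49.50 - - [10/Jan/2014:18:23:02] "GET /cart.do?action=purchase&category_id=flowers&product_id=FL-DLH-02 HTTP/1.1" 200 1201 "-" "Mozilla/5.0" 734
86.212.199.60 - - [10/Jan/2014:18:24:40] "GET /cart.do?action=purchase&category_id=flowers&product_id=FL-DSH-01 HTTP/1.1" 200 1100 "-" "Mozilla/5.0" 512
86.212.199.60 - - [10/Jan/2014:18:25:11] "GET /cart.do?action=addtocart&category_id=toys&product_id=TY-RB-01 HTTP/1.1" 200 980 "-" "Mozilla/5.0" 301
12.130.60.4 - - [10/Jan/2014:18:26:05] "GET /cart.do?action=purchase&category_id=toys&product_id=TY-RB-01 HTTP/1.1" 503 0 "-" "Mozilla/5.0" 1850
12.130.60.4 - - [10/Jan/2014:18:27:19] "GET /productscreen.html?product_id=TY-RB-01 HTTP/1.1" 404 0 "-" "Mozilla/5.0" 15
"""

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_events(text):
    """Extract the fields the searches use (clientip, status, and the URI parameters
    action/category_id/product_id); the raw line is kept as _raw for term matching."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        ev = {"_raw": raw}
        if m:
            ev.update(m.groupdict())
            ev["status"] = int(ev["status"])
            for key, vals in parse_qs(urlsplit(ev["uri"]).query).items():
                ev[key] = vals[0]
        events.append(ev)
    return events


def search(events, *terms, **fields):
    """Emulate the search bar: a bare term is a case-insensitive match on _raw (real
    Splunk matches whole tokens; substring is an approximation), 'NOT term' excludes,
    and field=value requires an exact field match."""
    def term_ok(ev, t):
        raw = ev["_raw"].lower()
        return t[4:].lower() not in raw if t.startswith("NOT ") else t.lower() in raw
    return [ev for ev in events
            if all(term_ok(ev, t) for t in terms)
            and all(str(ev.get(k)) == str(v) for k, v in fields.items())]


def top(events, field, limit=10):
    """`| top limit=N field`: most frequent values with count and percent."""
    counts = Counter(ev[field] for ev in events if field in ev)
    total = sum(counts.values())
    return [(val, n, round(100.0 * n / total, 2)) for val, n in counts.most_common(limit)]


def stats_count_by(events, field):
    """`| stats count BY field`."""
    return dict(Counter(ev[field] for ev in events if field in ev))


def stats_count_values_by(events, values_field, by):
    """`| stats count, values(values_field) BY by`; values() is de-duplicated and sorted."""
    counts, vals = Counter(), defaultdict(set)
    for ev in events:
        if by in ev:
            counts[ev[by]] += 1
            if values_field in ev:
                vals[ev[by]].add(ev[values_field])
    return {k: (counts[k], sorted(vals[k])) for k in counts}


def dc(events, field):
    """`| stats dc(field)`: number of distinct values."""
    return len({ev[field] for ev in events if field in ev})


def error_events(events):
    """error OR failed OR (status=404 OR status=500 OR status=503), as in the post."""
    return [ev for ev in events
            if ev.get("status") in (404, 500, 503)
            or "error" in ev["_raw"].lower() or "failed" in ev["_raw"].lower()]


def vip_purchases(events):
    """The subsearch pipeline: [search action=purchase | top limit=1 clientip | table clientip]
    runs first; its single clientip becomes a filter on the outer action=purchase search,
    which is then summarised with stats count, values(product_id) BY clientip."""
    purchases = search(events, action="purchase")
    vip_ip = top(purchases, "clientip", limit=1)[0][0]
    return stats_count_values_by(search(purchases, clientip=vip_ip), "product_id", "clientip")


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(top(evs, "product_id"))                               # | top 10 product_id
    print(dc(search(evs, category_id="flowers"), "clientip"))   # | stats dc(clientip)
    print(vip_purchases(evs))                                   # the subsearch query
```

The `search` function keeps the post's distinction between a bare term (matched against the whole event) and a field=value test (matched against an extracted field), which is why `purchase NOT 200` excludes any event that merely contains the digits 200 anywhere, not only those with status 200.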
Attachments: the two sample-data archives used in the official documentation exercises, and the spl_splunk syntax comparison table.
Note: because of the blog's upload size limit, the Splunk installer archive could not be uploaded; if you need it, download it from the official site.