Splunk-SPL

index=mft_log sourcetype="mft:xferlog" source="/backup/ftp/mft/splunk_monitor/log_parse/xferlog.znasvmfts0*" account=e2e_monitor | sort starttime| table account, ip, type, filename, filesize, starttime, endtime, time, action, transferspeed, result
//---

fail* => matches fail, failure, failed, ...

Booleans => NOT, OR, AND
failed NOT password => contains failed, but not password
failed OR password => contains failed, or password
failed AND password = failed password => contains both failed and password
failed NOT (success OR accepted) => contains failed, and contains neither success nor accepted

Fields => in the fields sidebar, "a" marks a string field and "#" marks a numerical field
Selected fields => fields that appear in every event
Interesting fields => fields that appear in most events (at least 20%)

Fields in Search
sourcetype=linux_secure => search the data whose sourcetype is linux_secure
sourcetype!=linux_secure => search the data whose sourcetype isn't linux_secure
=, != => numerical or string

>, >=, <, <= => numerical only

Search example
sourcetype=linux_secure action=failure NOT host=mail* = sourcetype=linux_secure action=failure host!=mail*
(index=web OR index=security) status!=200 != (index=web OR index=security) NOT status=200
WHY?
index=web (status=500 OR status=503 OR status=505) = index=web status IN ("500","503","505")

Search by time
sourcetype=access_combined earliest=-2h latest=-1h
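The following searches are an added example, not part of the original notes. They show why the two searches marked "WHY?" above are not equivalent: `status!=200` only matches events that have a status field whose value is something other than 200, while `NOT status=200` also matches events that have no status field at all. The third search combines the boolean, wildcard and IN forms from the notes. Index, sourcetype and field names follow the course data used in these notes; the `status_present` field is created by the search itself.

```spl
index=web sourcetype=access_combined earliest=-2h latest=-1h status!=200
| eval status_present=if(isnull(status), "missing", "present")
| stats count by status_present

index=web sourcetype=access_combined earliest=-2h latest=-1h NOT status=200
| eval status_present=if(isnull(status), "missing", "present")
| stats count by status_present

index=web sourcetype=access_combined earliest=-2h latest=-1h
    status IN ("500", "503", "505") NOT host=mail*
| stats count by host, status
```

The first search never produces a "missing" row; the second does whenever events lack a status field. The same distinction applies to any exclusion filter such as `action!=success`: events where the field was never extracted are silently dropped by `!=` but kept by `NOT field=value`, so a detection that relies on `!=` can miss exactly the malformed events worth looking at.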

Search Syntax
Search Terms, Commands (blue), Functions (purple), Arguments, Clauses (orange)
sourcetype=acc* status=200 | stats list(product_name) as "Games Sold" | top "Games"
                                |<----------------------------------------->| Pipes

Boolean operators and command modifiers (orange)
Command arguments (green) => e.g. time

Ctrl + \ => reformats the search, putting each pipe on a new line
The search editor can be configured under Preferences

Fields Command
| fields status clientip => show only these two fields
| fields - status clientip => remove these two fields

Table Command
| table fieldname1, fieldname2, fieldname3 => show the results as a table

Rename Command
| rename fieldname1 as "newfieldname1" fieldname2 as "newfieldname2" ...
rename changes the field name, so commands later in the pipeline must use the new name
=> | rename fieldname1 as "newfieldname1" | fields "newfieldname1" => this works

Dedup Command
| dedup Username => keep only distinct values of the Username field
| dedup field1 field2 => keep only distinct combinations of the two fields

Sort Command
| sort field => ascending (small to big)
| sort - field => descending (big to small)
| sort field1 field2 => sort by field1, then by field2
Using the limit argument
| sort field limit=20 => return only the first 20 results
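As an added example (not from the original notes), one pipeline that chains fields, dedup, rename, sort and table, including the rename rule above: once `user` becomes "Account", the table command must refer to "Account". The index name and the `user`, `src` and `action` fields are assumed to match the course's linux_secure data.

```spl
index=security sourcetype=linux_secure action=failure
| fields _time, user, src, action
| dedup user src
| rename user AS "Account", src AS "Source IP"
| sort - _time limit=20
| table _time, "Account", "Source IP", action
```

dedup keeps the first event it sees for each user/src pair, and search results arrive newest first, so the table lists the most recent failure per account and source. Trimming fields early with `fields` reduces the data the later commands have to carry.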

Ch9
Transforming Commands => order search results into a data table for statistical purposes.
Top Command
| top Vendor => top 10 values of the Vendor field
| top Vendor limit=20 => change to the top 20 values of the Vendor field
Top Command Clauses
limit=int
countfield=string => rename the count field
percentfield=string => rename the percent field
showcount=True/False => show or hide the count column
showperc=True/False => show or hide the percent column
showother=True/False
useother=True/False => show or hide the "other" row
otherstr=string => label for the "other" row
Using the "by" Clause
| top fieldname by Vendor limit=3 => top 3 values of fieldname for each Vendor

Rare Command => the reverse of top (least common values)

Stats Command
count => total
distinct count => distinct total
sum
average
min
max
list => list all values of a field
values => unique values of a field
| stats count => total
| stats count as newfieldname => the count shown under newfieldname
| stats count as newfieldname by fieldname2, fieldname3 => one row per fieldname2, fieldname3 combination, with the count in newfieldname
| stats count(field) as fieldEvent, count as "TotalEvent" => fieldEvent counts events where field has a value, TotalEvent counts all events
| stats distinct_count(field) as "newfield" by field2 = | stats dc(field) as ...
| stats sum(field) as "newfield" by field2
| stats avg(field) as "newfield"
| stats min(field) as "newfield"
| stats max(field) as "newfield"
| stats list(field) as "newfield" by field2
| stats values(field) by field2
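An added example, not from the original notes, putting the stats functions and the top clauses above to work on authentication failures: one stats search that summarises each source with count, dc, values, min and max, and one top search that uses the countfield, showperc, useother and otherstr clauses with a by clause. The index name and the `user`, `src` and `action` fields are assumed to match the course's linux_secure data.

```spl
index=security sourcetype=linux_secure action=failure earliest=-24h
| stats count AS failures, dc(user) AS distinct_users, values(user) AS users,
        min(_time) AS first_seen, max(_time) AS last_seen by src
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - failures

index=security sourcetype=linux_secure action=failure earliest=-24h
| top limit=5 showperc=false useother=true otherstr="other sources" countfield="failures" src by user
```

In the first search, a source with a high `failures` count but a `distinct_users` of 1 looks like a stuck script or a user who forgot a password, while a high `distinct_users` against many accounts is the shape of password spraying; `values(user)` shows which accounts were tried, and min/max of `_time` bound the activity window. In the second search the top options must come before the field list, and `useother=true` folds everything below the top 5 into one row labelled with `otherstr`, so per-user totals still add up.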

Ch10 Reports and Dashboards
Share or save a search for future use => Report
Click Save As, and choose Report

After every search you can click Visualization to produce a chart, save it as a Report, and switch the chart type with Line Chart, Format, and so on.

Then click Save As, and choose Dashboard Panel
Dashboard has New and Existing options; choose Existing and then pick one of the earlier Dashboards below.
In the View screen, click Edit to drag and arrange the Dashboard yourself; a Report can also be added to a Dashboard.
You can also use Add Input to turn the Dashboard into a GUI; after adding a chart, click Edit Search and choose Inline Search.

Ch11
Pivot and Datasets
Data Models (admin, power roles) => knowledge objects that provide the data structure that drives Pivot. Datasets are like virtual tables.

Web upper Settings, and select Data Models => the result produced through Pivot can then be turned into a report or inserted into a dashboard

Data models are made up of Datasets

Ch12 Lookups
Similar to the concept of VLOOKUP
A lookup is categorized as a Dataset.
Two steps to use it: 1. define a lookup table 2. define the lookup.
Optionally configure your lookup to run automatically.
Lookup field values are case-sensitive by default.

Create lookup table: Web upper Settings, select Lookups, click Lookup table files, Add new.
Define lookup: Web upper Settings, select Lookups, click Lookup definitions, Add new.

The lookup command
index=web sourcetype=access_combined NOT status=200 | lookup http_status code AS status
(match the code field of the http_status table against the status field of each event)
The result gains the description field from http_status.

index=web sourcetype=access_combined NOT status=200 | lookup http_status code AS status OUTPUT code AS "HTTP Code", description AS "HTTP Description" => each event now shows the code, named HTTP Code, and the description, named HTTP Description
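An added example, not from the original notes, showing the lookup workflow end to end: inspect a lookup with inputlookup, enrich web errors with the course's http_status lookup, and enrich authentication failures with an asset inventory. The `asset_owners.csv` lookup with columns `ip`, `owner` and `criticality` is hypothetical and would have to be uploaded as a lookup table file first; the index name and the `src` and `action` fields are assumed to match the course's linux_secure data.

```spl
| inputlookup http_status
| head 5

index=web sourcetype=access_combined NOT status=200
| lookup http_status code AS status OUTPUT description AS "HTTP Description"
| stats count by status, "HTTP Description"
| sort - count

index=security sourcetype=linux_secure action=failure
| lookup asset_owners.csv ip AS src OUTPUTNEW owner AS asset_owner, criticality
| fillnull value="unknown" asset_owner criticality
| stats count AS failures by src, asset_owner, criticality
| sort - failures
```

OUTPUTNEW only writes `asset_owner` and `criticality` where the event does not already have them, so an existing value is never overwritten, and fillnull makes unmatched sources visible as "unknown" instead of disappearing from the by-clause grouping. Because lookup matching is case-sensitive by default, a lookup keyed on hostnames or usernames should have Case sensitive match turned off in its lookup definition (the `case_sensitive_match` setting) if the events mix upper and lower case.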

Create automatic lookups
Web upper Settings select Lookups, click Automatic lookups add new.

Ch13 Scheduled Reports and Alerts
Intro: generate a report on a schedule and send a mail notification

Create scheduled report: after searching, click Save As and choose Report; set Time Range Picker at the bottom to No; on the next page choose Schedule, tick the Schedule Report check box, and the schedule parameters become available.
Running concurrent reports, and the searches behind them, can put a big demand on your system hardware, even if everything is configured to the recommended specs.
Include a Schedule Window only if the report doesn't have to start at a specific time... and you're ok with the delay.
Finally, choose an Action to decide how to be notified when the scheduled report completes.

Manage Scheduled Reports
Web upper Settings, select "Searches, reports and alerts" to reach the management page, where you can Edit or Run immediately. Or: Web upper left App, select "App: Search & Report", select Reports, pick your own Report, then Edit from the upper right.
Embedding a Report lets you share a URL so others can see it.
An embedded Report will not show data until the scheduled search has run.
A Report can also be added to a dashboard.

Alerts
Notify you when the results of a search meet defined conditions.
Triggered when the search is completed.
There are many Actions available.

Create Alert
Search first, click Save As, choose Alert, and start selecting options
Alert type:
Scheduled: allows you to set a schedule and time range for the search to be run.
Real-time: will run the search continuously in the background. As soon as alert conditions are satisfied an action is triggered.
Runs continuously and can place more overhead on system performance.
After the alert triggers, an Action can be selected.

View, Edit & Manage Alerts:
Web upper right "Activity", select "Triggered Alerts"
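An added example, not from the original notes, of the search behind a scheduled alert. The search window (`-15m@m` to `@m`) is sized to match a cron schedule of `*/15 * * * *` so that consecutive runs neither overlap nor leave gaps, and the threshold is expressed in the search itself with `where`, so the alert's trigger condition can simply be "Number of Results is greater than 0". The index name and the `user`, `src` and `action` fields are assumed to match the course's linux_secure data; the thresholds of 20 failures or 5 distinct accounts are illustrative.

```spl
index=security sourcetype=linux_secure action=failure earliest=-15m@m latest=@m
| stats count AS failures, dc(user) AS distinct_users, values(user) AS users by src
| where failures >= 20 OR distinct_users >= 5
```

Saved as a scheduled alert rather than a real-time one, this costs one short search every 15 minutes instead of a continuously running search. Setting Trigger to "For each result" raises one alert per offending `src`, and throttling on the `src` field for 60 minutes keeps a persistent source from generating a new notification on every run.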

