Splunk Installation, Configuration and Common Syntax

1) Installation and configuration

Environment:
CentOS 6.2

Installation:
  First, disable SELinux:

#vi /etc/sysconfig/selinux
SELINUX=disabled
#setenforce 0

Extract the archive previously downloaded from the official site, then install it.

#tar -zxvf splunk-6.0.1-189883-Linux-x86_64.tgz
#cd ..
#mv splunk /usr/local
#cd /usr/local/splunk/bin
#./splunk enable boot-start

On the first run it prompts:

This appears to be your first time running this version of Splunk.
Copying '/usr/local/splunk/etc/openldap/ldap.conf.default' to '/usr/local/splunk/etc/openldap/ldap.conf'
Moving '/usr/local/splunk/share/splunk/search_mrsparkle/modules.new' to '/usr/local/splunk/share/splunk/search_mrsparkle/modules'.
Init script installed at /etc/init.d/splunk.
Init script is not configured to run at boot.

Perform the copy step as prompted, then proceed with the installation:

#/etc/init.d/splunk start
Starting Splunk...
Splunk> Take the sh out of IT.
Checking prerequisites...
        Checking http port [8000]: open
        Checking mgmt port [8089]: open
        Checking configuration...  Done.
                Creating: /usr/local/splunk/var/lib/splunk
                Creating: /usr/local/splunk/var/run/splunk
                Creating: /usr/local/splunk/var/run/splunk/appserver/i18n
                Creating: /usr/local/splunk/var/run/splunk/appserver/modules/static/css
                Creating: /usr/local/splunk/var/run/splunk/upload
                Creating: /usr/local/splunk/var/spool/splunk
                Creating: /usr/local/splunk/var/spool/dirmoncache
                Creating: /usr/local/splunk/var/lib/splunk/authDb
                Creating: /usr/local/splunk/var/lib/splunk/hashDb
        Checking critical directories...        Done
        Checking indexes...
                Validated: _audit _blocksignature _internal _thefishbucket history main summary
        Done
New certs have been generated in '/usr/local/splunk/etc/auth'.
        Checking filesystem compatibility...  Done
        Checking conf files for typos...        Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Done
                                                           [確定]
Starting splunkweb...  Generating certs for splunkweb server
Generating a 1024 bit RSA private key
.............++++++
.....................................................++++++
writing new private key to 'privKeySecure.pem'
-----
Signature ok
subject=/CN=localhost.localdomain/O=SplunkUser
Getting CA Private Key
writing RSA key
                                                           [確定]
Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://127.0.0.1:8000

Open a browser to access it, making sure the firewall permits the access port:

#service iptables stop


2) Common syntax

Full-text search

    Type the "search term" directly into the search box:

    purchase

    Finds events matching the term "purchase".

Field search

    field_name="search term"

    source="Sampledata.zip:./apache3.splunk.com/access_combined.log"

    Finds events whose data source is "Sampledata.zip:./apache3.splunk.com/access_combined.log".

Wildcard search

    source="Sampledata.zip:./apache*"

    Finds events from every data source whose name begins with apache.

Boolean search

    source="Sampledata.zip:./apache3.splunk.com/access_combined.log" purchase NOT 200

    Finds events from the source "Sampledata.zip:./apache3.splunk.com/access_combined.log" that contain the term "purchase" and do not contain 200.

Nested search

    Find error codes:

    error OR failed OR (sourcetype=access* (404 OR 500 OR 503))

    You can of course add the status field:

    (sourcetype=access* (status=404 OR status=500 OR status=503)) host="apache3.splunk.com"

Using search commands

    source="Sampledata.zip:./apache*" | top 10 product_id

    Gets the 10 most accessed product ids.

    source="Sampledata.zip:./apache*" | top limit=1 clientip

    Gets the client IP that consumed the most.

    source="Sampledata.zip:./apache*" action=purchase clientip=233.77.49.50 | stats count, values(product_id) by clientip

    Gets the products purchased by the given client IP and totals the count.

    source="Sampledata.zip:./apache*" category_id=flowers | stats dc(clientip)

    Counts how many users bought products in the flowers category.

    source="Sampledata.zip:./apache*" category_id=flowers | stats count BY clientip

    Number of flower purchases by each distinct user.

    source="Sampledata.zip:./apache*" category_id=flowers | stats count AS "購買鮮花數量" BY clientip | rename clientip AS 客戶

    The result fields can be renamed.

Subsearch

    The subsearch is enclosed in []; the bracketed part is executed first, and only then the outer search.

    A subsearch must begin with the search command.

    Subsearches are somewhat slower.

    source="Sampledata.zip:./apache*" action=purchase [search sourcetype=access_* action=purchase | top limit=1 clientip | table clientip] | stats count, values(product_id) as product_id by clientip | rename count AS "購買數量", product_id AS "購買產品內容", clientip AS "vip用戶"
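As an added illustration (not part of the original post, and not Splunk's own code), the Python below mimics how the subsearch above is evaluated over a few constructed access_combined lines: the bracketed search runs first to pick the top purchasing clientip, and the outer search then filters on that value and runs stats count, values(product_id) by clientip. It also reproduces the stats dc(clientip) count from the flowers example; the sample IPs and query-string fields are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample events in access_combined format (not the page's Sampledata.zip).
SAMPLE_LOG = """\
233.77.49.50 - - [10/Jan/2014:18:22:16 +0000] "GET /cart.do?action=purchase&product_id=FL-DSH-01&category_id=flowers HTTP/1.1" 200 1318
233.77.49.50 - - [10/Jan/2014:18:22:30 +0000] "GET /cart.do?action=purchase&product_id=FL-DLH-02&category_id=flowers HTTP/1.1" 200 1215
233.77.49.50 - - [10/Jan/2014:18:23:01 +0000] "GET /cart.do?action=view&product_id=TE-PP-01&category_id=teddy HTTP/1.1" 200 1301
87.194.216.51 - - [10/Jan/2014:18:25:44 +0000] "GET /cart.do?action=purchase&product_id=TE-PP-01&category_id=teddy HTTP/1.1" 200 1241
87.194.216.51 - - [10/Jan/2014:18:26:10 +0000] "GET /oldlink?item=EST-6 HTTP/1.1" 404 0
"""

# Field extraction: clientip and status from fixed columns, the rest from the query string.
LINE_RE = re.compile(r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) \S+" (?P<status>\d{3}) \d+')

def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # an unparseable line simply yields no extracted fields
        ev = {"clientip": m.group("clientip"), "status": m.group("status")}
        for key, vals in parse_qs(m.group("uri").partition("?")[2]).items():
            ev[key] = vals[0]
        events.append(ev)
    return events

def search(events, **terms):
    """field=value terms AND-ed together, as in an SPL search clause."""
    return [e for e in events if all(e.get(k) == v for k, v in terms.items())]

def top_limit_1(events, field):
    """| top limit=1 <field>: the single most frequent value (None if no events)."""
    counts = Counter(e[field] for e in events if field in e)
    return counts.most_common(1)[0][0] if counts else None

def distinct_count(events, field):
    """| stats dc(<field>): number of distinct values."""
    return len({e[field] for e in events if field in e})

def vip_purchases(text):
    """The page's subsearch: the bracketed search runs first and yields the top
    purchasing clientip; the outer search filters on it, then stats count, values()."""
    events = parse_events(text)
    vip = top_limit_1(search(events, action="purchase"), "clientip")  # subsearch
    rows = search(events, action="purchase", clientip=vip)             # outer search
    return {"vip user": vip, "purchase count": len(rows),
            "products purchased": sorted({e["product_id"] for e in rows})}
```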



Attachments: the two sample-data archives used in the official documentation exercises, and the spl_splunk syntax comparison table.

Note: because of the blog's upload size limit, the Splunk installation archive cannot be uploaded; please download it from the official site yourself.
