SPLUNK Installation, Configuration and Common Search Syntax

1) Installation and configuration

Environment:
CentOS 6.2

Starting the installation:
  First disable SELinux (the edit to the config file makes the change persistent across reboots; setenforce 0 applies it immediately for the running system):

#vi /etc/sysconfig/selinux
SELINUX=disabled
#setenforce 0

Extract the archive downloaded earlier from the official site and install it:

#tar -zxvf splunk-6.0.1-189883-Linux-x86_64.tgz
#cd ..
#mv splunk /usr/local
#cd /usr/local/splunk/bin
#./splunk enable boot-start

On the first run it prints:

This appears to be your first time running this version of Splunk.
Copying '/usr/local/splunk/etc/openldap/ldap.conf.default' to '/usr/local/splunk/etc/openldap/ldap.conf'
Moving '/usr/local/splunk/share/splunk/search_mrsparkle/modules.new' to '/usr/local/splunk/share/splunk/search_mrsparkle/modules'.
Init script installed at /etc/init.d/splunk.
Init script is not configured to run at boot.

Perform the copy operation as prompted, then start the service:

#/etc/init.d/splunk start
Starting Splunk...
Splunk> Take the sh out of IT.
Checking prerequisites...
        Checking http port [8000]: open
        Checking mgmt port [8089]: open
        Checking configuration...  Done.
                Creating: /usr/local/splunk/var/lib/splunk
                Creating: /usr/local/splunk/var/run/splunk
                Creating: /usr/local/splunk/var/run/splunk/appserver/i18n
                Creating: /usr/local/splunk/var/run/splunk/appserver/modules/static/css
                Creating: /usr/local/splunk/var/run/splunk/upload
                Creating: /usr/local/splunk/var/spool/splunk
                Creating: /usr/local/splunk/var/spool/dirmoncache
                Creating: /usr/local/splunk/var/lib/splunk/authDb
                Creating: /usr/local/splunk/var/lib/splunk/hashDb
        Checking critical directories...        Done
        Checking indexes...
                Validated: _audit _blocksignature _internal _thefishbucket history main summary
        Done
New certs have been generated in '/usr/local/splunk/etc/auth'.
        Checking filesystem compatibility...  Done
        Checking conf files for typos...        Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Done
                                                           [确定]
Starting splunkweb...  Generating certs for splunkweb server
Generating a 1024 bit RSA private key
.............++++++
.....................................................++++++
writing new private key to 'privKeySecure.pem'
-----
Signature ok
subject=/CN=localhost.localdomain/O=SplunkUser
Getting CA Private Key
writing RSA key
                                                           [确定]
Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
                                                                                                                                                            
The Splunk web interface is at http://127.0.0.1:8000

Open a browser and access the address above; at the same time make sure the firewall allows the ports. This stops the host firewall entirely; if the firewall is to stay enabled, only the web port (8000) and management port (8089) listed in the startup checks above need to be reachable.

#service iptables stop


2) Common search syntax

Full-text search

    Type the "search term" directly into the search box:

    purchase

    Finds events containing the term "purchase".

Field search

    fieldname="search term"

    source="Sampledata.zip:./apache3.splunk.com/access_combined.log"

    Finds events whose data source is "Sampledata.zip:./apache3.splunk.com/access_combined.log".

Wildcard search

    source="Sampledata.zip:./apache*"

    Finds events from every data source whose name begins with apache.

Boolean search

    source="Sampledata.zip:./apache3.splunk.com/access_combined.log" purchase NOT 200

    Finds events whose data source is "Sampledata.zip:./apache3.splunk.com/access_combined.log" AND that contain the term "purchase" AND do not contain the term 200 (terms separated by spaces are implicitly ANDed).

Nested search

    Find error status codes:

    error OR failed OR (sourcetype=access* (404 OR 500 OR 503))

    You can of course add the status field:

    (sourcetype=access* (status=404 OR status=500 OR status=503)) host="apache3.splunk.com"

Using search commands

    source="Sampledata.zip:./apache*" | top 10 product_id

    Returns the 10 most requested product ids.

    source="Sampledata.zip:./apache*" | top limit=1 clientip

    Returns the client IP that appears most often (the top customer).

    source="Sampledata.zip:./apache*" action=purchase clientip=233.77.49.50 | stats count, values(product_id) by clientip

    Returns the products bought from the given client IP, together with the total number of purchases.

    source="Sampledata.zip:./apache*" category_id=flowers | stats dc(clientip)

    Counts how many distinct users bought products in the flowers category.

    source="Sampledata.zip:./apache*" category_id=flowers | stats count BY clientip

    Number of flower purchases per individual user.

    source="Sampledata.zip:./apache*" category_id=flowers | stats count AS "购买鲜花数量" BY clientip | rename clientip AS 客户

    The result fields can be renamed (here to the Chinese labels "购买鲜花数量", "number of flowers bought", and 客户, "customer").

Subsearch

    The subsearch is enclosed in []; the bracketed part is executed first, and only then is the outer search executed.

    A subsearch must begin with the search command.

    Subsearches are somewhat slower.

    source="Sampledata.zip:./apache*" action=purchase [search sourcetype=access_* action=purchase | top limit=1 clientip | table clientip] | stats count, values(product_id) as product_id by clientip | rename count AS "购买数量", product_id AS "购买产品内容", clientip AS "vip用户"
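As an added example (not from the original post and not Splunk's own code), the following Python reproduces what the searches in the two sections above compute, run over a few constructed access_combined log lines, so that the effect of each command (field search, boolean and nested search, top, stats count/values/dc, and the subsearch) can be inspected directly. The field names (clientip, status, action, product_id, category_id) are the ones the post's queries use; the log lines, IP addresses and product ids are made up, and SPL's semantics are approximated: term matching is done on tokens of the raw line, and the subsearch substitution is performed by hand.

```python
"""Constructed mini-model of the SPL searches in the post (added example).
Log lines and values are invented; SPL semantics are approximated."""
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample events in Apache access_combined format (not real traffic).
SAMPLE_LOG = """\
233.77.49.50 - - [10/Feb/2014:10:01:02 +0000] "GET /cart.do?action=purchase&product_id=FL-001&category_id=flowers HTTP/1.1" 200 512 "-" "Mozilla/5.0"
233.77.49.50 - - [10/Feb/2014:10:02:10 +0000] "GET /cart.do?action=purchase&product_id=FL-002&category_id=flowers HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.1.1.7 - - [10/Feb/2014:10:03:00 +0000] "GET /cart.do?action=view&product_id=FL-001&category_id=flowers HTTP/1.1" 404 0 "-" "Mozilla/5.0"
10.1.1.7 - - [10/Feb/2014:10:04:00 +0000] "GET /cart.do?action=purchase&product_id=GF-010&category_id=gifts HTTP/1.1" 503 0 "-" "Mozilla/5.0"
192.168.3.9 - - [10/Feb/2014:10:05:00 +0000] "GET /cart.do?action=purchase&product_id=FL-001&category_id=flowers HTTP/1.1" 200 512 "-" "curl/7.29"
"""

# clientip, request URI and status code from an access_combined line
LINE_RE = re.compile(r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_events(text=SAMPLE_LOG):
    """Turn raw lines into event dicts; the post's fields (action, product_id,
    category_id) are taken from the URI query string, roughly as Splunk's
    automatic key=value extraction would."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting
        ev = {"_raw": line, "clientip": m["clientip"], "status": m["status"]}
        qs = parse_qs(urlparse(m["uri"]).query)
        for key in ("action", "product_id", "category_id"):
            if key in qs:
                ev[key] = qs[key][0]
        events.append(ev)
    return events

def terms(ev):
    """Term set of an event: case-insensitive tokens of the raw line."""
    return set(re.findall(r"\w+", ev["_raw"].lower()))

def fulltext(events, *must, exclude=()):
    """Full-text / boolean search such as `purchase NOT 200`: every term in
    `must` present and none of `exclude` present (space = implicit AND)."""
    return [e for e in events
            if all(t.lower() in terms(e) for t in must)
            and not any(t.lower() in terms(e) for t in exclude)]

def search(events, **fields):
    """Field search such as action=purchase clientip=233.77.49.50 (all must match)."""
    return [e for e in events if all(e.get(k) == v for k, v in fields.items())]

def error_status(events):
    """Nested search: (status=404 OR status=500 OR status=503)."""
    return [e for e in events if e["status"] in ("404", "500", "503")]

def top(events, field, limit=10):
    """| top limit=N field  ->  [(value, count), ...], most common first."""
    return Counter(e[field] for e in events if field in e).most_common(limit)

def stats_count_by(events, field):
    """| stats count BY field  ->  {value: count}."""
    return dict(Counter(e[field] for e in events if field in e))

def stats_dc(events, field):
    """| stats dc(field)  ->  number of distinct values."""
    return len({e[field] for e in events if field in e})

def stats_count_values_by_clientip(events):
    """| stats count, values(product_id) by clientip."""
    out = {}
    for e in events:
        rec = out.setdefault(e["clientip"], {"count": 0, "product_id": set()})
        rec["count"] += 1
        if "product_id" in e:
            rec["product_id"].add(e["product_id"])
    return {ip: {"count": r["count"], "product_id": sorted(r["product_id"])}
            for ip, r in out.items()}

def vip_purchases(events):
    """The post's subsearch: [search action=purchase | top limit=1 clientip
    | table clientip] runs first; its single clientip is substituted into the
    outer search, and only then does the stats command run."""
    purchases = search(events, action="purchase")
    vip_ip = top(purchases, "clientip", limit=1)[0][0]
    return stats_count_values_by_clientip(search(purchases, clientip=vip_ip))

if __name__ == "__main__":
    evs = parse_events()
    print("purchase NOT 200:", [e["clientip"] for e in fulltext(evs, "purchase", exclude=["200"])])
    print("top product_id:", top(evs, "product_id"))
    print("distinct flower buyers:", stats_dc(search(evs, category_id="flowers"), "clientip"))
    print("vip purchases:", vip_purchases(evs))
```

The subsearch function shows why a subsearch is slower: the inner search must finish and be reduced to a value list before the outer search can even start filtering.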



Attached: the two sample data archives used in the exercises from the official documentation, and an SPL (Splunk search language) syntax comparison table.

Note: because of the blog's upload size limit, the Splunk installation archive cannot be uploaded; if you need it, please download it from the official site.
