Splunk SPL操作

head、tail、top、rare

• head：返回前 n 个结果
• tail：返回后 n 个结果
• top, 显示字段最常见/出现次数最多的值
• rare, 显示字段出现次数最少的值

sort:

• 基于某个字段排序（升序、降序）
• sort - clientip, +status, 先基于 clientip 降序，再基于status升序
• index=tutorialdata sourcetype=“access_combined_wcookie”| table
_time,clientip,status | sort -status,+clientip

stats（statistic）:

• 对满足条件的事件进行统计
• stats count()
• stats dc()
• stats values()
• stats list()
• stats avg()
• index=tutorialdata sourcetype=“access_combined_wcookie” status=200
action=purchase | stats count
• index=tutorialdata sourcetype=“access_combined_wcookie” status=200
action=purchase | stats count(clientip)
• index=tutorialdata sourcetype=“access_combined_wcookie” status=200
action=purchase | stats dc(clientip)

chart

• 以表格的形式返回结果数据
• index=tutorialdata sourcetype=“access_combined_wcookie” status=200
action=purchase | chart count by host | rename host as 服务器 count as "成功购
买数“
• index=tutorialdata sourcetype=“access_combined_wcookie” status=200
action=purchase | chart count by host | chart avg(count) as "每台服务器平均数“
• index=tutorialdata sourcetype=“access_combined_wcookie” status=200
action=purchase | chart count by host | chart max(count) as "最大购买量“
• 表格
• 图表

timechart

• 使用相应的统计信息表创建时间系列图表。
• index=tutorialdata sourcetype=“access_combined_wcookie”
status=200 action=purchase | timechart count by host
间隔时间2h：
• index=tutorialdata sourcetype=“access_combined_wcookie”
status=200 action=purchase | timechart span=2h count by host
• 线形图
• 面积图

子搜索(subsearch)

• 子搜索包含在方括号[]中
• 查找购物次数最多的用户IP
index=tutorialdata sourcetype=“access_combined_wcookie” status=200 action=purchase |
top limit=1 clientip
• 查看该客户购买的产品数量、产品种类以及哪些产品
index=tutorialdata sourcetype=“access_combined_wcookie” status=200 action=purchase
clientip=“87.194.216.51”| stats count,dc(productId),values(productId) by clientip
• 通过子查询将两个查询语句合并为一个
index=tutorialdata sourcetype=“access_combined_wcookie” status=200 action=purchase
[search index=tutorialdata sourcetype=“access_combined_wcookie” status=200
action=purchase | top limit=1 clientip
| table clientip] | stats count,dc(productId),values(productId) by clientip

保存为仪表板并打印PDF

• index=tutorialdata sourcetype=“access_combined_wcookie”
status=200 action=purchase [search index=tutorialdata
sourcetype=“access_combined_wcookie” status=200
action=purchase | top limit=1 clientip | table clientip] | stats
count,dc(productId) as “totalproducts”,values(productId) as
“productlist” by clientip | rename clientip as “VIP客户”,count as “产
品总数”,totalproducts as “产品种类”,productlist as “产品列表”