Installing Splunk with yum on Linux, Splunk tips

### 1. Forwarding syslog from a Splunk HF to a third-party host

The heavy forwarder routes selected sourcetypes to an external syslog receiver. The routing decision is made by the parsing pipeline (props/transforms), which a heavy forwarder has and a universal forwarder does not, so these three files belong on the HF. `type = udp` sends the events in clear text with no delivery guarantee; use `type = tcp` where the receiver supports it and the link is not trusted.

**outputs.conf**

```
[syslog]
defaultGroup = syslogGroup

[syslog:syslogGroup]
type = udp
server = 10.203.19.22:514
```

**props.conf**

A sourcetype stanza in props.conf is just the sourcetype name in brackets; `sourcetype::` is not a valid props.conf stanza prefix (only `host::` and `source::` take one):

```
[cosmo_syslog]
TRANSFORMS-nyc = splunk_to_syslog

[cosmo_cisco:asa]
TRANSFORMS-nyc = splunk_to_syslog

[cosmo_cisco_asa_anquan]
TRANSFORMS-nyc = splunk_to_syslog
```

**transforms.conf**

`REGEX = .` matches every event, so everything with these sourcetypes is routed. `FORMAT` must name the `[syslog:<group>]` stanza from outputs.conf exactly; a typo here is only reported by splunkd at runtime.

```
[splunk_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogGroup
```

After editing, `splunk btool props list cosmo_syslog --debug` shows which file each effective setting comes from, and the HF must be restarted for the change to take effect.
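The following is an added example, not code from the original post or from Splunk: it lints the props -> transforms -> outputs chain above without a Splunk installation, catching the mistake that is easiest to make here (a `FORMAT` value that does not match any `[syslog:<group>]` stanza, or a `TRANSFORMS-` class naming an undefined transform). The three conf strings are copies of the page's fragments; the `host:port` check and the UDP warning are assumptions added for illustration.

```python
"""Lint a Splunk syslog-routing chain: props.conf TRANSFORMS- classes must
name existing transforms, and every transform with DEST_KEY=_SYSLOG_ROUTING
must point its FORMAT at a [syslog:<group>] stanza in outputs.conf."""
import configparser
import re

# Copies of the page's three .conf fragments (constructed input for this example).
PROPS = """
[cosmo_syslog]
TRANSFORMS-nyc = splunk_to_syslog

[cosmo_cisco:asa]
TRANSFORMS-nyc = splunk_to_syslog
"""

TRANSFORMS = """
[splunk_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogGroup
"""

OUTPUTS = """
[syslog]
defaultGroup = syslogGroup

[syslog:syslogGroup]
type = udp
server = 10.203.19.22:514
"""


def parse_conf(text):
    """Parse a Splunk .conf fragment into {stanza: {key: value}}.

    Splunk keys are case-sensitive (TRANSFORMS-nyc), so optionxform is disabled,
    and only '=' separates key from value because stanza names and server
    values legitimately contain ':'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def check_syslog_routing(props, transforms, outputs):
    """Return {'errors': [...], 'warnings': [...]} for the routing chain."""
    errors, warnings = [], []
    groups = {s[len("syslog:"):] for s in outputs if s.startswith("syslog:")}

    for stanza, keys in props.items():
        for key, value in keys.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",")):
                t = transforms.get(name)
                if t is None:
                    errors.append(f"[{stanza}] {key}: transform [{name}] is not defined")
                elif t.get("DEST_KEY") == "_SYSLOG_ROUTING" and t.get("FORMAT") not in groups:
                    errors.append(f"[{name}] FORMAT={t.get('FORMAT')!r} has no "
                                  f"[syslog:{t.get('FORMAT')}] stanza in outputs.conf")

    default = outputs.get("syslog", {}).get("defaultGroup")
    if default is not None and default not in groups:
        errors.append(f"[syslog] defaultGroup={default!r} is not a defined group")

    for g in groups:
        stanza = outputs[f"syslog:{g}"]
        server = stanza.get("server", "")
        if not re.fullmatch(r"[^\s:]+:\d{1,5}", server):  # assumed host:port form
            errors.append(f"[syslog:{g}] server must be host:port, got {server!r}")
        if stanza.get("type", "udp").lower() == "udp":    # udp is the outputs.conf default
            warnings.append(f"[syslog:{g}] uses UDP: clear text and no delivery guarantee")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = check_syslog_routing(parse_conf(PROPS), parse_conf(TRANSFORMS), parse_conf(OUTPUTS))
    for line in result["errors"] + result["warnings"]:
        print(line)
```

Run it against the real files by reading them into the three strings; a run that prints nothing but the UDP warning means the group names line up.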

### 2. Changing the splunkforwarder management port (8089)

#### 2.1. Locate or create web.conf

**Check whether /opt/splunkforwarder/etc/system/local/web.conf exists**

```
[root@linux_mysql local]# ll /opt/splunkforwarder/etc/system/local/web.conf
-rw-r--r--. 1 root root 52101 Jul 4 00:07 /opt/splunkforwarder/etc/system/local/web.conf
[root@linux_mysql local]#
```

**If web.conf does not exist, copy ../default/web.conf into the local directory**

```
cd /opt/splunkforwarder/etc/system/local/
cp ../default/web.conf .
```

Copying the whole default file works but is not good practice: the default file says "DO NOT EDIT THIS FILE", and a full copy in `local/` pins every default value so that later upgrades cannot change them. A `local/web.conf` holding only the `[settings]` stanza and the `mgmtHostPort` line from step 2.2 is sufficient; `splunk set splunkd-port 8099` writes that same setting for you.

#### 2.2. Edit web.conf

**Find the mgmtHostPort setting and change it**

```
# Version 7.2.5
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# This file contains possible attributes and values you can use to configure Splunk's web interface.
#
[default]

[settings]
# enable/disable the appserver
startwebserver = 1

# port number tag is missing or 0 the server will NOT start an http listener
# this is the port used for both SSL and non-SSL (we only have 1 port now).
httpport = 8000

# this determines whether to start SplunkWeb in http or https.
enableSplunkWebSSL = false

# location of splunkd; don't include http[s]:// in this anymore.
#mgmtHostPort = 127.0.0.1:8089   <-- this is the setting to change
mgmtHostPort = 127.0.0.1:8099

# list of ports to start python application servers on (although usually
# one port is enough) Set to 0 to instead run the application server
# directly as the web front end on 'httpport', separate from splunkd.
appServerPorts = 8065

# default timeout, in seconds, when communicating with splunkd
splunkdConnectionTimeout = 30

# enable/disable custom netloc when using http client
enableSplunkWebClientNetloc = False

# SSL certificate files.
privKeyPath = $SPLUNK_HOME/etc/auth/splunkweb/privkey.pem
serverCert = $SPLUNK_HOME/etc/auth/splunkweb/cert.pem
```

Remember that anything else that talks to this forwarder's management port (deployment server `deploy-poll` settings, monitoring scripts, host firewall rules) must be updated to 8099 as well.

#### 2.3. Restart the splunkforwarder service

> /opt/splunkforwarder/bin/splunk restart

(`splunk start` does nothing if the forwarder is already running; the setting is only picked up on a restart.)

#### 2.4. Verify that the port changed

The `-p 8099` in the splunkd command line confirms the new management port; `ss -lntp` will also show splunkd listening on 8099 instead of 8089.

```
[root@linux_mysql local]# ps -ef|grep splunk
root 7698 1 0 00:10 ? 00:00:01 splunkd --under-systemd --systemd-delegate=yes -p 8099 _internal_launch_under_systemd
root 7723 7698 0 00:10 ? 00:00:00 [splunkd pid=7698] splunkd --under-systemd --systemd-delegate=yes -p 8099 _internal_launch_under_systemd [process-runner]
root 7949 5126 0 00:28 pts/0 00:00:00 grep --color=auto splunk
[root@linux_mysql local]#
```

### 3. Filtering Prometheus metrics with a Splunk sourcetype

> Problem: after Prometheus data was brought into Splunk the volume was enormous (1560 metric names), while fewer than 100 of them are actually used, so the unneeded metrics have to be filtered out.

#### 3.1. Which server roles need the configuration

Configure it on the HF and on the indexers. Queue routing (`DEST_KEY = queue`) happens in the parsing pipeline, so the files must be on whichever instance parses the events first: the HF for data that passes through it, the indexers for data arriving unparsed from universal forwarders.

#### 3.2. Configuration files

props.conf

```
[prometheus_filter]
TIME_FORMAT = %s%3N
TIME_PREFIX = }\s[\d\-\.]+\s
TRANSFORMS-set = setnull,conform
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
pulldown_type = 1
category = Metrics
EXTRACT-metric_name,num1,num2 = ^(?P<metric_name>[^\{]+)[^\}\n]*\}\s+(?P<num1>[^ ]+)\s+(?P<num2>.+)
```

`EXTRACT-metric_name,num1,num2` extracts the `metric_name`, `num1` (sample value) and `num2` (timestamp) fields from an event of the form `name{labels} value timestamp`. `TIME_FORMAT` and `TIME_PREFIX` locate the epoch-millisecond timestamp that follows the closing `}` and the value. `TRANSFORMS-set` is the filter, and the order of its two entries matters: Splunk applies them left to right and the last matching transform decides the queue, so `setnull` first sends every event to `nullQueue` and `conform` then moves the allow-listed metrics back to `indexQueue`. Listing them the other way round would drop everything.

transforms.conf

```
[conform]
REGEX = container_cpu_load_average_10s|container_cpu_usage_seconds_total|container_fs_limit_bytes|container_fs_usage_bytes|container_memory_cache|container_memory_usage_bytes|container_memory_working_set_bytes|container_network_receive_bytes_total|container_network_transmit_bytes_total|container_spec_memory_limit_bytes|jvm_gc_collection_seconds_count|jvm_gc_collection_seconds_sum|jvm_memory_bytes_used|jvm_memory_pool_bytes_max|jvm_memory_pool_bytes_used|jvm_threads_current|jvm_threads_deadlocked|jvm_threads_peak|kube_pod_container_status_ready|kube_pod_container_status_running|kube_pod_container_status_terminated|kube_pod_container_status_waiting|machine_cpu_cores|machine_memory_bytes|mysql_global_status_aborted_clients|mysql_global_status_commands_total|mysql_global_status_innodb_data_fsyncs|mysql_global_status_innodb_data_reads|mysql_global_status_innodb_data_writes|mysql_global_status_select_full_join|mysql_global_status_select_scan|mysql_global_status_slow_queries|mysql_global_status_sort_scan|mysql_global_status_threads_connected|mysql_global_status_threads_created|nginx_connections_accepted|nginx_connections_active|nginx_connections_handled|nginx_http_requests_total|node_network_info|rabbitmq_channelsTotal|rabbitmq_connectionsTotal|rabbitmq_consumersTotal|rabbitmq_exchangesTotal|rabbitmq_fd_total|rabbitmq_fd_used|rabbitmq_queue_messages_ready_total|rabbitmq_queue_messages_total|rabbitmq_queue_messages_unacknowledged_total|rabbitmq_queuesTotal|rabbitmq_sockets_total|rabbitmq_sockets_used|rabbitmq_up|redis_blocked_clients|redis_commands_processed_total|redis_connected_clients|redis_evicted_keys_total|redis_expired_keys_total|redis_keyspace_hits_total|redis_keyspace_misses_total|redis_memory_used_bytes|zk_max_latency|zk_num_alive_connections|zk_open_file_descriptor_count|zk_outstanding_requests|zk_up|zk_watch_count|zk_znode_count
DEST_KEY = queue
FORMAT = indexQueue

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
```

The `[conform]` regex is an unanchored alternation, so any event whose raw text contains one of these names anywhere (a longer metric name with an extra suffix, or a label value) is kept as well. Anchoring each name to the start of the event and requiring `{` or whitespace after it makes the allow-list exact.
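The following is an added example, not code from the original post or from Splunk: it replays the `TRANSFORMS-set = setnull,conform` pair over a few constructed Prometheus lines to show why `setnull` has to come first and how the unanchored allow-list also keeps metrics that merely contain a listed name. `KEEP` is a three-name excerpt of the page's allow-list, the sample events are made up, and the anchored pattern is a suggested tightening rather than something the page configures.

```python
"""Simulate Splunk's queue routing for the page's [setnull]/[conform] pair
and the EXTRACT-metric_name,num1,num2 field extraction over sample events."""
import re

# Excerpt of the page's allow-list (constructed subset).
KEEP = [
    "container_cpu_usage_seconds_total",
    "jvm_memory_bytes_used",
    "redis_connected_clients",
]


def conform_regex(names, anchored):
    """Build the [conform] REGEX. Metric names only contain [A-Za-z0-9_:], so
    no escaping is needed and the result can be pasted into transforms.conf."""
    alternation = "|".join(names)
    if not anchored:
        return alternation                        # what the page uses
    return r"^(?:" + alternation + r")(?=\{|\s)"  # name must start the event


def route(event, transforms):
    """Apply a TRANSFORMS-<class> list the way splunkd does for DEST_KEY=queue:
    left to right, the last transform whose REGEX matches decides the queue."""
    queue = "indexQueue"                          # default when nothing matches
    for regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


def indexed_metric_names(events, transforms):
    """Metric names of the events that would reach the indexQueue."""
    return [e.split("{", 1)[0] for e in events if route(e, transforms) == "indexQueue"]


# EXTRACT-metric_name,num1,num2 from the page's props.conf.
EXTRACT = re.compile(r"^(?P<metric_name>[^\{]+)[^\}\n]*\}\s+(?P<num1>[^ ]+)\s+(?P<num2>.+)")


def extract(event):
    m = EXTRACT.match(event)
    return m.groupdict() if m else None


# Constructed events in the "name{labels} value timestamp_ms" shape TIME_PREFIX expects.
EVENTS = [
    'container_cpu_usage_seconds_total{id="/",cpu="total"} 12345.6 1562171234000',
    'container_cpu_usage_seconds_total_custom{id="/"} 1 1562171234000',   # substring over-match
    'jvm_memory_bytes_used{area="heap"} 8.2e+08 1562171234000',
    'go_goroutines{} 42 1562171234000',                                   # not allow-listed
    'redis_connected_clients{instance="r1"} 17 1562171234000',
    'my_redis_connected_clients_copy{instance="r1"} 0 1562171234000',     # substring over-match
]

SETNULL = (".", "nullQueue")
PAGE_ORDER = [SETNULL, (conform_regex(KEEP, anchored=False), "indexQueue")]
WRONG_ORDER = [(conform_regex(KEEP, anchored=False), "indexQueue"), SETNULL]
ANCHORED = [SETNULL, (conform_regex(KEEP, anchored=True), "indexQueue")]

if __name__ == "__main__":
    print("page order :", indexed_metric_names(EVENTS, PAGE_ORDER))
    print("wrong order:", indexed_metric_names(EVENTS, WRONG_ORDER))
    print("anchored   :", indexed_metric_names(EVENTS, ANCHORED))
    print("fields     :", extract(EVENTS[0]))
```

With the page's order the two `_custom`/`_copy` events slip through; with `conform` listed before `setnull` nothing is indexed at all; with the anchored regex only the three listed metrics survive.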

### 4. *nix add-on cpu.sh problem

**Problem: after the *nix add-on was deployed to Linux hosts, no CPU performance data was collected. cpu.sh depends on the sysstat tools (`sar`, `mpstat`), which must be installed on the host:**

```
yum install sysstat
```

On RHEL/CentOS both `sar` and `mpstat` are shipped in the `sysstat` package (there are no separate `sar` or `mpstat` packages), so this one command is all that is needed.

### 5. Cloned forwarders reporting the same hostname

When a VM with a forwarder installed is cloned, every clone carries the same GUID (stored in `$SPLUNK_HOME/etc/instance.cfg`) and the same `serverName`/`host` values, so the deployment server and indexers treat them as one host. Splunk ships `splunk clone-prep-clear-config` to clear these values before an image is cloned; if the clones already exist, either of the following fixes them.

#### 5.1. Option one: clear the instance identity

```
Delete $SPLUNK_HOME/etc/instance.cfg (it records the guid, i.e. the client's identity)
Delete the serverName entry in server.conf and the host entry in inputs.conf
Restart the forwarder
```

#### 5.2. Option two: reinstall the forwarder

```
Example: the install directory is /tpdata
/tpdata/splunkforwarder/bin/splunk stop
rm -rf /tpdata/splunkforwarder
tar zxvf /tpdata/splunkforwarder-6*.tgz -C /tpdata
/tpdata/splunkforwarder/bin/splunk start --answer-yes --no-prompt --accept-license
/tpdata/splunkforwarder/bin/splunk set deploy-poll 10.21.8.228:8089 -auth admin:changeme
/tpdata/splunkforwarder/bin/splunk restart
```

`admin:changeme` is the factory default password and should be changed on every forwarder. Passing `-auth` on the command line also leaves the credential in the shell history and visible in `ps` while the command runs; omit `-auth` and let `splunk` prompt for it, and keep the credential out of any image that will be cloned.
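The following is an added example, not code from the original post or from Splunk: it spots clones from the indexer side, where the `tcpin_connections` entries in `metrics.log` report each connecting forwarder. A GUID seen from several source addresses means clones that were never cleared; a hostname presenting several GUIDs means clones that were cleared but still share the `host` value. The log lines are constructed for this example and the exact field layout of `metrics.log` is assumed; only the `hostname`, `guid` and `sourceHost` key/value pairs are relied on.

```python
"""Detect cloned forwarders from metrics.log group=tcpin_connections lines."""
import re
from collections import defaultdict

# Constructed sample lines modelled on tcpin_connections entries; GUIDs and
# addresses are made up for this example.
SAMPLE_METRICS_LOG = """\
07/04/2019 00:10:01.000 +0800 INFO  Metrics - group=tcpin_connections, 10.21.8.41:45210:9997, connectionType=cooked, sourceHost=10.21.8.41, destPort=9997, hostname=web01, guid=9C2F1D7A-1111-4D3B-9F8E-0A0A0A0A0A01, fwdType=uf, version=7.2.5
07/04/2019 00:10:01.000 +0800 INFO  Metrics - group=tcpin_connections, 10.21.8.42:45211:9997, connectionType=cooked, sourceHost=10.21.8.42, destPort=9997, hostname=web01, guid=9C2F1D7A-1111-4D3B-9F8E-0A0A0A0A0A01, fwdType=uf, version=7.2.5
07/04/2019 00:10:01.000 +0800 INFO  Metrics - group=tcpin_connections, 10.21.8.43:45212:9997, connectionType=cooked, sourceHost=10.21.8.43, destPort=9997, hostname=db01, guid=9C2F1D7A-2222-4D3B-9F8E-0A0A0A0A0A02, fwdType=uf, version=7.2.5
07/04/2019 00:10:01.000 +0800 INFO  Metrics - group=tcpin_connections, 10.21.8.44:45213:9997, connectionType=cooked, sourceHost=10.21.8.44, destPort=9997, hostname=app01, guid=9C2F1D7A-3333-4D3B-9F8E-0A0A0A0A0A03, fwdType=uf, version=7.2.5
07/04/2019 00:10:01.000 +0800 INFO  Metrics - group=tcpin_connections, 10.21.8.45:45214:9997, connectionType=cooked, sourceHost=10.21.8.45, destPort=9997, hostname=app01, guid=9C2F1D7A-4444-4D3B-9F8E-0A0A0A0A0A04, fwdType=uf, version=7.2.5
07/04/2019 00:10:02.000 +0800 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2
"""

KV = re.compile(r"(\w+)=([^,\s]+)")  # key=value pairs separated by ", "


def parse_tcpin(text):
    """Return (sourceHost, hostname, guid) for every tcpin_connections line."""
    rows = []
    for line in text.splitlines():
        if "group=tcpin_connections" not in line:
            continue
        kv = dict(KV.findall(line))
        if {"hostname", "guid", "sourceHost"} <= kv.keys():
            rows.append((kv["sourceHost"], kv["hostname"], kv["guid"]))
    return rows


def find_clones(rows):
    """shared_guid: one GUID from several addresses (instance.cfg never cleared).
    shared_hostname: one host value with several GUIDs (host not cleared)."""
    by_guid = defaultdict(set)
    by_host = defaultdict(set)
    for source, hostname, guid in rows:
        by_guid[guid].add(source)
        by_host[hostname].add(guid)
    return {
        "shared_guid": {g: sorted(s) for g, s in by_guid.items() if len(s) > 1},
        "shared_hostname": {h: sorted(g) for h, g in by_host.items() if len(g) > 1},
    }


if __name__ == "__main__":
    report = find_clones(parse_tcpin(SAMPLE_METRICS_LOG))
    for kind, hits in report.items():
        for key, members in hits.items():
            print(f"{kind}: {key} -> {members}")
```

Point `parse_tcpin` at the indexers' `$SPLUNK_HOME/var/log/splunk/metrics.log` (or at the output of a search over `index=_internal group=tcpin_connections`) to get the list of hosts that need option 5.1 or 5.2 applied.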

### 6. Changing the maximum number of concurrent searches per CPU

```
limits.conf

[search]
max_searches_per_cpu = <integer>
# maximum number of concurrent searches per CPU core
```

The effective limit is `max_searches_per_cpu * number_of_cpus + base_max_searches` (both keys live in the `[search]` stanza; the defaults are 1 and 6). Raising it lets more searches run at once at the cost of CPU and memory on the search head, so check its load before increasing the value.

### 7. Splunk restart logs are also stored in an index

Restarts are written to `splunkd.log`, which is indexed into `_internal`, so they can be searched:

```
index="_internal" source="/opt/splunk/var/log/splunk/splunkd.log" start
```

### 8. Checking whether alert e-mails were sent

INFO means the mail was sent normally; ERROR means sending failed and the error message needs to be investigated.

```
index="_internal" source="/opt/splunk/var/log/splunk/python.log" "mail"
```

### 9. Notes on field aliases

**Field alias**: several source fields cannot be aliased to the same target field name.

**Overwrite field values**: if several fields do need to be aliased to the same name, tick this option when defining the alias.

### 10. Hiding a dashboard panel until a token is set (and passing the parameter)

A `depends` attribute on a panel or chart element keeps it hidden until the named token has a value, so the panel only appears once the parameter has been passed:

```
depends="$range$"
```

### 11. URL for reloading configuration files from Splunk Web

```
http://192.168.10.9:8000/zh-CN/debug/refresh
```

`zh-CN` is the UI locale (`en-US` on an English install). This reloads search-time configuration without a restart; index-time parsing changes such as the routing and filtering transforms above still require a restart of the parsing instance.

### 12. Changing the index storage path

**vim /opt/splunk/splunk/etc/splunk-launch.conf -- edit the splunk-launch file**

**cat /opt/splunk/splunk/etc/splunk-launch.conf**

```
# Version 7.2.5
# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory containing the splunk
# CLI executable.
#
# SPLUNK_HOME=/opt/splunk-home

# By default, Splunk stores its indexes under SPLUNK_HOME in the
# var/lib/splunk subdirectory. This can be overridden
# here:
#SPLUNK_DB=/opt/splunk-home/var/lib/splunk
# add the following line
SPLUNK_DB=/opt/splunk/splunk/data

# Splunkd daemon name
SPLUNK_SERVER_NAME=Splunkd

# Splunkweb daemon name
SPLUNK_WEB_NAME=splunkweb

# If SPLUNK_OS_USER is set, then Splunk service will only start
# if the 'splunk [re]start [splunkd]' command is invoked by a user who
# is, or can effectively become via setuid(2), $SPLUNK_OS_USER.
# (This setting can be specified as username or as UID.)
# SPLUNK_OS_USER
```

Then move the existing data. The contents of `var/lib/splunk` go directly under the new `SPLUNK_DB` directory, not into a `splunk` subdirectory of it, otherwise splunkd starts with empty indexes:

> mkdir /opt/splunk/splunk/data -- create the data directory

> splunk stop -- stop the Splunk service

> mv /opt/splunk/splunk/var/lib/splunk/* /opt/splunk/splunk/data/ -- move everything under /opt/splunk/splunk/var/lib/splunk into /opt/splunk/splunk/data/

> splunk start -- start the service

The new directory must be owned by the OS user that runs splunkd. `SPLUNK_DB` only relocates indexes whose `homePath`/`coldPath`/`thawedPath` in indexes.conf are written relative to `$SPLUNK_DB`; an index configured with an absolute path stays where it is.

### 13. Where the Splunk license is installed

> $SPLUNK_HOME/etc/licenses/enterprise/Splunk.License.lic
