SPLUNK Installation, Configuration and Common Search Syntax

This document describes in detail the steps for installing SPLUNK on CentOS 6.2, including disabling selinux, extracting the installation package and starting the service. It also lists SPLUNK's various search syntaxes, such as full-text search, field search, wildcard search, logical combination search, nested search and search commands, to help readers quickly pick up SPLUNK.

1) Installation and Configuration

Environment: CentOS 6.2

Start the installation. First, disable SELinux: #vi /etc/sysconfig/selinux

SELINUX=disabled

setenforce 0

Extract the archive downloaded earlier from the official site, then install it. #tar -zxvf splunk-6.0.1-189883-Linux-x86_64.tgz

#cd ..

#mv splunk /usr/local

#cd /usr/local/splunk/bin

#./splunk enable boot-start

On the first run it prints: This appears to be your first time running this version of Splunk.

Copying '/usr/local/splunk/etc/openldap/ldap.conf.default' to '/usr/local/splunk/etc/openldap/ldap.conf'

Moving '/usr/local/splunk/share/splunk/search_mrsparkle/modules.new' to '/usr/local/splunk/share/splunk/search_mrsparkle/modules'.

Init script installed at /etc/init.d/splunk.

Init script is not configured to run at boot.

After the copy operations shown in the prompt, continue the installation by starting the service: #/etc/init.d/splunk start

Starting Splunk...

Splunk> Take the sh out of IT.

Checking prerequisites...

Checking http port [8000]: open

Checking mgmt port [8089]: open

Checking configuration... Done.

Creating: /usr/local/splunk/var/lib/splunk

Creating: /usr/local/splunk/var/run/splunk

Creating: /usr/local/splunk/var/run/splunk/appserver/i18n

Creating: /usr/local/splunk/var/run/splunk/appserver/modules/static/css

Creating: /usr/local/splunk/var/run/splunk/upload

Creating: /usr/local/splunk/var/spool/splunk

Creating: /usr/local/splunk/var/spool/dirmoncache

Creating: /usr/local/splunk/var/lib/splunk/authDb

Creating: /usr/local/splunk/var/lib/splunk/hashDb

Checking critical directories... Done

Checking indexes...

Validated: _audit _blocksignature _internal _thefishbucket history main summary

Done

New certs have been generated in '/usr/local/splunk/etc/auth'.

Checking filesystem compatibility... Done

Checking conf files for typos... Done

All preliminary checks passed.

Starting splunk server daemon (splunkd)...

Done

[确定]

Starting splunkweb... Generating certs for splunkweb server

Generating a 1024 bit RSA private key

.............++++++

.....................................................++++++

writing new private key to 'privKeySecure.pem'

-----

Signature ok

subject=/CN=localhost.localdomain/O=SplunkUser

Getting CA Private Key

writing RSA key

[确定]

Done

If you get stuck, we're here to help.

Look for answers here: http://docs.splunk.com

The Splunk web interface is at http://127.0.0.1:8000

Open a browser to access the web interface, and make sure the firewall allows the access ports: #service iptables stop (this stops the host firewall entirely; permitting only the web port 8000 and management port 8089 shown in the startup output above is the narrower option).

2) Common Syntax

Full-text search

Type the "search term" directly into the search box

purchase

Finds events matching the word "purchase"

Field search

fieldname="search term"

source="Sampledata.zip:./apache3.splunk.com/access_combined.log"

Finds events whose data source is "Sampledata.zip:./apache3.splunk.com/access_combined.log"

Wildcard search

source="Sampledata.zip:./apache*"

Finds events from every data source whose name begins with apache

Logical combination search

source="Sampledata.zip:./apache3.splunk.com/access_combined.log" purchase NOT 200

Finds events whose data source is "Sampledata.zip:./apache3.splunk.com/access_combined.log" AND whose text matches the word "purchase" AND whose text does not contain 200

Nested search

Find error codes

error OR failed OR (sourcetype=access* (404 OR 500 OR 503))

You can of course add the status field

(sourcetype=access* (status=404 OR status=500 OR status=503)) host="apache3.splunk.com"

Using search commands

source="Sampledata.zip:./apache*" | top 10 product_id

Get the 10 most accessed product IDs

source="Sampledata.zip:./apache*" | top limit=1 clientip

Get the client IP with the most purchases

source="Sampledata.zip:./apache*" action=purchase clientip=233.77.49.50 | stats count, values(product_id) by clientip

Get the products purchased by the specified client IP, together with their count

source="Sampledata.zip:./apache*" category_id=flowers | stats dc(clientip)

Count how many distinct users purchased products in the flowers category

source="Sampledata.zip:./apache*" category_id=flowers | stats count BY clientip

Number of flower purchases for each distinct user

source="Sampledata.zip:./apache*" category_id=flowers | stats count AS "购买鲜花数量" BY clientip | rename clientip AS 客户

The result fields can be renamed

Subsearch

The subsearch is enclosed in []; the bracketed part is executed first, and the outer search runs afterwards on its result.

A subsearch must begin with the search command

Subsearches are somewhat slower

source="Sampledata.zip:./apache*" action=purchase [search sourcetype=access_* action=purchase|top limit=1 clientip|table clientip] | stats count, values(product_id) as product_id by clientip |rename count AS "购买数量",product_id AS "购买产品内容" clientip AS "vip用户"
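As an added example (not from the original post and not Splunk's own code), the following Python reproduces what the stats, top and subsearch queries above compute over a few constructed access_combined-style events; the event records, IP addresses and product IDs are made up, and each function is a simplified stand-in for the Splunk command named in its docstring.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real Sampledata.zip content); field names follow the post's searches.
EVENTS = [
    {"clientip": "233.77.49.50", "action": "purchase", "product_id": "WC-SH-G04", "category_id": "flowers", "status": 200},
    {"clientip": "233.77.49.50", "action": "purchase", "product_id": "SC-MG-G10", "category_id": "flowers", "status": 200},
    {"clientip": "10.2.1.33", "action": "purchase", "product_id": "WC-SH-G04", "category_id": "gifts", "status": 200},
    {"clientip": "233.77.49.50", "action": "view", "product_id": "WC-SH-G04", "category_id": "flowers", "status": 404},
    {"clientip": "10.2.1.34", "action": "purchase", "product_id": "SC-MG-G10", "category_id": "flowers", "status": 503},
]

def search(events, **field_values):
    """Field search: every given field=value term must match (implicit AND)."""
    return [e for e in events if all(e.get(k) == v for k, v in field_values.items())]

def top(events, field, limit=10):
    """Stand-in for '| top limit=N field': most frequent values with their counts."""
    return Counter(e[field] for e in events).most_common(limit)

def stats_count_by(events, field):
    """Stand-in for '| stats count BY field'."""
    return dict(Counter(e[field] for e in events))

def stats_dc(events, field):
    """Stand-in for '| stats dc(field)': number of distinct values."""
    return len({e[field] for e in events})

def stats_count_values_by(events, value_field, by_field):
    """Stand-in for '| stats count, values(value_field) BY by_field'."""
    groups = defaultdict(lambda: {"count": 0, "values": set()})
    for e in events:
        groups[e[by_field]]["count"] += 1
        groups[e[by_field]]["values"].add(e[value_field])
    return {k: {"count": g["count"], "values": sorted(g["values"])} for k, g in groups.items()}

def vip_purchases(events):
    """The post's subsearch: the bracketed search runs first and yields one clientip,
    which then restricts the outer 'action=purchase' search before stats runs."""
    vip_ip, _ = top(search(events, action="purchase"), "clientip", limit=1)[0]
    outer = search(events, action="purchase", clientip=vip_ip)
    return stats_count_values_by(outer, "product_id", "clientip")

if __name__ == "__main__":
    print("distinct flower buyers:", stats_dc(search(EVENTS, category_id="flowers"), "clientip"))
    print("vip purchases:", vip_purchases(EVENTS))
```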

Attached: the two sample data archives used in the official documentation exercises, and the spl_splunk syntax comparison table.

Note: because of the blog's upload size limit, the Splunk installation archive could not be uploaded; please download it from the official site.
