Splunk 5.0.2
Splunk
3/13/2013 8:05 am
Copyright (c) 2013 Splunk Inc. All Rights Reserved
Table of Contents
Splunk Splunk Splunk
Splunk
Splunk
Splunk Splunk Linux Windows Mac OS X
Splunk Splunk Web Windows Splunk Unix Mac OS X Splunk Splunk Web
Splunk
Splunk Splunk Splunk
Splunk Splunk
PDF PDF
Splunk
Splunk
Splunk
Splunk IT IT IT
Splunk
Splunk -- -- Splunk
Splunk IT Splunk Splunk () Splunk Splunk IT
Splunk Splunk
PDF Splunk PDF PDF
Splunk Splunk IT Splunk -- Splunk
Splunk
IT IT Splunk IT
Splunk IT
Windows SNMP
Splunk -- --
... Splunk IT Splunk TB Splunk
Splunk Splunk
IT -- Splunk SNMP
Splunk
Splunk Splunk
Splunk Splunk -- 5
Splunk [ Splunk]
Splunk Splunk Windows Mac OS X Splunk Splunk
Splunk Splunk Splunk Firefox, Chrome, Safari, Internet Explorer 6, 7, 8, 9
Splunk Windows Mac
Windows 1x 1.4 GHz CPU, 1 GB RAM
Windows Pentium 4 2 GHz, 2 GB RAM
Splunk
Splunk Enterprise Free Splunk 60 Enterprise 500 MB Enterprise
Splunk Enterprise Free () Enterprise
Splunk
SplunkSplunk UnixWindows Mac OS X
Splunk LinuxWindows Mac OS X
Splunk
Splunk
Splunk Linux RedHat RPM Debian Linux DEB tar Windows MSI zip MSI Mac OS X DMG tar DMG
Splunk.com Splunk.com
Linux
(CLI) Linux Splunk
Linux Splunk /opt/splunk
Splunk RPM Splunk --prefix
rpm -i --prefix=/opt/new_directory splunk_package_name.rpm
Splunk DEB Splunk DEB /opt/splunk
dpkg -i splunk_package_name.deb
tar Splunk tar /splunk /opt/splunk -C
tar xvzf splunk_package_name.tgz -C /opt
Linux Splunk Linux
Windows
1. splunk.msi
2. [] []
3. [] []
4. [] []
5. [] [...] Splunk []
Splunk \Program Files\Splunk
[]
6. [] [] []
Windows Splunk
7. []
8. [] [ Splunk ] []
9. []
Splunk Splunk Web
Mac OS X
1. DMG
2. [] splunk.pkg
Splunk []
3. []
4. [] Splunk
/Applications/splunk [...]
5. []
[] []
6. []
7. []
Splunk
Splunk Splunk Web Splunk splunkd splunkweb
splunkd C/C++ splunkweb Python Splunk Web Splunk
Windows Splunk
Windows Splunk
[] Splunk Windows splunkd splunkweb cmd \Program Files\Splunk\bin
> splunk start
Unix Mac OS X Splunk
(CLI)
$SPLUNK_HOME/bin/splunk start
$SPLUNK_HOME Splunk Unix /opt/splunk Mac OS X /Applications/splunk/bin/
Splunk
Splunk
Splunk
Splunk Splunk Web
The Splunk Web interface is at http://localhost:8000
Splunk Splunk
Splunk
$ splunk stop
$ splunk restart
$ splunk status
Splunk Web
Splunk Web Splunk Splunk Web
Splunk Web 8000 Splunk Splunk Web URL http://localhost:8000
Enterprise Splunk
Free Splunk Splunk [Splunk ]
Splunk
[]
Splunk
Splunk Splunk
Splunk Splunk
Splunk
Splunk Splunk WMI Windows Splunk
Splunk Splunk
Splunk
Splunk Splunk WebSplunk inputs.conf
Splunk Web inputs.conf Splunk Web Splunk inputs.conf
Splunk Splunk Web Splunk
Splunk
Splunk Splunk Splunk Splunk
Splunk (Splunk App for Unix and Linux os) Splunk
Splunk
Splunk Splunk
Splunk Splunk
() Splunk
Apache mySQL
Splunk Splunk
() sampledata.zip
Splunk
Splunk [Splunk ] [Splunk ] [] []
1. [Splunk ] []
[ Splunk] [] []
2. [] []
[] Splunk
3. [] []
[] > [] > [] > [] Splunk
4. [] []
source UDP:514
5. []
[][] [] Splunk
IP Sampledata.zip () Apache MySQL
access_combined cisco_syslog Splunk
Splunk main
[]
6. [] [] [ regex]
host Sampledata.zip [ regex] Splunk (regex)
7. []
Linux\Unix
Sampledata.zip:./([^/]+)/
Windows
Sampledata.zip:.\\([^/]+)/
regex (Linux/Unix) Sampledata.zip/ (Windows) Sampledata.zip\
8. []
Splunk
[] []
Splunk
Splunk
[] Splunk
[]
Splunk [] Splunk
[] Splunk []
[] [
[] Splunk ()[] Splunk [] Splunk [] Splunk
Splunk () []
Splunk
1. []
[] Apache mySQL Apache access_combined_wcookie []
Splunk [] []
2. [] access_combined_wcookie
Splunk []
-- []
[] [] ([] ) ([] ) [] ()
[][][][] [] [] [] []
Splunk Splunk () Splunk
[] host, source, sourcetype [] Splunk
Splunk ( [] ) ( [] ) [] CSV, XML, JSON []
[] []
-- IP 10.2.1.44
Splunk Splunk Enter ()
(access_combined_wcookie) []
1. IP
sourcetype="access_combined_wcookie" 10.2.1.44
Splunk
Splunk
[]
2. IP IP ( Enter)
Splunk
Splunk
3.
()
purchase
4. purchase
sourcetype="access_combined_wcookie" 10.2.1.44 purchase
Splunk
Splunk
Apache access_combined HTTP 200
Splunk AND, OR, NOT
5. NOT
sourcetype="access_combined_wcookie" 10.2.1.44 purchase NOT 200
AND 5
sourcetype="access_combined_wcookie" AND 10.2.1.44 AND purchase NOT 200
HTTP (503) (404)
Splunk
( 6 ) alt Splunk
6. 404 alt
NOT 404
Splunk
TERM() CASE()
Splunk
[] [] () [] () [] []
24 1 bar = 1 hour [] 1 bar = 1day
(10.2.1.44)
1.
sourcetype="access_combined_wcookie" 10.2.1.44 purchase NOT 200 NOT 404
2.
Splunk (1 = 1 )
3.
Splunk
4.
Splunk
[]() (1 = 1 )
5.
()
6.
*
Splunk (*) Splunk
-- mySQL IT
Splunk 15 Splunk
1. []
error OR failed OR severe OR (sourcetype=access_* (404 OR 500 OR 503))
Splunk Splunk OR AND NOT access_* Apache access_common access_combined
() error, failed, severe HTTP 404, 500, 503
2. [] [] > []
3. Enter
( [] )
mySQL 404 ...
404 IT
Splunk
[] [...]
Splunk
Splunk
Splunk []
() ()
Splunk /
IP clientip _time host [From] [To] [Cc]
()
Splunk
Splunk host, source, sourcetype ()
Splunk -- search-time
1. [] [] > []
sourcetype="access_*"
sourcetype=access_* Splunk
fieldname="fieldvalue"
sourcetype access_combined_wcookie access_ ( access_commonaccess_combined access_combined_wcookie)
2.
access_combined Apache
IP URI URL HTTP
Splunk [] [] Splunk
host, source, sourcetype []
3. [] Splunk
clientip, method, and status()
4. []
[] Splunk
[] Splunk ( [] ) [] () (host, source, and sourcetype)
5. []
Splunk Splunk -- timestamp ( date_* ) (punct) (index)
action, category_id, product_id
action
category_id
product_id
6. [] action, category_id, product_id
7. []
[]
Splunk action 2 category_id 5 product_id 9 -- Splunk
8. [] action [action]
action
Splunk action purchase update action 71% ()
9. category_id () product_id ()
category_id product_id
1
[] > []
error OR failed OR severe OR (sourcetype=access_* (404 OR 500 OR 503))
HTTP status
error OR failed OR severe OR (sourcetype=access_* (status=404 OR status=500 OR status=503))
--
Splunk Splunk /
2
sourcetype=access_* purchase flower*
flowerflowerflowers
() action=update category_id flowers
[] > []
sourcetype=access_* action=purchase category_id=flower*
flower* category_id (FLOWERS)
Splunk
/
Splunk
sourcetype=access_* action=purchase category_id=flowers
Splunk
1.
1.
sourcetype=access_* action=purchase
search ()
2. |
Splunk
Splunk -- top
3. [] [top]
Splunk top
top --
4. category_id
sourcetype=access_* action=purchase | top category_id
category_id top
top count percent top
()
2
1.
Splunk / category=flowers 2
Splunk Splunk
3
1.