Splunk初識

目錄

• 網址匯總
• 注冊與下載
• 安裝
• 使用
  • 中文環境
  • 關於APP
    • Splunk自帶的APP
    • 創建自己的APP
  • 添加數據
    • 本地文件添加
      • CSV文件
      • LOG文件
    • 通過監視添加數據
    • 自定義列
  • 查詢語句
    • SPL 與 SQL對照
    • 命令查找
    • accum
    • addcoltotals
    • addtotals
    • stats
    • eval
    • head
    • timechart
    • chart
    • sort
    • dedup
    • fields
    • 能夠出可視化圖表的命令
  • 關於儀表板面板
    • 通過Search創建Dashboard
    • 配置儀表板的導航
    • 使用自定義的JS 與CSS

網址匯總

官網：https://www.splunk.com/

下載：https://www.splunk.com/en_us/download.html

文檔：https://docs.splunk.com/Documentation/Splunk/8.0.0

管理員手冊：https://docs.splunk.com/images/0/00/Splunk-6.5.0-zh_CN-Admin.pdf

注冊與下載

注： 官網注冊賬號需要審核，下載鏈接只有登錄才能獲得，可以直接使用下面的下載鏈接。可以直接下載，鏈接是免費版的Splunk。

1. windows下載鏈接：https://download.splunk.com/products/splunk/releases/8.0.0/windows/splunk-8.0.0-1357bef0a7f6-x64-release.msi
2. rpm下載鏈接： https://download.splunk.com/products/splunk/releases/8.0.0/linux/splunk-8.0.0-1357bef0a7f6-linux-2.6-x86_64.rpm
3. tgz下載鏈接：https://download.splunk.com/products/splunk/releases/8.0.0/linux/splunk-8.0.0-1357bef0a7f6-Linux-x86_64.tgz

安裝

# 使用 tgz 進行安裝 
tar -xf splunk-8.0.0-1357bef0a7f6-Linux-x86_64.tgz
cd ./splunk/bin
./splunk startcurl
#

用物理機 訪問 hostname:8000，輸入賬號密碼。

使用

中文環境

默認進入的環境是英文環境，可以直接改url

默認的：http://test:8000/en-GB/app/launcher/home

更改為：http://test:8000/zh-CN/app/launcher/home

第一次進入的時候，會有使用教程進行提示

關於APP

APPs會為一些想要使用的場景提供解決方案，不能的APP可能是對業務層面的隔離，也可能具體到某曾數據層面的隔離。比如：我擁有一組服務器的LOG而對於這個LOG可能就可以創建一個APP，里面都是對於LOG信息的可視化展示。

Splunk自帶的APP

Splunk提供了一組APP，可以直接安裝在你的Server上，訪問：http://test:8000/zh-CN/manager/launcher/appsremote?offset=0&count=20&order=latest。可以查找應用。

推薦安裝Splunk Dashboard Examples來學習。需要登錄官方賬號與密碼。

可以通過例子，對Splunk有一個深入的了解。

創建自己的APP

進入管理應用:http://test:8000/zh-CN/manager/simple_xml_examples/apps/local 右上角有創建APP

進入APP

添加數據

點擊如圖的位置進行數據添加。

添加數據可以直接從Splunk的合作平台直接鏈接過來。我們嘗試手動添加數據。

本地文件添加

到官網查看 支持的本地文件類型:https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchTutorial/AboutgettingdataintoSplunk。

如下是我提取的表格：

Data source	Description
Files and directories	Most data that you might be interested in comes directly from files and directories.
Network events	The Splunk software can index remote data from any network port and SNMP events from remote devices.
IT Operations	Data from IT Ops, such as Nagios, NetApp, and Cisco.
Cloud services	Data from Cloud services, such as AWS and Kinesis.
Database services	Data from databases such as Oracle, MySQL, and Microsoft SQL Server.
Security services	Data from security services such as McAfee, Microsoft Active Directory, and Symantec Endpoint Protection.
Vituralization services	Data from virtualization services such as VMWare and XenApp.
Application servers	Data from application servers such as JMX & JMS, WebLogic, and WebSphere.
Windows sources	The Windows version of Splunk software accepts a wide range of Windows-specific inputs, including Windows Event Log, Windows Registry, WMI, Active Directory, and Performance monitoring.
Other sources	Other input sources are supported, such as FIFO queues and scripted inputs for getting data from APIs, and other remote data interfaces.

CSV文件

准備了這樣一份CSV

按照步驟依次

全部默認就可以。

我們點擊開始搜索查看數據

返回到APP首頁可以查看數據已經有了

LOG文件

准備這樣一份log文件

[2019-04-04 11:33:32.722]: entering -- org.netbeans.installer.Installer.main():81
[2019-04-04 11:33:32.725]: initializing the installer engine
[2019-04-04 11:33:32.725]:     entering -- org.netbeans.installer.Installer.<init>():116
[2019-04-04 11:33:32.725]:     ... initializing ErrorHandler
[2019-04-04 11:33:32.726]:     ... end of ErrorHandler initialization
[2019-04-04 11:33:32.726]:     exiting -- org.netbeans.installer.Installer.<init>():116
[2019-04-04 11:33:32.726]:     entering -- org.netbeans.installer.Installer.<init>():117
[2019-04-04 11:33:32.727]:     dumping target system information
[2019-04-04 11:33:32.727]:         system properties:
[2019-04-04 11:33:32.728]:             awt.toolkit => sun.awt.windows.WToolkit
[2019-04-04 11:33:32.728]:             file.encoding => GBK
[2019-04-04 11:33:32.729]:             file.encoding.pkg => sun.io
[2019-04-04 11:33:32.729]:             file.separator => \
[2019-04-04 11:33:32.729]:             java.awt.graphicsenv => sun.awt.Win32GraphicsEnvironment
[2019-04-04 11:33:32.729]:             java.awt.printerjob => sun.awt.windows.WPrinterJob

查看數據

通過監視添加數據

我們選擇添加數據的監視

監測一個文件

自定義列

有些時候Splunk可能無法自動識別列，我們可以自定義規則來提取列

我自定義一個log type的列，提取log中標識當前屬於什么log的位置。這樣我們就可以對這個系統的log進行分析。

查詢語句

Splunk將數據導入后，通過SPL將數據查詢出來，然后通過可視化工具進行顯示。

SPL 與 SQL對照

訪問：https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/SQLtoSplunk

SQL command	SQL example	Splunk SPL example	備注
SELECT *	SELECT * FROM mytable	source=mytable	source就相當於table
WHERE	SELECT * FROM mytable WHERE mycolumn=5	source=mytable mycolumn=5
SELECT	SELECT mycolumn1, mycolumn2 FROM mytable	source=mytable | FIELDS mycolumn1, mycolumn2	通過fields可以規定查詢哪幾列
AND/OR	SELECT * FROM mytable WHERE (mycolumn1="true" OR mycolumn2="red") AND mycolumn3="blue"	source=mytable AND (mycolumn1="true" OR mycolumn2="red") AND mycolumn3="blue"
AS (alias)	SELECT mycolumn AS column_alias FROM mytable	source=mytable | RENAME mycolumn as column_alias | FIELDS column_alias	rename關鍵字
BETWEEN	SELECT * FROM mytable WHERE mycolumn BETWEEN 1 AND 5	source=mytable mycolumn>=1 mycolumn<=5
GROUP BY	SELECT mycolumn, avg(mycolumn) FROM mytable WHERE mycolumn=value GROUP BY mycolumn	source=mytable mycolumn=value | STATS avg(mycolumn) BY mycolumn | FIELDS mycolumn, avg(mycolumn)	stats對結果分組，並取平均值
LEFT (OUTER) JOIN	SELECT * FROM mytable1 LEFT JOIN mytable2 ON mytable1.mycolumn= mytable2.mycolumn	source=mytable1 | JOIN type=left mycolumn [SEARCH source=mytable2]	[SEARCH..]相當於一個子查詢了，然后進行連接
TRUNCATE TABLE	TRUNCATE TABLE mytable	source=mytable | DELETE
UNION	SELECT mycolumn FROM mytable1 UNION SELECT mycolumn FROM mytable2	source=mytable1 | APPEND [SEARCH source=mytable2] | DEDUP mycolumn	APPEND相當於將當前查詢與子查詢組合起來
UNION ALL	SELECT * FROM mytable1 UNION ALL SELECT * FROM mytable2	source=mytable1 | APPEND [SEARCH source=mytable2]	區別在於，不需要去重字段

命令查找

https://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/Abstract

accum

累計求和

host="bmp-mysql" source="splunk_kane_test.csv"| accum age as test | table test,age

[test](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"| accum age as test | table test%2Cage&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=50&sid=1575270504.1260#)	[age](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"| accum age as test | table test%2Cage&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=50&sid=1575270504.1260#)
20(20)	20
50(20+30)	30
81(20+30+31)(51+31)	31

addcoltotals

增加單列求和

host="bmp-mysql" source="splunk_kane_test.csv"| addcoltotals age sex|table _time,age

會在age,sex兩列的最下面增加總數的計算。589、11都是整列的求和，沒寫的列不會求和

[_time](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"| addcoltotals age sex|table _time%2Cage%2Csex&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&sid=1575270911.1266#)	[age](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"| addcoltotals age sex|table _time%2Cage%2Csex&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&sid=1575270911.1266#)	[sex](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"| addcoltotals age sex|table _time%2Cage%2Csex&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&sid=1575270911.1266#)
2019/12/02 10:48:21	25	1
2019/12/02 10:48:21	...
	589	11##

addtotals

對列、行求和

host="bmp-mysql" source="splunk_kane_test.csv"|table Name age sex| addtotals  fieldname="Row Totals" col=true labelfield=Name label=Total
# fieldname是對行求和新加的列
# col = true意思是隊列求和 false就不求和了
# labelfield對列求和刨除的列，相應的求和的標簽也會放在這一列的下面
# label對列求和的標簽

[Name](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"|table Name age sex| addtotals fieldname%3D"Row Totals" col%3Dtrue labelfield%3DName label%3DTotal&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&sid=1575272391.1292#)	[age](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"|table Name age sex| addtotals fieldname%3D"Row Totals" col%3Dtrue labelfield%3DName label%3DTotal&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&sid=1575272391.1292#)	[sex](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"|table Name age sex| addtotals fieldname%3D"Row Totals" col%3Dtrue labelfield%3DName label%3DTotal&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&sid=1575272391.1292#)	[Row Totals](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"|table Name age sex| addtotals fieldname%3D"Row Totals" col%3Dtrue labelfield%3DName label%3DTotal&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&sid=1575272391.1292#)
name22	20	1	21
...	...	...	...
Total	589	11	600

stats

對數據進行分組

host="bmp-mysql" source="splunk_kane_test.csv"|table Name age sex| stats avg(age)  as avg_age by sex
#通過sex對age進行分區，並取平均值

[sex](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"|table Name age sex| stats avg(age) as avg_age by sex&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&sid=1575272991.1301#)	[avg_age](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"|table Name age sex| stats avg(age) as avg_age by sex&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&sid=1575272991.1301#)
0	26.545454545454547
1	27

關於stats中可以使用的方法

Type of function	Supported functions and syntax
Aggregate functions	avg() count() distinct_count() estdc() estdc_error()	exactperc() max() median() min() mode()	perc() range() stdev() stdevp()	sum() sumsq() upperperc() var() varp()
Event order functions	first()	last()
Multivalue stats and chart functions	list()	values()
Time functions	earliest() earliest_time()	latest() latest_time()	rate()

eval

通過表達式進行一些計算

host="bmp-mysql" source="splunk_kane_test.csv"|table Name age sex| eval test=age+sex |table test,age
# 算age與sex的合，給新的列test。最終將test列結果輸出出來

[test](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"|table Name age sex| eval test%3Dage%2Bsex |table test%2Cage%2Csex&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&sid=1575273199.1304#)	[age](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"|table Name age sex| eval test%3Dage%2Bsex |table test%2Cage%2Csex&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&sid=1575273199.1304#)	[sex](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"|table Name age sex| eval test%3Dage%2Bsex |table test%2Cage%2Csex&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&sid=1575273199.1304#)
25	25	0
26	25	1
29	29	0
31	30	1

eval可以用if case 很多函數，參照https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Eval#Functions

關於if的例子

host="bmp-mysql" source="splunk_kane_test.csv"|table Name age sex| eval test=if(sex=="1","男","女") |table test,age,sex

head

限制結果的數量

host="bmp-mysql" source="splunk_kane_test.csv"|table Name age sex| eval test=if(sex=="1","男","女") |table test,age,sex|head 1
# 只顯示第一行了

timechart

新建時間序列圖表，這個查詢會默認添加上_time這一列

host="bmp-mysql" source="splunk_kane_test.csv"|timechart avg(age) by sex
# 這個要表達的意思是 統計每種性別的平均年齡，並且統計每個時間段的

[_time](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"|timechart avg(age) by sex&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&sid=1575273704.1317#)	[0](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"|timechart avg(age) by sex&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&sid=1575273704.1317#)	[1](http://test:8000/zh-CN/app/test/search?q=search host%3D"bmp-mysql" source%3D"splunk_kane_test.csv"|timechart avg(age) by sex&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&display.prefs.events.count=50&display.events.type=list&display.page.search.tab=statistics&display.general.type=statistics&display.prefs.statistics.count=100&sid=1575273704.1317#)
2019/12/01 16:00:00
2019/12/02 10:30:00	26.545454545454547	27

會出一個這樣的圖。如果每個時間段都有數據進來的話，就會統計每個時間段內進來的數據，按照性別區分的平均年齡

chart

制作圖表，這個不帶有時間，直接通過sex計算平均值

host="bmp-mysql" source="splunk_kane_test.csv"|chart avg(age) by sex

sort

對字段排序，可多字段

host="bmp-mysql" source="splunk_kane_test.csv"|chart avg(age) by sex | sort - sex
# sex 倒序

dedup

對列去重

fields

列出列，不列出的列在結果中不顯示

能夠出可視化圖表的命令

在Splunk中有一種類型的命令叫做transfroming command這些命令，可以出可視化的圖表

addtotals,chart,cofilter,contingency,eventstats,history,makecontinuous,mvcombine,rare,stats,table,timechart,top,xyseries
# 常用的有
addtotals,chart,stats,table,timechart

關於儀表板面板

通過Search創建Dashboard

host="bmp-mysql" source="splunk_kane_test.csv"|stats values(age) by Name

統計信息

可視化圖表，可切換圖表的顯示方式

另存為儀表板面板在右上角

查看儀表板

我們可以在編輯頁面里面繼續修改

配置儀表板的導航

設置(Settings) -----> 用戶界面(User Interfaces) -----------> Navigation menus
選中自己的APP然后進行編輯下面的是默認的

<nav search_view="search">
  <view name="search" default='true' />
  <view name="datasets" />
  <view name="reports" />
  <view name="alerts" />
  <view name="dashboards" />
</nav>

使用自定義的JS 與CSS

我們可以這樣上傳自己的自定義的文件，此操作會在服務器上當前APP的目錄/splunk/splunk/etc/apps/test下創建/appserver/static並在這個文件夾下。