SPLUNK 安装配置及常用语法

#vi /etc/sysconfig/selinux
SELINUX=disabled
setenforce 0

#tar -zxvf splunk-6.0.1-189883-Linux-x86_64.tgz
#cd ..
#mv splunk /usr/local
#cd /usr/local/splunk/bin
#./splunk enable boot-start

This appears to be your first time running this version of Splunk.
Copying '/usr/local/splunk/etc/openldap/ldap.conf.default' to '/usr/local/splunk/etc/openldap/ldap.conf'
Moving '/usr/local/splunk/share/splunk/search_mrsparkle/modules.new' to '/usr/local/splunk/share/splunk/search_mrsparkle/modules'.
Init script installed at /etc/init.d/splunk.
Init script is not configured to run at boot.

#/etc/init.d/splunk start
Starting Splunk...
Splunk> Take the sh out of IT.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration...  Done.
Creating: /usr/local/splunk/var/lib/splunk
Creating: /usr/local/splunk/var/run/splunk
Creating: /usr/local/splunk/var/run/splunk/appserver/i18n
Creating: /usr/local/splunk/var/run/splunk/appserver/modules/static/css
Creating: /usr/local/splunk/var/run/splunk/upload
Creating: /usr/local/splunk/var/spool/splunk
Creating: /usr/local/splunk/var/spool/dirmoncache
Creating: /usr/local/splunk/var/lib/splunk/authDb
Creating: /usr/local/splunk/var/lib/splunk/hashDb
Checking critical directories...        Done
Checking indexes...
Validated: _audit _blocksignature _internal _thefishbucket history main summary
Done
New certs have been generated in '/usr/local/splunk/etc/auth'.
Checking filesystem compatibility...  Done
Checking conf files for typos...        Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Done
[确定]
Starting splunkweb...  Generating certs for splunkweb server
Generating a 1024 bit RSA private key
.............++++++
.....................................................++++++
writing new private key to 'privKeySecure.pem'
-----
Signature ok
subject=/CN=localhost.localdomain/O=SplunkUser
Getting CA Private Key
writing RSA key
[确定]
Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com 
The Splunk web interface is at http://127.0.0.1:8000[/code]打开浏览器，进行访问,同时确保防火墙和访问端口: 
#service iptables stop

二)常用语法

全文搜索
搜索框直接输入”搜索词“   　 purchase     查找匹配词”purchase“
字段搜索
字段名=”搜索词“     source="Sampledata.zip:./apache3.splunk.com/access_combined.log"     查找数据来源为"Sampledata.zip:./apache3.splunk.com/access_combined.log"
通配符搜索
source="Sameledata.zip:.apache*"     查找数据来源为apache开头的所有来源
逻辑组合搜索
source="Sampledata.zip:./apache3.splunk.com/access_combined.log" purchase NOT 200    查找数据来源为"Sampledata.zip:./apache3.splunk.com/access_combined.log" 并且字符串匹配词 "purchase" 并且字符串中不匹配200
嵌套搜索
查找错误码　 error OR failed OR (souretype = access*(404 OR 500 OR 503))    当然你可以加上status字段    (sourcetype=access*(status=404 OR status=500 OR status=503)) host="apache3.splunk.com"
使用管理命令
source="Sampledata.zip:./apache*" | top 10 product_id    获取最多访问的10个产品id　    source="Sampledata.zip:./apache*" | top  limit=1 clientip    获取消费最多的客户端ip    source="Sampledata.zip:./apache*"  action=purchase clientip=233.77.49.50|stats count, values(product_id) by clientip    获取指定客户端IP购买的产品,并汇总数量    source="Sampledata.zip:./apache*" category_id = flowers| statsdc(clientip)    统计有多少用户购买了鲜花类的产品　 source="Sampledata.zip:./apache*" category_id=flowers| stats count BY clientip    每个独立用户购买鲜花的数量    source="Sampledata.zip:./apache*" category_id=flowers| stats count AS "购买鲜花数量" BY clientip |rename clientip AS 客户 　 我们可以对结果进行重命名
子搜索
子搜索部分使用[]起来，中括号的部分会先被执行，然后再执行外面搜索部分。    子搜索命令需用search开头    子搜索的速度稍微慢一些    source="Sampledata.zip:./apache*" action=purchase [search sourcetype=access_* action=purchase|top limit=1 clientip|table clientip] | stats count, values(product_id) as product_id by clientip |rename count AS "购买数量",product_id AS "购买产品内容" clientip AS "vip用户"

附：官网文档实验中用到的2个数据文本样例压缩包、及spl_splunk语法对比表。
注：由于博客文件上传容量限制，splunk安装压缩包无法上传，需要的朋友请官网自行下载。

附件：http://down.51cto.com/data/2364036