SPLUNK installation, configuration and common search syntax
2014-01-28 13:07
1) Installation and configuration environment:
CentOS 6.2. Start the installation:
First disable SELinux (setenforce 0 takes effect immediately; the edit to the config file makes it persist across reboots):
#vi /etc/sysconfig/selinux
SELINUX=disabled
#setenforce 0
Unpack the tarball downloaded earlier from the official site and install it:
#tar -zxvf splunk-6.0.1-189883-Linux-x86_64.tgz
#cd ..
#mv splunk /usr/local
#cd /usr/local/splunk/bin
#./splunk enable boot-start
The first run prints:
This appears to be your first time running this version of Splunk.
Copying '/usr/local/splunk/etc/openldap/ldap.conf.default' to '/usr/local/splunk/etc/openldap/ldap.conf'
Moving '/usr/local/splunk/share/splunk/search_mrsparkle/modules.new' to '/usr/local/splunk/share/splunk/search_mrsparkle/modules'.
Init script installed at /etc/init.d/splunk.
Init script is not configured to run at boot.
The copy and move steps above are performed by Splunk itself during first-run setup; nothing needs to be copied by hand. Now start the service:
#/etc/init.d/splunk start
Starting Splunk...
Splunk> Take the sh out of IT.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking configuration... Done.
Creating: /usr/local/splunk/var/lib/splunk
Creating: /usr/local/splunk/var/run/splunk
Creating: /usr/local/splunk/var/run/splunk/appserver/i18n
Creating: /usr/local/splunk/var/run/splunk/appserver/modules/static/css
Creating: /usr/local/splunk/var/run/splunk/upload
Creating: /usr/local/splunk/var/spool/splunk
Creating: /usr/local/splunk/var/spool/dirmoncache
Creating: /usr/local/splunk/var/lib/splunk/authDb
Creating: /usr/local/splunk/var/lib/splunk/hashDb
Checking critical directories... Done
Checking indexes...
Validated: _audit _blocksignature _internal _thefishbucket history main summary
Done
New certs have been generated in '/usr/local/splunk/etc/auth'.
Checking filesystem compatibility... Done
Checking conf files for typos... Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)... Done [ OK ]
Starting splunkweb...
Generating certs for splunkweb server
Generating a 1024 bit RSA private key
.............++++++
.....................................................++++++
writing new private key to 'privKeySecure.pem'
-----
Signature ok
subject=/CN=localhost.localdomain/O=SplunkUser
Getting CA Private Key
writing RSA key [ OK ]
Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://127.0.0.1:8000
Open a browser and visit that URL. Make sure the firewall allows the ports first; the original post simply stopped it:
#service iptables stop
Stopping iptables exposes every listening service on the host, not just Splunk. For anything beyond a throwaway lab, keep the firewall running and permit only TCP 8000 (web interface) and TCP 8089 (management port), and restrict 8089 to the forwarders and admin hosts that actually need it. Note also that the certificate generated above is a 1024-bit key self-signed for CN=localhost.localdomain, and that the web interface is served over plain HTTP; both are fine for a lab but should be replaced with a proper certificate and HTTPS before real credentials pass through this instance.
2) Common syntax
Full-text search
Type the term directly in the search box:
purchase
Finds events containing the word "purchase".
Field search
fieldname="term":
source="Sampledata.zip:./apache3.splunk.com/access_combined.log"
Finds events whose source is "Sampledata.zip:./apache3.splunk.com/access_combined.log".
Wildcard search
source="Sampledata.zip:./apache*"
Finds events from every source whose name begins with apache.
Boolean combination search
source="Sampledata.zip:./apache3.splunk.com/access_combined.log" purchase NOT 200
Finds events from that source that contain "purchase" and do not contain 200. Terms written side by side are ANDed implicitly. A bare 200 matches that token anywhere in the event (byte counts, ids), not only in the status field.
Nested search
Finding error codes:
error OR failed OR (sourcetype=access* (404 OR 500 OR 503))
You can of course name the status field explicitly, which avoids matching 404/500/503 in other fields:
(sourcetype=access* (status=404 OR status=500 OR status=503)) host="apache3.splunk.com"
Search commands (after the pipe)
source="Sampledata.zip:./apache*" | top 10 product_id
The 10 most requested product ids.
source="Sampledata.zip:./apache*" | top limit=1 clientip
The client IP with the most events. Note that this is the most active client, not the biggest buyer: nothing in the search filters on action=purchase.
source="Sampledata.zip:./apache*" action=purchase clientip=233.77.49.50 | stats count, values(product_id) by clientip
The products purchased from the given client IP, with the purchase count.
source="Sampledata.zip:./apache*" category_id=flowers | stats dc(clientip)
How many distinct clients accessed products in the flowers category (add action=purchase to count only those who bought).
source="Sampledata.zip:./apache*" category_id=flowers | stats count BY clientip
Number of flower events per distinct client.
source="Sampledata.zip:./apache*" category_id=flowers | stats count AS "flowers purchased" BY clientip | rename clientip AS "customer"
Result columns can be renamed.
Subsearch
A subsearch is enclosed in []. The bracketed part is executed first, and its result is substituted into the outer search, which then runs. A subsearch must begin with the search command. Subsearches are somewhat slower.
source="Sampledata.zip:./apache*" action=purchase [search sourcetype=access_* action=purchase | top limit=1 clientip | table clientip] | stats count, values(product_id) as product_id by clientip | rename count AS "purchases", product_id AS "products purchased", clientip AS "vip user"
Here the subsearch returns a single clientip, which becomes a clientip=<value> term of the outer search; the outer search then counts that client's purchases and lists the distinct product ids.
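To make the semantics of the pipe commands and the subsearch concrete, the following is an added Python example, not Splunk's code and not from the original post. It emulates, over a handful of constructed access_combined lines, what the searches above compute: `search` is field=value filtering with a trailing `*` wildcard, `top`, `dc` and `stats_count_values_by` stand in for `| top`, `| stats dc()` and `| stats count, values() by`, and `purchases_of_top_buyer` runs the subsearch pipeline in the order Splunk does (inner search first, its single clientip substituted into the outer search). It also shows the difference between `category_id=flowers | stats dc(clientip)` and the same search with `action=purchase` added. The log lines, the regular expression used as the access_combined extraction, and the product/category ids other than those already on the page are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample events in Apache access_combined format (not real data).
# The client IP 233.77.49.50 and the flowers category mirror the page's examples.
SAMPLE_LOG = """\
10.2.1.34 - - [28/Jan/2014:13:07:01 +0800] "GET /product.screen?product_id=FL-DSH-01&category_id=flowers HTTP/1.1" 200 1318 "-" "Mozilla/5.0"
10.2.1.34 - - [28/Jan/2014:13:07:05 +0800] "GET /cart.do?action=purchase&product_id=FL-DSH-01&category_id=flowers HTTP/1.1" 200 2534 "-" "Mozilla/5.0"
233.77.49.50 - - [28/Jan/2014:13:08:10 +0800] "GET /cart.do?action=purchase&product_id=FL-DSH-01&category_id=flowers HTTP/1.1" 200 2534 "-" "Mozilla/5.0"
233.77.49.50 - - [28/Jan/2014:13:08:30 +0800] "GET /cart.do?action=purchase&product_id=FL-DLH-02&category_id=flowers HTTP/1.1" 200 2534 "-" "Mozilla/5.0"
233.77.49.50 - - [28/Jan/2014:13:09:00 +0800] "GET /cart.do?action=purchase&product_id=GF-SE-01&category_id=gifts HTTP/1.1" 200 2534 "-" "Mozilla/5.0"
192.168.5.7 - - [28/Jan/2014:13:09:20 +0800] "GET /cart.do?action=view&product_id=FL-DSH-01&category_id=flowers HTTP/1.1" 404 512 "-" "curl/7.19"
192.168.5.7 - - [28/Jan/2014:13:09:21 +0800] "GET /cart.do?action=purchase&product_id=GF-SE-01&category_id=gifts HTTP/1.1" 503 0 "-" "curl/7.19"
"""

# Assumed access_combined extraction; field names follow Splunk's (clientip, status, uri, ...).
ACCESS_COMBINED = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)


def parse_events(raw):
    """Turn raw log text into event dicts, with query-string keys promoted to fields."""
    events = []
    for line in raw.splitlines():
        m = ACCESS_COMBINED.match(line)
        if not m:
            continue  # Splunk would still index the raw line; this emulation drops it
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        # Splunk's automatic key=value extraction picks action=, product_id=, category_id= out of the URI
        ev.update(parse_qsl(urlsplit(ev["uri"]).query))
        events.append(ev)
    return events


def search(events, **terms):
    """field=value filtering; a trailing '*' is a prefix wildcard (e.g. status="5*")."""
    def matches(ev):
        for field, want in terms.items():
            have = str(ev.get(field, ""))
            if want.endswith("*"):
                if not have.startswith(want[:-1]):
                    return False
            elif have != want:
                return False
        return True
    return [ev for ev in events if matches(ev)]


def top(events, field, limit=10):
    """`| top limit=N field`: (value, count) pairs, most frequent first (ties broken by value)."""
    counts = Counter(ev[field] for ev in events if field in ev)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def dc(events, field):
    """`| stats dc(field)`: number of distinct values of the field."""
    return len({ev[field] for ev in events if field in ev})


def stats_count_values_by(events, by, values_field):
    """`| stats count, values(values_field) by <by>`; values() is a sorted, de-duplicated list."""
    count = Counter()
    values = defaultdict(set)
    for ev in events:
        if by not in ev:
            continue  # events lacking the split-by field are dropped, as in Splunk
        count[ev[by]] += 1
        if values_field in ev:
            values[ev[by]].add(ev[values_field])
    return {k: {"count": count[k], "values": sorted(values[k])} for k in count}


def purchases_of_top_buyer(events):
    """The page's subsearch: [search action=purchase | top limit=1 clientip | table clientip]
    runs first; its single clientip becomes a clientip=<value> term of the outer search."""
    purchases = search(events, action="purchase")
    vip = top(purchases, "clientip", limit=1)[0][0]
    return vip, stats_count_values_by(search(purchases, clientip=vip), "clientip", "product_id")


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("top product_id:", top(ev, "product_id"))
    print("distinct clients on flowers:", dc(search(ev, category_id="flowers"), "clientip"),
          "of which buyers:", dc(search(ev, category_id="flowers", action="purchase"), "clientip"))
    print("top buyer and purchases:", purchases_of_top_buyer(ev))
```

On the constructed sample, `category_id=flowers | stats dc(clientip)` reports three clients, but only two of them ever purchased; the third only viewed a product. That is exactly the gap between "how many users looked at flowers" and "how many users bought flowers" that the extra `action=purchase` term closes.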
Appendix: the two sample data archives used in the official documentation exercises, and the spl_splunk syntax comparison table.
Note: because of the blog's upload size limit, the Splunk installer archive cannot be attached; download it from the official site.
Attachment: http://down.51cto.com/data/2364036