Splunk Fundamentals 1 Lab Exercises

I changed jobs and joined a new company; the first task my manager gave me was to go to the Splunk website and learn from the videos. Below are some notes I took.

Splunk website login URL: https://www.splunk.com/page/sign_up

1. lab3

  1.1. Download the installer from the official site, put it under the /opt directory and extract it.

  1.2. Start Splunk: change into Splunk's bin directory, then run sudo ./splunk start --accept-license to start it.

2. lab4 - Ingesting data

  2.1. Download the file: http://splk.it/f1data

  2.2. Upload the three files acc, db_audit and linux, one after another.

3. lab5 - Searching

  3.1. Search: error OR fail*

  3.2. Search: fail* AND password "port 22"

  3.3. In the "Job" menu, change the read/write permissions to everyone and the job lifetime to 7 days.

4. lab6 - Using fields in searches

  4.1. Search: index=main sourcetype=access_combined_wcookie action=purchase, with the time range set to All time

5. lab8 - Basic commands

  5.1. Search: host=web_application action=purchase status=200

  5.2. Search: host=web_application action=purchase status=200 file=success.do

  5.3. Search: host=web_application action=purchase status=200 file=success.do
| fields action,JSESSIONID,status

  5.4. Search: host=web_application action=purchase status=200 file=success.do
| table JSESSIONID,action,status

  5.5. Search: host=web_application action=purchase status=200 file=success.do
| table JSESSIONID,action,status
| rename JSESSIONID AS "user sessions"

  5.6. Search: host=web_application action=purchase status=200 file=success.do
| table JSESSIONID,action,status
| rename JSESSIONID AS "user sessions"
| sort "user sessions"

  5.7. Search: host=web_application action=purchase status=200 file=success.do
| table JSESSIONID action status
| rename JSESSIONID AS "user sessions"
| dedup "user sessions"

  5.8. Search: host=web_application action=purchase status=200 file=success.do
| table JSESSIONID
| rename JSESSIONID AS "user sessions"
| dedup "user sessions"

  5.9. Search: index=main sourcetype=access_combined_wcookie action=purchase status=200

  5.10. Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do

  5.11. Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
| fields action JSESSIONID status

  5.12. Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
| table action JSESSIONID status

  5.13. Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
| table JSESSIONID, action, status

  5.14. Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
| table JSESSIONID, action, status
| rename JSESSIONID as UserSessions

  5.15. Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
| table JSESSIONID, action, status
| rename JSESSIONID as UserSessions
| sort UserSessions

  5.16. Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
| dedup JSESSIONID
| table JSESSIONID, action, status
| rename JSESSIONID as UserSessions

  5.17. Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
| dedup JSESSIONID
| table JSESSIONID
| rename JSESSIONID as UserSessions

6. lab9 - Transforming commands

  6.1. Search: index=main sourcetype=access_combined_wcookie file=success.do

  6.2. Search: index=main sourcetype=access_combined_wcookie action=purchase file=success.do
| top productId

  6.3. Search: index=main sourcetype=access_combined_wcookie action=purchase file=success.do
| top productId limit=5

  6.4. Search: index=main sourcetype=access_combined_wcookie file=success.do
| top productId limit=5 showperc=false

  6.5. Search: index=main sourcetype=access_combined_wcookie status=200

  6.6. Search: index=main sourcetype=access_combined_wcookie status=200
| rare file

  6.7. Search: index=main sourcetype=access_combined_wcookie status=200 | rare file by date_month

  6.8. Search: index=main sourcetype=access_combined_wcookie file=success.do OR file=cart.do status=200

  6.9. Search: index=main sourcetype=access_combined_wcookie file=success.do OR file=cart.do status=200
| stats count by file

  6.10. Search: index=main sourcetype=access_combined_wcookie file=success.do OR file=cart.do status=200
| stats count by file
| rename count as Transactions
  or, equivalently: index=main sourcetype=access_combined_wcookie file=success.do OR file=cart.do status=200 | stats count as Transactions by file

  6.11. Search: index=main sourcetype=access_combined_wcookie file=success.do OR file=cart.do status=200
| stats count as Transactions by file
| rename file as Function

  6.12. Search: index=main sourcetype=access_combined_wcookie
| stats dc(JSESSIONID) # count the sessions with duplicates removed

  6.13. Search: index=main sourcetype=access_combined_wcookie
| stats dc(JSESSIONID) as Logins # name the dc(JSESSIONID) column Logins

  6.14. Search: index=main sourcetype=access_combined_wcookie
| stats dc(JSESSIONID) as Logins by clientip # split Logins by clientip

  6.15. Search: index=main sourcetype=access_combined_wcookie
| stats dc(JSESSIONID) as Logins by clientip
| sort -Logins # sort the result of the previous step

  6.16. Search: index=main sourcetype=access_combined_wcookie status=200

  6.17. Search: index=main sourcetype=access_combined_wcookie status=200
| stats sum(bytes) as TotalBytes # total bandwidth used, named TotalBytes

  6.18. Search: index=main sourcetype=access_combined_wcookie status=200
| stats sum(bytes) as TotalBytes by file # split TotalBytes by file

  6.19. Search: index=main sourcetype=access_combined_wcookie status=200
| stats sum(bytes) as TotalBytes by file
| sort file # sort by file name

  6.20. Search: index=main sourcetype=access_combined_wcookie status=200
| stats sum(bytes) as TotalBytes by file
| sort TotalBytes # sort by bandwidth used

  6.21. Search: index=main sourcetype=db_audit
| stats avg(Duration) # average request time over all events

  6.22. Search: index=main sourcetype=db_audit
| stats avg(Duration) as "time to complete" by Command # rename avg(Duration) to "time to complete" and split by Command

  6.23. Search: index=main sourcetype=db_audit
| stats avg(Duration) as "time to complete" by Command
| sort -"time to complete" # sort

  6.24. Search: index=main sourcetype=access_combined_wcookie
| stats list(useragent) # build a list of the useragent values

  6.25. Search: index=main sourcetype=access_combined_wcookie | stats values(useragent) as "Agents used" # rename

  6.26. Search: index=main sourcetype=access_combined_wcookie | stats values(useragent) as "Agents used" count as "Times used" by useragent

  6.27. Search: index=main sourcetype=access_combined_wcookie | stats values(useragent) as "Agents used" count as "Times used" by useragent | table "Agents used", "Times used"

7. lab10 - Creating Reports and Dashboards

  7.1. Search: index=main sourcetype=access_combined_wcookie status=403

  7.2. Search: index=main sourcetype=access_combined_wcookie status=403
| stats count as attempts by clientip # rename and count

  7.3. Search: index=main sourcetype=access_combined_wcookie status=403
| stats count as attempts by clientip
| sort -attempts # sort

  7.4. Search: index=main sourcetype=access_combined_wcookie status=200 file=success.do

  7.5. Search: index=main sourcetype=access_combined_wcookie status=200 file=success.do
| stats count by productId
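To make clear what `stats count`, `dc(...)`, `sum(...)` and `sort -<field>` actually compute in lab9 (6.9, 6.15, 6.20) and lab10 (7.2, 7.3), here is an added Python re-implementation of those commands over five constructed access_combined_wcookie lines; it is not code from the course or the original post, and the sample lines, the field names and the helper names (`where`, `stats_by`, `dc`, `total`, `sort_desc`) are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the access_combined_wcookie layout (not the lab data set).
SAMPLE_LOG = """\
10.0.0.1 - - [10/Oct/2019:10:00:01 +0000] "GET /success.do?productId=WC-SH-G04 HTTP/1.1" 200 1250 "-" "Mozilla/5.0" "JSESSIONID=SD1SL1"
10.0.0.1 - - [10/Oct/2019:10:00:05 +0000] "GET /cart.do?productId=WC-SH-G04 HTTP/1.1" 200 800 "-" "Mozilla/5.0" "JSESSIONID=SD1SL1"
10.0.0.2 - - [10/Oct/2019:10:01:00 +0000] "GET /success.do?productId=DB-SG-G01 HTTP/1.1" 200 2000 "-" "curl/7.64" "JSESSIONID=SD2SL7"
10.0.0.1 - - [10/Oct/2019:10:02:00 +0000] "GET /success.do?productId=DB-SG-G01 HTTP/1.1" 200 1500 "-" "Mozilla/5.0" "JSESSIONID=SD3SL9"
10.0.0.2 - - [10/Oct/2019:10:03:00 +0000] "GET /admin.do HTTP/1.1" 403 300 "-" "curl/7.64" "JSESSIONID=SD2SL7"
"""

LINE_RE = re.compile(r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<uri>\S+) [^"]*" '
                     r'(?P<status>\d{3}) (?P<bytes>\d+) "[^"]*" "(?P<useragent>[^"]*)" '
                     r'"JSESSIONID=(?P<JSESSIONID>[^"]*)"$')

def parse_events(text):
    """Extract fields from raw lines; 'file' is the last path segment, as in the lab."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):  # non-matching lines are dropped
        ev = m.groupdict()
        ev["file"] = ev["uri"].split("?")[0].rsplit("/", 1)[-1]
        events.append(ev)
    return events

def where(events, **filters):
    """Base search: keep events matching every field=value pair (e.g. status=200)."""
    return [ev for ev in events if all(ev.get(k) == v for k, v in filters.items())]

def stats_by(events, by, aggregate):
    """`stats <aggregate> by <by>`: group on one field, apply the aggregate per group."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[by]].append(ev)
    return {key: aggregate(grp) for key, grp in groups.items()}

def dc(field):  # stats dc(field): distinct values only, duplicates removed
    return lambda grp: len({ev[field] for ev in grp})

def total(field):  # stats sum(field)
    return lambda grp: sum(int(ev[field]) for ev in grp)

def sort_desc(table):  # sort -<field>: largest aggregate first
    return sorted(table.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(stats_by(where(events, status="200"), "file", len))              # 6.9: stats count by file
    print(sort_desc(stats_by(events, "clientip", dc("JSESSIONID"))))       # 6.15: dc(JSESSIONID) by clientip | sort -Logins
    print(sort_desc(stats_by(where(events, status="403"), "clientip", len)))  # 7.3: attempts by clientip | sort -attempts
```

Note that `dc` counts each JSESSIONID once per clientip no matter how many lines it appears on, which is why 6.12 describes it as removing duplicates, whereas `len` (stats count) counts every line.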

8. lab11 - Using Pivot with Solutions

  8.1. Search: index=main sourcetype=access_combined_wcookie

9. lab12 - Creating Lookups with Solutions

  9.1. Search: | inputlookup products_lookup

  9.2. Search: index=main sourcetype=access_combined_wcookie file=success.do status=200

  9.3. Search: index=main sourcetype=access_combined_wcookie status=200 file=success.do
| lookup products_lookup productId as productId OUTPUT product_name as ProductName

  9.4. Search: index=main sourcetype=access_combined_wcookie status=200 file=success.do
| lookup products_lookup productId as productId OUTPUT product_name as ProductName
| stats count by ProductName

  9.5. Search: index=main sourcetype="access_combined_wcookie" file=success.do status=200 | stats sum(Price) as Revenue by ProductName

  9.6. Search: index=main sourcetype="access_combined_wcookie" file=success.do status=200 | stats sum(Price) as Revenue by ProductName | sort -Revenue

10. lab13 - Creating Alerts with Solutions

  10.1. Search: index=_audit action="login attempt" info=failed user=syntek # search for failed login events

Original article: https://www.cnblogs.com/fumy/p/11686612.html