Splunk Notes
Notes taken while studying the Splunk Fundamentals Part 2 (IOD) and Splunk Fundamentals Part 1 courses.
Chart
- over
- by
Tips:
- … | chart count over host by product_name usenull=f useother=f
- Only the first field after the by modifier takes effect
Timechart
- Time is always the X axis
- Only the first field after the by modifier takes effect
- span=12hr
- Use the limit option to include only the 5 best-selling products.
- Splunk automatically calculates the top products by totaling each column and taking the top n results (n being the number you specify in your limit).
- …|timechart count by product_name limit=0
Iplocation
- …|iplocation src_ip
Maps
- Marker maps
- Choropleth maps
Geostats
- … | geostats latfield=xx longfield=xx count
- latfield, longfield: the fields holding the latitude and longitude values
Geom
- index=sales sourcetype=vendor_sales VendorID < 3000 | chart count by VendorStateProvince | geom geo_us_states featureIdField=VendorStateProvince
Trendline
- wma2: weighted moving average (the number is the period, in buckets)
- sma: simple moving average
- ema: exponential moving average
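An added example (not from the course or these notes) that ties timechart and trendline together: the first search buckets purchases into 12-hour spans and keeps only the five top-selling products, the second reduces the result to a single series so the three moving averages can be overlaid on it. `index=web`, `sourcetype=access_combined` and `action=purchase` are assumed names; `product_name` is the field used in the notes above.

```spl
index=web sourcetype=access_combined action=purchase
| timechart span=12hr count by product_name limit=5 useother=f

index=web sourcetype=access_combined action=purchase
| timechart span=12hr count AS purchases
| trendline sma4(purchases) AS sma4 wma2(purchases) AS wma2 ema4(purchases) AS ema4
```

The digit after the trend type is the period (number of timechart buckets averaged). trendline smooths one numeric column at a time, which is why the second search drops the by clause; a split-by timechart would produce one column per product and no single series to trend.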
Addtotals
- col=true
- label="xx"
- labelfield="xx"
- fieldname=xx
- row=false
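An added example (not from the course or these notes) showing the addtotals options above on a chart that uses both over and by. `VendorCountry` and `price` are assumed field names; `index=sales`, `sourcetype=vendor_sales` and `product_name` come from the notes.

```spl
index=sales sourcetype=vendor_sales
| chart sum(price) over VendorCountry by product_name usenull=f useother=f limit=5
| addtotals row=true col=true fieldname=country_total labelfield=VendorCountry label="All countries"
```

row=true appends a `country_total` column holding the sum of each row; col=true appends a final row summing each product column, and labelfield/label put the text "All countries" into the VendorCountry cell of that row so it is not blank.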
Eval
- tostring formats values and changes their characteristics (the result is a string, not a number)
- If the destination field for the eval command already exists, it is overwritten by the new field defined in the eval command
Fieldformat
- Does not change the field's characteristics (display formatting only; the underlying value stays as it was)
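An added example (not from the course or these notes) that makes the eval versus fieldformat difference visible. Both searches display byte counts with thousands separators, but only the second one still sorts correctly. `index=web`, `sourcetype=access_combined`, `bytes` and `clientip` are assumed names.

```spl
index=web sourcetype=access_combined
| stats sum(bytes) AS total_bytes by clientip
| eval total_bytes=tostring(total_bytes, "commas")
| sort -total_bytes

index=web sourcetype=access_combined
| stats sum(bytes) AS total_bytes by clientip
| fieldformat total_bytes=tostring(total_bytes, "commas")
| sort -total_bytes
```

In the first search eval has turned total_bytes into a string, so the sort is lexical and "9,999" lands above "10,000,000". In the second, fieldformat only changes how the value is rendered; total_bytes is still numeric and the sort is by size. The same trap applies to any later stats or where on the formatted field.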
Search
- index=security sourcetype=linux_secure fail* |stats count by user|search count>3 |sort -count
- Cannot call functions; where covers more scenarios
Where
- index=network sourcetype=cisco_wsa_squid |stats count by http_content_type |eval type=if(http_content_type LIKE "image%","graphic","other")
- No results are found because the search command cannot compare values from two different fields. (As you saw earlier, the where command can do this.)
- … | where a>2 AND b>4
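An added example (not from the course or these notes) of the field-to-field comparison described above. The first search returns nothing because the search command reads `bytes_in` as a literal string; the second uses where, which evaluates both sides as fields and can also call functions. `sc_bytes` and `cs_bytes` are assumed field names for the two traffic directions; `index=network`, `sourcetype=cisco_wsa_squid` and `src_ip` come from the notes.

```spl
index=network sourcetype=cisco_wsa_squid
| stats sum(sc_bytes) AS bytes_out sum(cs_bytes) AS bytes_in by src_ip
| search bytes_out > bytes_in

index=network sourcetype=cisco_wsa_squid
| stats sum(sc_bytes) AS bytes_out sum(cs_bytes) AS bytes_in by src_ip
| where bytes_out > bytes_in * 2 AND isnotnull(bytes_in)
| sort -bytes_out
```

Rule of thumb from the notes: search is for literal field=value filtering (it is fast and happy with wildcards), where is for anything that involves two fields, arithmetic, or an eval function.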
Lookup
Transaction
- endswith
- startswith
- The search command must be downstream from the transaction command.
- duration
- eventcount
- maxspan
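An added example (not from the course or these notes) that uses every transaction option listed above and then filters on the fields transaction creates. `index=web`, `sourcetype=access_combined`, `JSESSIONID` and the `action` values are assumed names.

```spl
index=web sourcetype=access_combined
| transaction JSESSIONID startswith="action=addtocart" endswith="action=purchase" maxspan=30m
| search eventcount>3 duration>600
| table JSESSIONID duration eventcount
```

duration (seconds between the first and last event) and eventcount exist only after transaction has run, which is what the note about search being downstream means: put `search eventcount>3` before transaction and it matches nothing. maxspan=30m drops sessions that took longer than 30 minutes from first to last event.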
Name conventions
- Group
- Type
- Platform
- Category
- Time
- Description
Tips:
- OPS_WFA_Network_Security_na_IPwhoisAction
- It is suggested that you name your Knowledge Objects using six segmented keys joined with underscores.
Field Extractor (FX)
Extract your own fields
Access FX via Settings, Fields Sidebar, or Event Action menu
Extraction Methods
- Regex
- Delimiter
Field Aliases
- A way to normalize data
- Support multiple aliases
- Applied after field extractions, before lookups
- Can be applied to lookups
Calculated Fields
- A calculated field must be based on an extracted or discovered field, not on a lookup table or search
Tags
- Nicknames for related field/value pairs
- One or more tags for any field/value pair
- Case sensitive
Search syntax
- tag=tagname
- tag::field=tagname
- tag=p* (partial tag value)
Event Types
- Categorize events based on a search
- Tagged to group similar types of event
- No time range
- Can be included in a search string
Macro
- Store entire search strings
- Time range independent
- Pass arguments to the search
- Expand the search: Ctrl+Shift+E
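An added example (not from the course or these notes) that combines the tag, event type and macro syntax from the three sections above in one search. It assumes an event type `failed_login`, a tag `failure` applied to the `action` field, a field `src`, and a hypothetical macro `failure_threshold(1)` defined as `where count > $threshold$`; `index=security`, `sourcetype=linux_secure` and `user` come from the notes.

```spl
index=security sourcetype=linux_secure eventtype=failed_login tag::action=failure
| stats count by user, src
| `failure_threshold(3)`
| sort -count
```

eventtype=… and tag::field=… are ordinary search-time fields, so they sit in the base search alongside index and sourcetype. The macro is invoked in backticks with its argument in parentheses; pressing Ctrl+Shift+E in the search bar expands it in place so you can see the where clause it contributes. Because event types carry no time range, the time picker still decides what the search covers.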
Workflow actions
- GET workflow action
- POST workflow action
- Search workflow action
Knowledge Object
Data Models
Data models are structured datasets
3 types of dataset
- Events
- Searches
- Transactions
Acceleration
Events Dataset
- Constraints
- Fields
Dataset field
Auto-extracted
Field type
- String
- Number
- Boolean
- IPV4
Field flags
- Optional
- Required
- Hidden
- Hidden & required
Eval expression
Lookup
Regular expression
Geo ip
Pivot
- Used for creating reports and dashboards, which are based on dataset
CIM Add-on (Common Information Model)
- Normalize data
- Easier data correlation
- Object permission
Datamodel command
- |datamodel Web Web search |fields web*