Splunk Fundamentals 1 Lab Exercises

Author: 郭耀华
Published 2019-10-23 15:11:29
Column: 郭耀华's Blog

I changed jobs and joined a new company, and the first task my manager gave me was to go to the Splunk website and learn from the training videos. The following are some notes I took.

Splunk website login URL: https://www.splunk.com/page/sign_up

1. Lab 3

  1.1 Download the installation package directly from the official site, place it under the /opt directory and extract it.

  1.2 Start Splunk: change into Splunk's bin directory and run sudo ./splunk start --accept-license (two ASCII hyphens before accept-license).

2. Lab 4 - Ingesting data

  2.1 Download the data file: http://splk.it/f1data

  2.2 Upload the three files acc, db_audit and linux one after another.

3. Lab 5 - Searching

  3.1 Search: error OR fail*

  3.2 Search: fail* AND password "port 22"

  3.3 In the "Job" menu, change the read/write permissions to Everyone and the lifetime to 7 days.

4. Lab 6 - Using fields in searches

  4.1 Search over All time: index=main sourcetype=access_combined_wcookie action=purchase

5. Lab 8 - Basic commands

  5.1 Search: host=web_application action=purchase status=200

  5.2 Search: host=web_application action=purchase status=200 file=success.do

  5.3 Search: host=web_application action=purchase status=200 file=success.do | fields action,JSESSIONID,status

  5.4 Search: host=web_application action=purchase status=200 file=success.do | table JSESSIONID,action,status

  5.5 Search: host=web_application action=purchase status=200 file=success.do | table JSESSIONID,action,status | rename JSESSIONID AS "user sessions"

  5.6 Search: host=web_application action=purchase status=200 file=success.do | table JSESSIONID,action,status | rename JSESSIONID AS "user sessions" | sort "user sessions"

  5.7 Search: host=web_application action=purchase status=200 file=success.do | table JSESSIONID action status | rename JSESSIONID AS "user sessions" | dedup "user sessions"

  5.8 Search: host=web_application action=purchase status=200 file=success.do | table JSESSIONID | rename JSESSIONID AS "user sessions" | dedup "user sessions"

  5.9 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200

  5.10 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do

  5.11 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | fields action JSESSIONID status

  5.12 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | table action JSESSIONID status

  5.13 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | table JSESSIONID, action, status

  5.14 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | table JSESSIONID, action, status | rename JSESSIONID as UserSessions

  5.15 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | table JSESSIONID, action, status | rename JSESSIONID as UserSessions | sort UserSessions

  5.16 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | dedup JSESSIONID | table JSESSIONID, action, status | rename JSESSIONID as UserSessions

  5.17 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | dedup JSESSIONID | table JSESSIONID | rename JSESSIONID as UserSessions

6. Lab 9 - Transforming commands

  6.1 Search: index=main sourcetype=access_combined_wcookie file=success.do

  6.2 Search: index=main sourcetype=access_combined_wcookie action=purchase file=success.do | top productId

  6.3 Search: index=main sourcetype=access_combined_wcookie action=purchase file=success.do | top productId limit=5

  6.4 Search: index=main sourcetype=access_combined_wcookie file=success.do | top productId limit=5 showperc=false

  6.5 Search: index=main sourcetype=access_combined_wcookie status=200

  6.6 Search: index=main sourcetype=access_combined_wcookie status=200 | rare file
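To make concrete what the Lab 8 and Lab 9 searches above compute (field filtering, dedup on JSESSIONID, top productId with and without percentages, rare file), here is an added Python re-implementation of those commands run over a few constructed access_combined_wcookie events. It is not code from these notes or from Splunk; the sample log lines, the field-extraction regex and the function names (parse_log, search, dedup, top, rare) are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit
# Constructed sample events in access_combined_wcookie layout (combined log + response time + cookie); not the lab's f1data set.
SAMPLE_LOG = """\
10.0.0.1 - - [21/Oct/2019:10:00:01 +0000] "GET /cart.do?action=addtocart&productId=WC-SH-G04 HTTP/1.1" 200 3322 "http://shop.example/" "Mozilla/5.0" 210 "JSESSIONID=SD5SL8FF10ADFF4958"
10.0.0.1 - - [21/Oct/2019:10:00:02 +0000] "POST /success.do?action=purchase&productId=WC-SH-G04 HTTP/1.1" 200 1201 "http://shop.example/cart.do" "Mozilla/5.0" 95 "JSESSIONID=SD5SL8FF10ADFF4958"
10.0.0.2 - - [21/Oct/2019:10:01:10 +0000] "POST /success.do?action=purchase&productId=WC-SH-G04 HTTP/1.1" 200 1187 "http://shop.example/cart.do" "Mozilla/5.0" 88 "JSESSIONID=SD0SL1FF7ADFF53101"
10.0.0.3 - - [21/Oct/2019:10:02:30 +0000] "POST /success.do?action=purchase&productId=WC-SH-G04 HTTP/1.1" 503 0 "http://shop.example/cart.do" "Mozilla/5.0" 1502 "JSESSIONID=SD9SL3FF2ADFF7420"
10.0.0.2 - - [21/Oct/2019:10:03:00 +0000] "POST /success.do?action=purchase&productId=DB-SG-G01 HTTP/1.1" 200 1187 "http://shop.example/cart.do" "Mozilla/5.0" 90 "JSESSIONID=SD0SL1FF7ADFF53101"
"""
LINE_RE = re.compile(r'^(?P<clientip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
                     r'(?P<status>\d+) \S+ "[^"]*" "[^"]*" \d+ "(?P<cookie>[^"]*)"$')

def parse_event(line):
    # Extract the fields the lab searches use: file, action, productId, JSESSIONID, status
    m = LINE_RE.match(line)
    if not m:
        return None  # an unparseable line is dropped, never half-extracted
    ev = m.groupdict()
    parts = urlsplit(ev["uri"])
    ev["file"] = parts.path.rsplit("/", 1)[-1]                      # /success.do -> success.do
    ev.update({k: v[0] for k, v in parse_qs(parts.query).items()})  # action=, productId=
    cookie = re.search(r"JSESSIONID=([^;\s]+)", ev["cookie"])
    if cookie:
        ev["JSESSIONID"] = cookie.group(1)
    return ev

def parse_log(text):
    return [ev for ev in map(parse_event, text.splitlines()) if ev]

def search(events, **terms):
    # field=value terms are ANDed, like the base searches in the notes
    return [ev for ev in events if all(ev.get(k) == v for k, v in terms.items())]

def dedup(events, field):
    seen = {}  # insertion-ordered: keeps the first event per distinct value, drops events lacking the field
    for ev in events:
        if field in ev:
            seen.setdefault(ev[field], ev)
    return list(seen.values())

def top(events, field, limit=10, showperc=True):
    """Most frequent values; percent is computed over the events that carry the field."""
    counts = Counter(ev[field] for ev in events if field in ev)
    total = sum(counts.values())
    rows = [(v, c, round(100 * c / total, 2)) for v, c in counts.most_common(limit)]
    return rows if showperc else [(v, c) for v, c, _ in rows]

def rare(events, field, limit=10):
    counts = Counter(ev[field] for ev in events if field in ev)
    return sorted(counts.items(), key=lambda kv: kv[1])[:limit]  # least frequent first
```

Running search(parse_log(SAMPLE_LOG), action="purchase", status="200", file="success.do") followed by dedup(..., "JSESSIONID") reproduces what search 5.16 returns for these five events, and top/rare reproduce 6.2 to 6.6.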

This article takes part in the Tencent Cloud self-media sharing programme and is shared from the author's personal site/blog.
Originally published: 2019-10-21
