当前位置：网站首页>Log analysis tool (Splunk)

Log analysis tool (Splunk)

2022-07-28 03:28:00 【Colorful @ star】

Splunk Tool learning （ download 、 install 、 Easy to use 、 The core concept ）

Catalog

What is? Splunk？
- Introduce
- Splunk Application scenarios of
Splunk Download and install
- docker install （ recommend ）
- Manual installation
Splunk Easy to use
- Sign in
- Search for
Learn more about Splunk
Reference resources

What is? Splunk？

Introduce

splunk A scalable and reliable data platform , be used for survey 、 monitor 、 Analysis and processing Your data , Accelerate innovation while ensuring Security and system resilience , Free up resources to discover opportunities in data and Provide innovation , Even in the face of unpredictability . As the complexity and scope of attacks continue to expand , Ensuring a strong security posture is increasingly challenging .Splunk Enable customers to achieve their Safe operation Modernization of , Mixing 、 More powerful in a cloudy environment 、 Unified security posture . The result is ： More efficient 、 More agile security operations center (SOC) Support business growth . As the proportion of businesses conducted digitally continues to soar , System elasticity Has become the key to business elasticity . With the help of Splunk, Customers can see all layers of their technology stack in real time （ From the underlying infrastructure to end-user applications ） Health and performance , This enables you to optimize performance by proactively identifying problems and driving rapid resolution . While customers manage their systems at the speed of digital business , Reduced expenses and increased profits .

Splunk Application scenarios of

By function

Security ： Give enterprises the ability to innovate , And limit the risk
IT operating ： From business to transformation
DevOps Development and operation ： Accelerate the delivery of a superior user experience

By industry

Aerospace and national defense ： Accelerate innovation and reduce security risks , To ensure continued mission success .
signal communication ： Turn data into action through intelligent analysis and clear analysis results .
Energy and Utilities ： take IT and OT Connect with the environment , And maintain good infrastructure operation and security situation .
financial service ： Transform... Through data analysis IT、 Security and business operations .
Medical care ： Support telemedicine and remote diagnosis , Protect patient privacy and improve the security of medical devices .
manufacturing ： Within a single platform IT and OT data , Monitor your supply chain , Anticipate maintenance needs and accomplish more tasks with fewer resources .

Splunk Download and install

The main thing we learn is Splunk Enterprise.

docker install （ recommend ）

Image download

docker pull splunk/splunk:8.2.4

 
  
 
  
   1

Insert picture description here

Create and run the container

docker run -d -p 8000:8000 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=<password>" --name splunk splunk/splunk:8.2.4

 
  
 
  
   1

Insert picture description here

Manual installation

Science and the Internet , Using the United States ip visit splunk Official website or splunk Chinese net （ otherwise , Unable to register account ）
Click on Free Splunk Or free trial splunk
Insert picture description here

Registered account , Sign in
Choose according to your operating system , The old version can be viewed Old releases

After clicking , Browser download , There are also command line downloads , for example

linux Command line

wget -O splunk-8.2.4-87e2dda940d1-Linux-x86_64.tgz 'https://download.splunk.com/products/splunk/releases/8.2.4/linux/splunk-8.2.4-87e2dda940d1-Linux-x86_64.tgz'

 
  
 
  
   1

mac Command line

wget -O splunk-8.2.4-87e2dda940d1-macosx-10.11-intel.dmg 'https://download.splunk.com/products/splunk/releases/8.2.4/osx/splunk-8.2.4-87e2dda940d1-macosx-10.11-intel.dmg'

 
  
 
  
   1

Splunk Easy to use

Sign in

visit ：http://ip:8000 Insert picture description here

Search for

Click on the search , Try using the search function

index="_internal"  source="/opt/splunk/var/log/splunk/metrics.log"

 
  
 
  
   1

Insert picture description here

Learn more about Splunk

Splunk The concept of

Indexes- Indexes

When adding data ,Splunk Will parse the data into events , extract Time stamp , Save to disk index , The default is to save to “main” Index , You can build your own index , When searching, you will search from one or more indexes .

Events- event

Data with time stamp , Such as documents 、 The configuration file , Error message , for example , One Web Related events ：

173.26.34.223 - - [01/ Mar/2021:12:05:27 -0700] “GET /trade/ app?action=logout HTTP/1.1” 200 2953

maven Tools and installation methods

zip

0 star exceed 10% Resources for 8.69MB

download

Index-time Index time 、Search-time Search time

Index time refers to the time when data is read from the host , Classified as a data source , Extract timestamp , Resolved as an event , The process of writing to the index of the disk .
Search time refers to the process of searching events from the index on disk and extracting fields from events .

Metrics- indicators

An indicator data point contains a timestamp and one or more measurements . for example

Timestamp: 08-05-2020 16:26:42.025
-0700
Measurement: metric_name:os.cpu.
user=42.12, metric_name:max.size.
kb=345
Dimensions: hq=us-west-1,

host- The host and source- resources

host Is the name of the physical or virtual device ,source It could be a directory 、 file 、 Data flow ,source-type It can be an identifier such as a protocol . In the previous search results splunkd Is refers to xxx.log Is from splunk Server side .

Fields- Field

fields It's the key value pair , Not all events have the same fields .Splunk It will extract the fields according to your search statement when returning the results , You can also use the field extractor to extract fields through regularization, etc , This is the Elastic Search A difference of .

Tags- label

You can assign labels to a field or set of fields , To search for events that contain specific fields .

Core features

Search- Search for

Search is the main way for users to get the data they want , You can use search statements that calculate metrics to retrieve events and save the search as a report , Visualization via dashboard . therefore , Learn from good examples SPL Well ！！！

Reports- The report

Reports are saved searches , It can be executed 、 Execute periodically to generate alerts . Reports can be added to the dashboard .

Dashboards- The dashboard

The instrument panel consists of a panel , It contains a search box 、 Field and data visualization modules . Dashboards are usually connected to reports . They can show the results of completed searches , And data from real-time search .

Alerts- alert

When the conditions are met, the alarm will be triggered , Alerts can be triggered by historical search or fact search , Alerts can be sent to you by email and other means .

matlab Crack tutorial

docx

0 star exceed 10% Resources for 3.61MB

download

Here are other features

Datasets- Data sets

You can create and manage different types of data sets , Such as data model 、 Table dataset （Table Datasets）,

Data Model- Data model

Table Datasets- Table dataset

Table dataset 、 Carefully planned event data collection , Can pass Table Views To define and manage powerful table datasets ,Table Views yes SPL And visual user interface translation tools , You don't need to know SPL Can use .

Apps- application

Application is configuration 、 A collection of dashboards, etc , The application extends Splunk, Can be created as a network security officer 、 Application that enterprise administrators provide services .

Distributed Search- Distributed search

Separate the search and presentation layers , Cluster is used for distributed search , Improve performance and scalability .

System components

Forwarders- Transponder

Forward data to another Splunk Example of Splunk The instance is called a repeater .

Indexer- Indexer

The indexer converts raw data into events , And store the event in the index . The indexer also searches the index data according to the search request . The search peer is the indexer , Used to satisfy requests from search headers .

Search Head- Search header

In a distributed search environment , A search header is a header that directs a search request to a set of search peers Splunk example , Merge the results back to the user . If the instance is searched without indexing , It is often called a dedicated search header .