Splunk Cheat Sheet
Revision as of 16:35, 20 March 2023
Administration
Paths
- All config specs:
ls /opt/splunk/etc/system/README
- Default conf (never edit: it is replaced on upgrade, overrides belong in local)
ls /opt/splunk/etc/system/default
- Local conf
ls /opt/splunk/etc/system/local
btool
- Check syntax (validates the conf files against the .spec files)
./splunk btool check
- List server.conf / general
./splunk btool server list general
or server.conf / sslConfig
./splunk btool server list sslConfig
- See where changes come from
./splunk btool server list general --debug
- Show the script stanzas from inputs.conf
./splunk btool inputs list script
- and see where each setting comes from
./splunk btool inputs list script --debug
- Or monitor
./splunk btool inputs list monitor
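The paths and btool commands above come down to one idea: the same stanza/key can be set in several files and the highest-precedence file wins, which is what `btool ... --debug` reveals. The Python below is an added illustration for this cheat sheet, not Splunk's own code: it merges constructed conf layers in an assumed (simplified) precedence order, reports the source of every effective setting the way `btool --debug` does, and flags a risky value (allowRemoteLogin = always) that was introduced outside etc/system/default. Real precedence depends on the context (global vs. app/user), so confirm it with btool on the instance.

```python
"""Conf-file layering with provenance: a small model of what
`splunk btool <conf> list <stanza> --debug` prints (which file each
effective setting comes from).

Added example, not Splunk's own code. The order of LAYERS is an assumption
(a simplified global-context order); check the real one with btool.
"""
import configparser
from typing import Dict, List, Tuple

# Constructed sample layers, listed from LOWEST to HIGHEST precedence.
# Assumed order: system/default < app local < system/local.
LAYERS: List[Tuple[str, str]] = [
    ("etc/system/default/server.conf", """
[general]
serverName = $HOSTNAME
allowRemoteLogin = requireSetPassword

[sslConfig]
sslVersions = tls1.2
"""),
    ("etc/apps/search/local/server.conf", """
[general]
allowRemoteLogin = always
"""),
    ("etc/system/local/server.conf", """
[general]
serverName = splunk01
"""),
]

# stanza -> key -> (effective value, file it came from)
Effective = Dict[str, Dict[str, Tuple[str, str]]]


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk-style conf text: keys keep their case, '$' and '%' stay
    literal (no interpolation), duplicate keys do not raise."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def effective_config(layers: List[Tuple[str, str]]) -> Effective:
    """Merge layers in order; a higher-precedence layer overrides the same
    stanza/key and becomes the recorded source of that value."""
    merged: Effective = {}
    for source, text in layers:
        cp = parse_conf(text)
        for stanza in cp.sections():
            target = merged.setdefault(stanza, {})
            for key, value in cp.items(stanza):
                target[key] = (value, source)
    return merged


def btool_debug(layers: List[Tuple[str, str]], stanza: str) -> List[str]:
    """Render one stanza the way `btool ... list <stanza> --debug` does:
    source file first, then key = value."""
    eff = effective_config(layers).get(stanza, {})
    return [f"{source}  {key} = {value}"
            for key, (value, source) in sorted(eff.items())]


def overrides_of(layers: List[Tuple[str, str]], stanza: str, key: str) -> List[Tuple[str, str]]:
    """Every layer that sets stanza/key, lowest precedence first; more than
    one entry means the setting is overridden somewhere."""
    history = []
    for source, text in layers:
        cp = parse_conf(text)
        if cp.has_option(stanza, key):
            history.append((source, cp.get(stanza, key)))
    return history


# Values worth a second look when a non-default layer sets them
# (assumed list for the example).
RISKY = {("general", "allowRemoteLogin"): "always"}


def risky_overrides(layers: List[Tuple[str, str]]) -> List[str]:
    """Report risky values that were introduced outside etc/system/default."""
    findings = []
    eff = effective_config(layers)
    for (stanza, key), bad in RISKY.items():
        value, source = eff.get(stanza, {}).get(key, (None, None))
        if value == bad and source and not source.startswith("etc/system/default"):
            findings.append(f"{stanza}/{key} = {value} set in {source}")
    return findings


if __name__ == "__main__":
    for line in btool_debug(LAYERS, "general"):
        print(line)
    print(overrides_of(LAYERS, "general", "serverName"))
    print(risky_overrides(LAYERS))
```

Running it prints the merged [general] stanza with the file each value came from, the override history of serverName, and the one finding: allowRemoteLogin = always set in an app's local directory.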
Server Commands
- Show running server.conf
./splunk show config server
or inputs.conf
./splunk show config inputs
- Set/Show the server name
./splunk set servername splunk##
./splunk show servername
- Set/Show the default host name
./splunk set default-hostname splunk##
./splunk show default-hostname
- Add a test index to the search app
./splunk add index test -app search
- Add a receiving port to the search app
./splunk enable listen 9997 -app search
- Force a configuration reload from Splunk Web (needs an admin session; reloads most conf files without a restart)
https://domain.com:8000/debug/refresh
Config Tracker (Splunk9+)
index=_configtracker
index=_configtracker server.conf serverName
Each event records the changed file, stanza, key and the old and new value, so this index is the first place to look when a setting changed and nobody owns up to it.
Diag
- Diag selections
These switches select which categories of information should be collected. The current components available are: index_files, index_listing, dispatch, etc, log, searchpeers, consensus, conf_replication_summary, suppression_listing, rest, kvstore, file_validate, profiler
- Sample
./splunk diag --collect=index_files,etc
Splunk Configuration
server.conf
- Allow remote login when using the free license
[general]
allowRemoteLogin = always
Caveat: the default, requireSetPassword, refuses remote logins while the admin password is still the factory default; "always" removes that guard, so only set it once the password has been changed (and keep in mind that Splunk Free has no authentication at all).
- Stop Splunk Web from contacting splunk.com for app and update checks
[applicationsManagement]
allowInternetAccess = false
inputs.conf
- Set the sourcetype on the forwarder machines (this inputs.conf goes on the universal forwarder)
[monitor://d:\internetbackend\log\splunk\fapi*]
sourcetype = flightapi
disabled = 0

[monitor://d:\internetbackend\log\splunk\ibe*]
sourcetype = internetbackend
disabled = 0

[monitor://d:\internetbackend\log\splunk\mnt*]
sourcetype = maintenance
disabled = 0

[monitor://d:\internetbackend\log\splunk\wfe*]
sourcetype = webfares
disabled = 0

[monitor://d:\internetbackend\log\splunk\fq*]
sourcetype = farequote
disabled = 0

[monitor://c:\hitchhiker\log\splunk\pg*]
sourcetype = paymentgate
disabled = 0
indexes.conf
- /opt/splunk/etc/apps/search/local
[security]
coldPath = $SPLUNK_DB/security/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/security/db
maxTotalDataSizeMB = 1024
thawedPath = $SPLUNK_DB/security/thaweddb
Note: enableDataIntegrityControl = 1 makes Splunk hash each bucket's data so later tampering can be detected (splunk check-integrity); leave it at 0 only if that evidence is not needed for this index.
inputs.conf
- Server (receiving indexer)
[splunktcp://9997]
queueSize = 2MB
disabled = 0
Plain splunktcp is unencrypted; for forwarder traffic over untrusted networks use a [splunktcp-ssl://9997] stanza together with an [SSL] stanza that carries the server certificate.
Searching
Timechart
M=CB PCC=SYDXXX | timechart max(DTM) as CRSMessages span=30s
Sparkline
M=CB | stats sparkline max(DTM) as Messages by PCC
Lookups
Lookups are used to normalize data, currently there are lookups defined for:
| inputlookup airports
| inputlookup airlines
| inputlookup errors
| inputlookup pcc
- Sample Lookup Query, Show the top bookings and show the carrier name
M=BOI earliest=-1d latest=now | stats count(AIR) as Amount by AIR | sort 20 -Amount | lookup airlines Code as AIR OUTPUT Hint | rename Hint as Carrier | fields Carrier, Amount
- Sample Lookup Query, Show the top PCCs and show the customer name
M=FAPI CMD=GetFares | top PCC showperc=f | lookup pcc PCC as PCC OUTPUT Owner,CRSName | rename Owner as Customer | fields Customer, count
Advanced Search Samples
Regex Samples
String to search:
Feb 13 14:07:02 10.0.3.30 Feb 13 14:07:02 mail mimedefang.pl[10780]: MDLOG,s1DD71da017590,mail_in,,,<support@domain.com>,<support@domain.com>,Warning Message
Regex to extract the message id:
explorer mimedefang.pl | rex field=_raw "MDLOG,(?<MSGID>[^,]+),mail" | top 100 MSGID,_time | fields _time, MSGID
String to search:
Feb 13 13:59:57 10.0.3.6 Feb 13 13:59:57 neptun vsftpd[8973]: [keytravel] FTP response: Client "194.74.154.185", "226 Transfer complete."
Regex to extract the login:
host="10.0.3.6" ": [*]" FTP | rex field=_raw "\]: \[(?<Login>[^\]]+)\]" | top Login
String to search:
Mar 5 15:07:10 10.0.3.30 Mar 5 15:07:10 mail sm-mta[15042]: s25E727n015042: Milter add: header: X-Spam-Status: Yes, score=21.8 required=5.0 tests=BAYES_99,GEO_MAIL_SEARCH,\n \tHELO_DYNAMIC_IPADDR,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,\n\tRCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_PSBL,RCVD_IN_RP_RNBL, \n\tRCVD_IN_SORBS_DUL,RCVD_IN_XBL,RDNS_DYNAMIC,SPF_NEUTRAL,URIBL_DBL_SPAM,\n\tURIBL_WS_SURBL
Regex to extract the message id:
host="10.0.3.30" "X-Spam-Status: Yes" | rex field=_raw "]: (?<MSGID>.*): Milter" | top MSGID
String to search:
M=FEEDEDF OAD=142 TOTFLIGHTFILES=71 TOTALOMAFILES=71 TOTNBRFLIGHTS=4406 TOTNBRALOMAS=6066 TOTKEYS=10614 SIZETOT=8839080 DURATION=13 TTL=432000 INFO=0 Host=VM-XC01 Job=hhh_edf_NL_2018-11-19-1349-1-90-RT.csv Code=HHH-FR-01
Regex to extract the date range (1-90):
M=FEEDEDF | rex field=_raw "Job=hhh_edf_\w+-\d+-\d+-\d+-(?<STR>.*\d*-\d*)-RT" | top STR
Regex to expand date to day, month and year, sample:
DATE=2020-01-01 ....
Regex
rex field=DATE "(?<Year>[^\-]+)\-(?<Month>[^\-]+)\-(?<Day>[^\-]+)"
Then aggregate by
stats sum(...) as Something by Month Year
Sample:
Oct 31 12:14:39 192.168.100.1 %ASA-4-106023: Deny tcp src outside:185.176.27.178/46086 dst inside:192.168.100.237/12834 by access-group "static_outside" [0x0, 0x0]
Regex:
host="192.168.100.1" | rex field=_raw "Deny tcp src outside:(?<SRC>[^\/]+).*dst inside:(?<DST>[^\/]+)\/(?<PORT>[^\s+]+)" | top SRC,DST,PORT
Sample:
Jun 3 15:29:32 192.168.100.1 %ASA-6-302013: Built inbound TCP connection 2154199512 for outside:212.19.51.190/64499 (212.19.51.190/64499) to inside:192.168.100.240/443 (146.0.228.21/443)
Regex to get a table of SRC,DST and Port
host="192.168.100.1" Built inbound TCP connection * | rex field=_raw "for outside:(?<SRC>[^\/]+)" | rex field=_raw "to inside:(?<DST>[^\/]+)\/(?<PORT>[^\s+]+)" | top 500 SRC,DST,PORT
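The rex samples above all do the same job: pull named fields out of a raw line and count the combinations with top. The Python below is an added example for this cheat sheet, not code from the page or from Splunk: it re-implements those extractions offline so the result of `rex ... | top` can be checked without an instance. Python spells named groups (?P<name>...) where rex uses (?<name>...), and the captures are tightened to negated character classes so a greedy .* cannot overreach on a longer line. The input is the page's own sample lines (one X-Spam-Status line shortened) plus two constructed duplicates so that top has something to count.

```python
"""Field extraction with the page's rex patterns, re-implemented offline.

Added example, not from the page or from Splunk. Sample lines are the page's
(one shortened) plus constructed duplicates, marked below.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

# One pattern per event shape; the first one that matches wins.
PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("asa_deny", re.compile(
        r"Deny tcp src outside:(?P<SRC>[^/]+)/\d+ dst inside:(?P<DST>[^/]+)/(?P<PORT>\d+)")),
    ("asa_built", re.compile(
        r"Built inbound TCP connection \d+ for outside:(?P<SRC>[^/]+)/\d+ .*? to inside:(?P<DST>[^/]+)/(?P<PORT>\d+)")),
    ("mimedefang", re.compile(r"MDLOG,(?P<MSGID>[^,]+),mail")),
    ("vsftpd", re.compile(r"vsftpd\[\d+\]: \[(?P<Login>[^\]]+)\]")),
    ("milter", re.compile(r"\]: (?P<MSGID>[^:]+): Milter")),
]

SAMPLE_LINES = [
    'Oct 31 12:14:39 192.168.100.1 %ASA-4-106023: Deny tcp src outside:185.176.27.178/46086 dst inside:192.168.100.237/12834 by access-group "static_outside" [0x0, 0x0]',
    # constructed: same source and target, new source port
    'Oct 31 12:14:41 192.168.100.1 %ASA-4-106023: Deny tcp src outside:185.176.27.178/46090 dst inside:192.168.100.237/12834 by access-group "static_outside" [0x0, 0x0]',
    'Jun 3 15:29:32 192.168.100.1 %ASA-6-302013: Built inbound TCP connection 2154199512 for outside:212.19.51.190/64499 (212.19.51.190/64499) to inside:192.168.100.240/443 (146.0.228.21/443)',
    'Feb 13 14:07:02 10.0.3.30 Feb 13 14:07:02 mail mimedefang.pl[10780]: MDLOG,s1DD71da017590,mail_in,,,<support@domain.com>,<support@domain.com>,Warning Message',
    'Feb 13 13:59:57 10.0.3.6 Feb 13 13:59:57 neptun vsftpd[8973]: [keytravel] FTP response: Client "194.74.154.185", "226 Transfer complete."',
    # page sample, tests list shortened
    'Mar 5 15:07:10 10.0.3.30 Mar 5 15:07:10 mail sm-mta[15042]: s25E727n015042: Milter add: header: X-Spam-Status: Yes, score=21.8 required=5.0 tests=BAYES_99',
    # constructed: a ham message from the same MTA
    'Mar 5 15:07:11 10.0.3.30 Mar 5 15:07:11 mail sm-mta[15043]: s25E727n015043: Milter add: header: X-Spam-Status: No, score=0.1 required=5.0 tests=NONE',
]


def extract(line: str) -> Optional[Dict[str, str]]:
    """Equivalent of `rex field=_raw`: return the named captures of the first
    matching pattern (plus the event shape), or None if nothing matches."""
    for name, pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            fields = {"event": name}
            fields.update(match.groupdict())
            return fields
    return None


def extract_all(lines: Sequence[str]) -> List[Dict[str, str]]:
    """Drop lines that yield no fields, like a search that matched nothing."""
    return [fields for fields in map(extract, lines) if fields]


def top(records: Sequence[Dict[str, str]], fields: Tuple[str, ...],
        limit: int = 10) -> List[Tuple[Tuple[str, ...], int]]:
    """Equivalent of `top <fields>`: count distinct value tuples over the
    records that carry all the requested fields, most common first."""
    counts = Counter(tuple(rec[f] for f in fields)
                     for rec in records if all(f in rec for f in fields))
    return counts.most_common(limit)


if __name__ == "__main__":
    records = extract_all(SAMPLE_LINES)
    for values, count in top(records, ("SRC", "DST", "PORT")):
        print(count, *values)
    for values, count in top(records, ("MSGID",)):
        print(count, *values)
```

The ASA table comes out with the repeated deny on top, which is the same view the `top SRC,DST,PORT` search gives; swap in your own exported lines to test a pattern before putting it in a saved search.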
Lookahead Sample
Record(s) to look ahead and group: the two events below share the message id s25EYHtn016074, which is a key=value field on the spamd line but has to be extracted with rex on the sm-mta line
Mar 5 15:34:20 10.0.3.30 Mar 5 15:34:20 spamd child[6707]: GSCORE=0 COU=ES ASN=AS12357 IP=77.230.132.146 MFROM=ibe@elegancejewelrydesigns.com MTO=ibe@hitchhiker.com MSGID=s25EYHtn016074 HELO=static-146-132-230-77.ipcom.comunitel.net IPN=1306952850 LAT=40.0000 LON=-4.0000 CTY=0
Mar 5 15:34:24 10.0.3.30 Mar 5 15:34:24 mail sm-mta[16074]: s25EYHtn016074: Milter add: header: X-Spam-Status: Yes, score=23.4 required=3.0 tests=BAYES_99,CK_HELO_GENERIC,\n\tGEO_MAIL_SEARCH,HELO_DYNAMIC_IPADDR,HTML_MESSAGE,MIME_HTML_ONLY,\n\tRAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,\n\tRCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PSBL,RCVD_IN_SORBS_WEB,\n\tRCVD_IN_XBL,SPF_NEUTRAL,URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,\n\tURIBL_WS_SURBL autolearn=spam version=3.3.1
Query:
earliest=-1d latest=now host="10.0.3.30" "X-Spam-Status: Yes" OR GSCORE | rex field=_raw "]: (?<MSGID>.*): Milter" | transaction MSGID | search "X-Spam-Status: Yes" | top MFROM
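What the lookahead query does is a join on MSGID across two event shapes: the spamd line carries the sender (MFROM) and the sm-mta line carries the verdict (X-Spam-Status), and only the grouped transaction has both. The Python below is an added example for this cheat sheet, not the page's or Splunk's code: it groups the events by MSGID the way `transaction MSGID` does, merges their fields, enforces an assumed 60-second window (the `maxspan` a real transaction should get so unrelated events with a recycled id are not glued together), and then counts senders of the messages flagged Yes, matching `search "X-Spam-Status: Yes" | top MFROM`. The input is the page's two lines plus constructed pairs, including one pair too far apart in time to be grouped.

```python
"""Two-line correlation by MSGID: the offline counterpart of
`rex ... | transaction MSGID | search "X-Spam-Status: Yes" | top MFROM`.

Added example, not the page's or Splunk's code. The 60 s window and the
year used to complete the syslog timestamps are assumptions; the sample
lines are the page's two plus constructed ones, marked below.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Sequence, Tuple

KV = re.compile(r"(\w+)=(\S+)")                       # spamd key=value pairs
MILTER_MSGID = re.compile(r"\]: (?P<MSGID>[^:]+): Milter")  # the page's rex
TS = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d)")
SPAM_YES = "X-Spam-Status: Yes"
ASSUMED_YEAR = 2023  # syslog timestamps carry no year

SAMPLE_LINES = [
    "Mar 5 15:34:20 10.0.3.30 Mar 5 15:34:20 spamd child[6707]: GSCORE=0 COU=ES ASN=AS12357 IP=77.230.132.146 MFROM=ibe@elegancejewelrydesigns.com MTO=ibe@hitchhiker.com MSGID=s25EYHtn016074 HELO=static-146-132-230-77.ipcom.comunitel.net IPN=1306952850 LAT=40.0000 LON=-4.0000 CTY=0",
    "Mar 5 15:34:24 10.0.3.30 Mar 5 15:34:24 mail sm-mta[16074]: s25EYHtn016074: Milter add: header: X-Spam-Status: Yes, score=23.4 required=3.0 tests=BAYES_99,CK_HELO_GENERIC autolearn=spam version=3.3.1",
    # constructed: two spam messages from the same sender
    "Mar 5 15:35:01 10.0.3.30 Mar 5 15:35:01 spamd child[6707]: GSCORE=0 COU=US IP=198.51.100.7 MFROM=promo@example.net MTO=ibe@hitchhiker.com MSGID=s25EZ01a016101 HELO=mail.example.net",
    "Mar 5 15:35:03 10.0.3.30 Mar 5 15:35:03 mail sm-mta[16101]: s25EZ01a016101: Milter add: header: X-Spam-Status: Yes, score=12.0 required=3.0 tests=BAYES_99",
    "Mar 5 15:36:10 10.0.3.30 Mar 5 15:36:10 spamd child[6707]: GSCORE=0 COU=US IP=198.51.100.7 MFROM=promo@example.net MTO=ibe@hitchhiker.com MSGID=s25Ea10b016120 HELO=mail.example.net",
    "Mar 5 15:36:12 10.0.3.30 Mar 5 15:36:12 mail sm-mta[16120]: s25Ea10b016120: Milter add: header: X-Spam-Status: Yes, score=9.5 required=3.0 tests=BAYES_99",
    # constructed: a ham message, must not be counted
    "Mar 5 15:37:00 10.0.3.30 Mar 5 15:37:00 spamd child[6707]: GSCORE=0 COU=DE IP=203.0.113.9 MFROM=friend@example.org MTO=ibe@hitchhiker.com MSGID=s25Eb00c016130 HELO=mx.example.org",
    "Mar 5 15:37:02 10.0.3.30 Mar 5 15:37:02 mail sm-mta[16130]: s25Eb00c016130: Milter add: header: X-Spam-Status: No, score=0.2 required=3.0 tests=NONE",
    # constructed: events 5.5 minutes apart, outside the assumed maxspan
    "Mar 5 15:40:00 10.0.3.30 Mar 5 15:40:00 spamd child[6707]: GSCORE=0 COU=FR IP=192.0.2.44 MFROM=late@example.net MTO=ibe@hitchhiker.com MSGID=s25Ee00d016140 HELO=late.example.net",
    "Mar 5 15:45:30 10.0.3.30 Mar 5 15:45:30 mail sm-mta[16140]: s25Ee00d016140: Milter add: header: X-Spam-Status: Yes, score=8.0 required=3.0 tests=BAYES_99",
]


def event_time(line: str) -> datetime:
    """Parse the leading syslog timestamp, completing it with ASSUMED_YEAR."""
    m = TS.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp: {line[:20]!r}")
    return datetime.strptime(f"{m['mon']} {int(m['day'])} {m['hms']} {ASSUMED_YEAR}",
                             "%b %d %H:%M:%S %Y")


def parse_event(line: str) -> Optional[Tuple[str, Dict[str, object]]]:
    """Return (MSGID, fields). spamd lines carry MSGID= as a key=value pair;
    sm-mta milter lines need the rex to pull it out of the free text."""
    fields: Dict[str, object] = dict(KV.findall(line))
    fields["_time"] = event_time(line)
    fields["spam"] = SPAM_YES in line
    msgid = fields.get("MSGID")
    if msgid is None:
        m = MILTER_MSGID.search(line)
        if not m:
            return None
        msgid = m["MSGID"]
    return str(msgid), fields


def transactions(lines: Sequence[str],
                 maxspan: timedelta = timedelta(seconds=60)) -> Dict[str, Dict[str, object]]:
    """Group by MSGID like `transaction MSGID maxspan=60s`: merge the fields
    (first value wins, spam flag ORed) and drop groups spanning more than
    maxspan, so a recycled queue id cannot join unrelated events."""
    groups: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for line in lines:
        parsed = parse_event(line)
        if parsed:
            groups[parsed[0]].append(parsed[1])
    result: Dict[str, Dict[str, object]] = {}
    for msgid, events in groups.items():
        events.sort(key=lambda e: e["_time"])
        if events[-1]["_time"] - events[0]["_time"] > maxspan:
            continue
        merged: Dict[str, object] = {"spam": False}
        for event in events:
            for key, value in event.items():
                if key == "spam":
                    merged["spam"] = merged["spam"] or value
                else:
                    merged.setdefault(key, value)
        merged["eventcount"] = len(events)
        result[msgid] = merged
    return result


def top_spam_senders(lines: Sequence[str], limit: int = 10) -> List[Tuple[str, int]]:
    """`search "X-Spam-Status: Yes" | top MFROM` over the transactions."""
    counts = Counter(str(tx["MFROM"]) for tx in transactions(lines).values()
                     if tx["spam"] and "MFROM" in tx)
    return counts.most_common(limit)


if __name__ == "__main__":
    for sender, count in top_spam_senders(SAMPLE_LINES):
        print(count, sender)
```

The same grouping applies to the `transaction TID` search further down; the window is what keeps a reused id from producing a bogus join, and a real search should carry it as `maxspan`.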
Look to Book Chart
Show the Look to Book Ratio
- Count PCC, GetFares,BookFare
- Calculate to Ratio
- Append a trailing identifier, :1 or :0 if no bookings were made
- Lookup PCC to owner name
- Select output fields
- leave the total as the last row
M=FAPI (CMD=GetFares OR (CMD=BookFare AND STAT>=0)) STAT>=0 | chart count by PCC,CMD | sort BookFare,GetFares desc | eval L2B=round(GetFares/BookFare) | eval STATBOOK=if(BookFare>0,"1","0") | eval STATGF=if(L2B>0,L2B,GetFares) | eval LookToBook=STATGF . ":" . STATBOOK | lookup pcc PCC as PCC OUTPUT Owner | fields Owner,PCC, GetFares, BookFare, LookToBook | addtotals col=t row=f labelfield=PCC
Last 50 Bookings
Show the recent bookings
- Use top (no counting)
- Append OK or Error, if error then lookup the error code
- Lookup pcc, owner, carrier, city codes
- Rename and format fields
M=BOI earliest=-1d latest=now | top 50 _time,PCC,CRS,AIR,DEP,ARR,STAT,PAS,SEG, NET, TAX, CUR, DIST | lookup errors Code as STAT OUTPUT Description | eval STATX=if(STAT>=0,"OK", Description) | eval STATUS=STAT . " = " . STATX | lookup airlines Code as AIR OUTPUT Hint | lookup pcc PCC as PCC OUTPUT Owner,CRSName | lookup airports IATA as DEP OUTPUT CityName as From | lookup airports IATA as ARR OUTPUT CityName as To | rename Hint AS CarrierName | rename Owner AS Customer | fields _time, CRS,Customer, AIR, CarrierName, From, To, PAS, SEG, NET, TAX, CUR, DIST, STATUS
Revenue
Show the revenue
- Use stats for counting
- Use the new fields EURNET and EURTAX as unique currency source (available since FEB2014)
M=BOI STAT>=0 TST=0 | stats count(_time) as Bookings, sum(EURNET) as TotalFareEuro,sum(EURTAX) as TotalTAXEuro,sum(PAS) as Passenger by CRS, PCC | eval AverageFarePerPassenger=round(TotalFareEuro/Passenger) | eval AveragePassengerPerBooking=round(Passenger/Bookings) | lookup pcc PCC as PCC OUTPUT Owner,CRSName | fields CRSName, Owner, Bookings, TotalFareEuro,TotalTAXEuro,Passenger,AverageFarePerPassenger,AveragePassengerPerBooking | addtotals col=t row=f labelfield=CRSName
Transaction
Use transaction and table to map FAPI/WFE data.
TIME>20 | transaction TID | rename TIME as ResponseTime | table _time,TID,host,ResponseTime,DEP,ARR,M,SC,SS,PCC | search PCC=XXX
WebFare Searches
List the error codes per carrier (SS<0 is an error), if any
M=WFE SS<0 | top SC,SS
Search for W6 if the Agent Plugin is used:
M=WFE WAGTD="*W6*"
List all errors for U2 with Agent Plugin used.
M=WFE WAGTD="*U2*" SC=U2 SS<0 | top SS
List all errors for U2 with NO Agent Plugin used.
M=WFE NOT WAGTD="*U2*" SC=U2 SS<0 | top SS
List all U2 traffic with Agent Plugin used.
M=WFE WAGTD="*U2*"
Append two searches
- Use appendcols
M=FAPI FT=1 STAT=0 USR=QUNAR.PROD | stats count(CMD) as XXX | appendcols [search M=FAPI FT=1 STAT=0 NOT USR=XXXX.PROD | stats count(CMD) as OTHER]
Event count
just a draft:
M=WFE | stats list(PSTAT) as PSTAT count(AIR) as total by AIR | where mvindex(PSTAT,1)="0" OR mvindex(PSTAT,1)="1"
M=WFE | stats list(PSTAT) as PSTAT count(AIR) as total by AIR
M=WFE 0Y | stats values(PSTAT) as PSTAT count(AIR) as total by AIR
Links
- KV Store renew cert
- http://wiki.intern/index.php/Renew_internal_Splunk_License
- Distributed search
- https://infohub.delltechnologies.com/l/splunk-enterprise-on-dell-powerflex-rack-using-powerscale-1/splunk-distributed-clustered-deployment-1