Splunk笔记

学习Splunk Fundamentals Part 2 (IOD) 和 Splunk Fundamentals Part 1课程的笔记。

1. Chart

1. Over

2. By

3. Tips:

1. ….|chart count over host by product_name usenull=f useother=f
2. Only first value after by modifier effect

2. Timechart

1. Time is alwarys the X axis
2. Only first value after by modifier effect
3. Span=12hr
4. Use the limit option to include only the 5 best-selling products.
5. Splunk automatically calculates the top products by totaling each column and taking the top n results (n being the number you specify in your limit).
6. …|timechart count by product_name limit=0

3. Iplocation

1. …|iplocation src_ip

4. Maps

1. Marker maps
2. Choropleth maps

5. Geostats

1. …|geostats latfield=xx longfield=xx count
2. Latfield

6. Geom

1. (geom geo_us_states featureIdField=VendorStateProvince)
2. index=sales sourcetype=vendor_sales VendorID < 3000 |chart count by VendorStateProvince |geom
3. geo_us_states featureIdField=VendorStateProvince

7. Trendline

1. Wma2 weighted moving average
2. Sma simple moving average
1. Ema exponenial moving average 指数

8. Addtotals

1. Col=true
2. Label="xx"
3. Labelfield="xx"
4. Fieldname=xx
5. Row=false

9. Eval

1. Tostring format values will changing their characteristics
2. destination field for the eval command
3. already exists overwritten by the new field
4. defined in the eval command

10. Fieldformat

1. Not change chararistic

11. Search

1. index=security sourcetype=linux_secure fail* |stats count by user|search count>3 |sort -count
2. 不可以接函数，where场景更多

12. Where

1. index=network sourcetype=cisco_wsa_squid |stats count by http_content_type |eval type=if(http_content_type LIKE "image%","graphic","other")
2. No results are found because the search command cannot compare values from two different fields. (As you saw earlier, the where command can do this.)
3. … | where a>2 AND b>4

13. Lookup

14. Transaction

1. Endwith
2. Startwith
3. : The search command must be downstream from the transaction command.
4. Duration
5. Eventcount
6. Maxspan

15. Name conventions

1. Group

2. Type

3. Platform

4. Category

5. Time

6. Description

7. Tips:

1. OPS_WFA_Network_Security_na_IPwhoisAction
2. It is suggested that you name your Knowledge Objects using 6_ segmented keys.

16. Field Extractor (FX)

1. Extract your own field

2. Access FX via Settings, Fields Sidebar, or Event Action menu

3. Extraction Methods

1. Regex
2. Delimiter

17. Field Aliaes

1. A way to normalize data
2. Support multiple aliases
3. Applied after field extractions,before lookup
4. Can apply to lookup

18. Calculated

1. A caculated field must be based on an extracted or discovered field, Not from lookup table or search

19. Tags

1. Nicknames for related field/values

2. One or more tags for any field/values

3. Case Sensitiv

4. Search syntax

1. Tag=tagenam
2. Tag::filed=tagname
3. Tag=p* (partial field value)

20. Even Types

1. Categorizing events based on search
2. Tagged to group similar types of event
3. No time range
4. Can be inclued in a search sting

21. Macro

1. Store entire search strings
2. Time range independent
3. Pass arguments to the search
4. Expanding search ctr+shift+e

22. Workflow

1. Get workflow
2. Post workflow
3. Search workflow

23. Knowledge Object

24. Data Models

1. Data model is structured datasets

2. 3 types dataset

1. Events
2. Searchs
3. Transacitons

3. Acceleration

25. Events Dataset

1. Constraints
2. Fields

26. Dataset field

1. Auto-extractd

1. Field type

1. String
2. Number
3. Boolean
4. IPV4

2. Field flags

1. Optional
2. Required
3. Hidden
4. Hidden & required

2. Eval expression

3. Lookup

4. Regular expression

5. Geo ip

27. Pivot

1. Used for creating reports and dashboards, which are based on dataset

28. CIM Add-on ( Common Information Model)

1. Normalize data
2. Easier correlation data
3. Object permission

29. Datamodel command

1. |datamodel Web Web search |fields web*