Splunk ①

搜索剖析

基础

词汇大小写不敏感

index=main brookings

区分大小写：index=main CASE(Brookings)

关键字大小写敏感

搜索and：index=main brookings and 132km
AND是关键字：index=main brookings AND 132km

字符串括起来

错误

index=main OR
index=main (
index=main |
index=main []
index=main =

正确

index=main OR
index=main (
index=main |
index=main []
index=main =

字段判断

字段名大小写敏感

能搜到：index=main JSESSIONID=SD6SL7FF7ADFF53113
能搜到（=前后有空格）：index=main JSESSIONID = SD6SL7FF7ADFF53113
搜不到：index=main jsessionid=SD6SL7FF7ADFF53113

字段存在

正确：index=main status=*
错误：index=main status

字段不存在

正确：index=main NOT status=
错误1：index=main NOT status
错误2： index=main status!=

字段值不为空

正确：index=main status=* NOT status=””
错误1：index=main NOT status””
错误2：index=main status NOT status=””

字段值为空

index=main itemId=””

搜索基础

多个关键搜索

A B vs B A

可以搜到：index=main JSESSIONID=SD10SL8FF5ADFF31078 like Gecko
也可以搜到：index=main JSESSIONID=SD10SL8FF5ADFF31078 Gecko like

“A B” vs “B A”

能搜到：index=main JSESSIONID=SD10SL8FF5ADFF31078 “like Gecko”
能搜到： index=main JSESSIONID=SD10SL8FF5ADFF31078 (Gecko like)
搜不到：index=main JSESSIONID=SD10SL8FF5ADFF31078 “Gecko like”

A B vs A OR B

能搜到：index=main JSESSIONID=SD10SL8FF5ADFF31078 739 OR 525
搜不到：index=main JSESSIONID=SD10SL8FF5ADFF31078 739 525

通配符匹配

匹配0到多个字符

index=main source=”tutorialdata.zipwww1/access.log” 648
前中后，且支持多个:
index=main source=”tutorialdata.zip:./www1/access.log” Appkt
匹配特殊字符
当匹配开头结尾是特殊字符时，不如预期
能搜到：
index=main source=”tutorialdata.zipwww1/access.log” productId=S01
index=main source=”tutorialdata.zipwww1/access.log” productId=S1
搜不到：
index=main source=”tutorialdata.zipwww1/access.log” productId=SF1
index=main source=”tutorialdata.zipwww1/access.log” productId=SG01

表达式评估

index=main source=”tutorialdata.zipwww1/access.log” 739 OR 525 1931 OR 704
等价于
index=main source=”tutorialdata.zipwww1/access.log” (739 OR 525) (1931 OR 704)
index=main AND source=”tutorialdata.zip*www1/access.log” AND (739 OR 525) AND (1931 OR 704)

字段类型

范围：index=main status>200 status<500
数值与文本比较：index=main status > 500

【反直觉】NOT vs !=

!=必须存在

字段status必须存在：index=main status!=200

NOT必须存在

字段status可以不存在：index=main NOT status=200

特例（判断字段存在）

正确：index=main NOT status=
错误（永远无匹配）： index=main status!=

Search vs. Where

搜索2个字段值相同

错误：index=main source=”tutorialdata.zipwww1/access.log” status=bytes`
正确：index=main source=”tutorialdata.zipwww1/access.log” | where status=bytes

宽(-)字符匹配特殊字符

错误：index=main source=”tutorialdata.zipwww1/access.log” productId=SF1
正确：index=main source=”tutorialdata.zipwww1/access.log” | where like(productId, “SF%1”)
表达式计算：
status是100倍数的：
错误：index=main status%100=0
正确：index=main status= | where status%100=0
评估顺序：
index=main status= | where isnum(status) and status>=500 or status=404
等价于
index=main status= | where (isnum(status) and status>=500) or status=404

排序

最近发生的前10条错误日志

index=main source=”tutorialdata.zip*www1/access.log” | sort 10 -status
sort 0 取消限制。字段前面加-号：降序。默认为+号：升序。

最早发生的前10条错误日志

index=main source=”tutorialdata.zip*www1/access.log” | sort 10 -status _time
_time:是一个字段。

字段类型排序

文本优先：index=main | sort 10 -status
数字优先：index=main | sort 10 -num(status)

分词

分词符

可以搜索到：
index=main JSESSIONID=SD10SL8FF5ADFF31078 KHTML, Like
顺序不重要：
index=main JSESSIONID=SD10SL8FF5ADFF31078 Like, KHTML
分词符可以省略：
index=main JSESSIONID=SD10SL8FF5ADFF31078 KHTML Like
分词符还是需要匹配：
index=main JSESSIONID=SD10SL8FF5ADFF31078 KHTML& Like

双引号

精准匹配
可以搜出：index=main JSESSIONID=SD10SL8FF5ADFF31078 “KHTML Like”
搜不出来：index=main JSESSIONID=SD10SL8FF5ADFF31078 “KHTML Like””

主副分词符

主分词符不讲究顺序

index=main JSESSIONID=SD10SL8FF5ADFF31078 like Gecko
index=main JSESSIONID=SD10SL8FF5ADFF31078 Gecko like

副分词符，都可以搜出来

index=main JSESSIONID=SD10SL8FF5ADFF31078 Safari/536.5
index=main JSESSIONID=SD10SL8FF5ADFF31078 Safari/536
index=main JSESSIONID=SD10SL8FF5ADFF31078 Safari
index=main JSESSIONID=SD10SL8FF5ADFF31078 536.5 Safari
搜不出来；index=main JSESSIONID=SD10SL8FF5ADFF31078 Safari/53
搜不出来；index=main JSESSIONID=SD10SL8FF5ADFF31078 536.5/Safari

精准副词搜索

可以搜出来：index=main JSESSIONID=SD10SL8FF5ADFF31078 TERM(Safari/536.5)
搜不出来：index=main JSESSIONID=SD10SL8FF5ADFF31078 TERM(Safari/536)

搜索时间

绝对时间（左闭右开）

某一秒（03/28/2020:18:20:54）发生的事件

错误：index=main source=”tutorialdata.zipwww1/access.log” earliest=”03/28/2020:18:20:54” latest=”03/28/2020:18:20:54”
正确：index=main source=”tutorialdata.zipwww1/access.log” earliest=”03/28/2020:18:20:54” latest=”03/28/2020:18:20:55”

相对时间

1小时内的日志：index=_internal earliest=-1h

相对时间对齐

三周前的工作日的事件

w0表示周日（蛤？）
index=main source=”tutorialdata.zipwww1/access.log” earliest=-3w@w1 latest=-2w@w6
index=main source=”tutorialdata.zipwww1/access.log” action=purchase (earliest=-21d@d+7h latest=-21d@d+10h) OR (earliest=-21d@d+16h latest=-21d@d+19h) | stats count

上一个小时的日志

index=_internal earliest=-1h@ latest=@h

昨天的日志总数

index=_internal earliest=-1d@ latest=@d

评估函数

计算新字段

传输的KB大小

index=main source=”tutorialdata.zip*www1/access.log” | eval bytes_kb = round(bytes/1000,2)

与统计字段结合使用

统计状态是404错误的日志类型

index=main | stats count(eval(status=”404”)) as count_status by sourcetype

字段值拼接

正确：index=main source=”tutorialdata.zipwww1/access.log” | eval action_dsc=action.productId
不推荐（数字时与预期不一样）：index=main source=”tutorialdata.zipwww1/access.log” | eval action_dsc=action+productId

依赖

index=main source=”tutorialdata.zip*www1/access.log” | eval bytes_kb = round(bytes/1024, 2), bytes_kb_desc = bytes_kb.” KB”

复杂组合计算

domain地址拆分：index=main source=”tutorialdata.zipwww1/access.log” | eval addr=split(referer_domain,”.”), domain=mvindex(addr,-1), location=if(match(domain, “[^\n\r\s]+.(com|net|org)”), “local”, “abroad”) | stats count BY location
index=main source=”tutorialdata.zipwww1/access.log” | eval product_ser = split(productId, “-“), prd_c1=mvindex(product_ser, 0), prd_c2= mvindex(product_ser, 1), prd_c3=mvindex(product_ser, 2) | fields - product_ser

Splunk②

子查询

访问最多的客户端的事件

index=main source=*access* [search index=main source=*access* | top 1 clientip showcount=false showperc=false]

错误访问最多的5个uri的访问趋势

index=main source=*access* [search index=main source=*access* status >= 400 | top 5 uri_path showcount=false showperc=false] | timechart span=1d count

全文匹配

包含访问最多文件名文本的所有事件

index=main source=*access* [search index=main source=*access* status >= 400 | top 1 file showcount=false showperc=false | rename file as search ]

嵌套

找出出错最多的客户端IP或URL，获得他们的所有事件

index=main source=*access* [search index=main source=*access* | top 1 clientip showcount=false showperc=false ] OR [search index=main source=*access* status >= 400 | top 1 uri_query showcount=false showperc=false]

Top20产品的前5个买手的购买时间规律

index=main source="tutorialdata.zip*www1/access.log" [search index=main source="tutorialdata.zip*www1/access.log" action=purchase [search index=main source="tutorialdata.zip*www1/access.log" action=purchase | top 20 productId showcount=false showperc=false] | top 5 clientip showcount=false showperc=false] | stats count by date_hour | sort num(date_hour)

买的最多的买家，他去对卖的最多的产品的访问日志

index=main source=access [search index=main source=access action=purchase | top 1 productId showcount=false showperc=false] [search index=main source=access action=purchase | top 1 clientip showcount=false showperc=false]

买的最多的买家的访问日志（但是排除掉卖的最多的这个产品）

index=main source=access NOT [search index=main source=access action=purchase | top 1 productId showcount=false showperc=false] [search index=main source=access action=purchase | top 1 clientip showcount=false showperc=false]

统计表格

stats

一维多列

统计PV、UV

source="access" | stats count as pv, distinct_count(clientip) as uv

二维多列

统计各个网站Refere站点的GET/Post数量

source="access" | stats count(eval(method="GET")) AS GET, count(eval(method="POST")) AS POST BY referer_domain

带图

购买统计与趋势

source="access" | stats count, sparkline(count) as sparkline by action | sort -count
index=main source="access" | stats count, sparkline(count, 1h) as sparkline by action | sort -count

timechart

统计每日UV访问趋势

index=main source=access| timechart dc(clientip) AS unique_visitors
index=main source="access" | timechart span=1d count as pv, dc(clientip) as uv

统计3周前的第一个工作日的PV和UV访问趋势

index=main source="tutorialdata.zip*www1/access.log" | timechart span=1h dc(clientip) AS uv, count as pv

// earliest=-3w@w1 latest=-3w@w2

Top, rare

购买最多的客户端

index=main source="*access*" action=purchase | top 1 clientip showcount=false showperc=false

购买最少的商品

index=main source="*access*" action=purchase | rare 1 productId

Event/StreamStat

购买Top10的商品，每一行加上前10的总数

source=access action=purchase | top productId | eventstats sum(count) as totalcount

给每一行加上编号

source=*access* action=purchase | top productId | eventstats sum(count) as totalcount | streamstats count as "#" | fields "#", productId, *

404错误累计错误数量

source=*access* action=purchase | top productId | eventstats sum(count) as totalcount | streamstats count as "#" | fields "#", productId, *

用stats实现top

index=main source="*access*" productId=* | stats count by productId | eventstats sum(count) as totalcount | eval percent = round(count/totalcount*100 , 2)."%" | fields - totalcount | sort -count | head 5

index=main source="access" productId= | join [search index=main source="access" productId= | top 5 productId showcount=false showperc=false | stats values(productId) as top5 ] | eval productId=if(like(top5, "%".productId."%"), productId, "OTHERS") | stats count by productId | eventstats sum(count) as totalcount | eval percent = round(count/totalcount*100 , 2)."%" | fields - totalcount | sort -count | head 5

基础补充

命令调用

bool参数

index=main source=access | top clientip showperc=f

参数分隔符

index=main source=access | top clientip method

Eval函数

不存在的值

null值会被忽略：

index=main source=*access* | eval k1=null()

同理：

index=main source=access | eval k1=typeof(coalesce(xxx, yyy))

去除字段：

index=main | eval status=if(isnum(status), status, null())

Bool值不能赋值

错误：index=main source=access | eval result=like(productId, “WC%”)
正确1：index=main source=access | eval result=if(like(productId, “WC%”), “Yes”, “No”)
正确2: index=main source=access | eval result=tostring(isnull(productId))

类型判断

判断数字

| makeresults 1 | eval k1=100, k2="100", k3=-100, result=tostring(isint(k1)).tostring(isint(k2)).tostring(isint(k3))

注意：字段本质没有类型，都是字符串，用isint后尝试类型转换后判断。

判断字符

| makeresults 1 | eval k1=100, k2="100", result=tostring(isstr(k1)).tostring(isstr(k2))

布尔值判断

| makeresults 1 | eval k1=100, k2="100", result=tostring(isstr(k1)).tostring(isstr(k2))

字段判断

字段是否存在

错误1： index=main source=access | eval result=isnull(field1)
错误2：index=main | eval result=if(status==null(), “not exist”, “exist”)
错误3：| makeresults 1 | eval f1=100, f2=”xxx”, f3=”” | eval result=if(f1==”“, “not null.”, “null”)
正确1：| makeresults 1 | eval f1=100, f2=”xxx”, f3=”” | eval result=if(isnull(f1), “null.”, “not null.”).if(isnull(f2), “null.”, “not null.”).if(isnull(f3), “null.”, “not null.”).if(isnull(f4), “null.”, “not null.”)
正确2：| makeresults 1 | eval f1=100, f2=”xxx”, f3=”” | eval result=if(not isnull(f1), “meet.”, “not meet.”).if(not isnull(f2), “meet.”, “not meet.”).if(not isnull(f3), “meet.”, “not meet.”).if(not isnull(f4), “meet.”, “not meet.”)
正确3： | makeresults 1 | eval f1=100, f2=”xxx”, f3=”” | eval result=if(searchmatch(“f1=“), “meet.”, “not meet.”).if(searchmatch(“f2=“), “meet.”, “not meet.”).if(searchmatch(“f3=“), “meet.”, “not meet.”).if(searchmatch(“f4=“), “meet.”, “not meet.”)
正确4：| makeresults 1 | eval result=coalesce(status, “default”)
*相对于有isnotnull。

字段存在且为空

正确1：| makeresults 1 | eval f1=100, f2=”xxx”, f3=”” | eval result=if(f1==””, “meet.”, “not meet.”).if(f2==””, “meet.”, “not meet.”).if(f3==””, “meet.”, “not meet.”).if(f4==””, “meet.”, “not meet.”)
其中：==可以换成=
正确2：| makeresults 1 | eval f1=100, f2=”xxx”, f3=”” | eval result=if(searchmatch(“f1=”””), “meet.”, “not meet.”).if(searchmatch(“f2=”””), “meet.”, “not meet.”).if(searchmatch(“f3=”””), “meet.”, “not meet.”).if(searchmatch(“f4=”””), “meet.”, “not meet.”)
错误：| makeresults 1 | eval f1=100, f2=”xxx”, f3=”” | eval result=if(searchmatch(“f3==”””), “meet.”, “not meet.”)
注意：不能使用==

字段存在且不为空

正确1：| makeresults 1 | eval f1=100, f2=”xxx”, f3=”” | eval result=if(f1!=””, “meet.”, “not meet.”).if(f2!=””, “meet.”, “not meet.”).if(f3!=””, “meet.”, “not meet.”).if(f4!=””, “meet.”, “not meet.”)
正确2：| makeresults 1 | eval f1=100, f2=”xxx”, f3=”” | eval result=if(not f1==””, “meet.”, “not meet.”).if(not f2==””, “meet.”, “not meet.”).if(not f3==””, “meet.”, “not meet.”).if(not f4==””, “meet.”, “not meet.”)
正确3：| makeresults 1 | eval f1=100, f2=”xxx”, f3=”” | eval result1=nullif(f1, “”), result2=nullif(f2, “”), result3=nullif(f3, “”), result4=nullif(f4, “”)
nullif：用于忽略特定值返回原值

返回第一个存在值得字段

coalesce选择第一个存在的字段(哪怕值为空)，不存在返回null()：

| makeresults 1 | eval k1=100, k2="100", result=tostring(isstr(k1)).tostring(isstr(k2))

返回第一个存在且值不为空字段

| makeresults 1 | eval k1=100, k2="100", result=tostring(isstr(k1)).tostring(isstr(k2))

不存在的字段，比较时，默认都不满足条件

index=main | eval f1=100, f2="xxx", f3="" | eval result=if(f4=="", "meet.", "not meet.").if(f4!="", "meet.", "not meet.")

case/validate

字段简单富化

index=main | eval status_desc=case(isnull(status), "Unknown: Empty", not isnum(status), "Unknown: invalid value: ".status, status>=500, "Internal Error", stauts >= 400, "Authentication Error", status >= 300, "Redirect Error", status >= 200, "Success", true(), "Unknown: out of range: ".status)

注意：一般使用true()做默认值。

validate的行为与case相反，第一个False的先返回

字符串匹配

最基本匹配:=， ==, !=

index=main | eval result=status.": ".if(status=400, "**AUTH**", "other")

多个值匹配: in

index=main | eval f1="error" | eval result=if(in(f1, "failed", "invalid", "unkonwn", "error"), "failed", "success")

模式匹配: like

index=main | eval result=status.": ".if(like(status, "4%"), "AUTH", "other")

注意: _表示单个字符

正则匹配： match

index=main | eval result=status.": ".if(like(status, "4%"), "AUTH", "other")

时间格式化

时间对齐

index=main source=*access* | eval result=strftime(relative_time(_time, "+1d"), "%Y-%m- %dT%H:%M:%S.%Q")

高级搜索

正则表达式

regex过滤

局部匹配

index=main source="*access*" | regex productId="S.+G01"

完整匹配

index=main source="access" | regex productId="^S.+G01$"

replace操作

index=main source=*access* productId=* | eval productId_new = replace(productId, "(\w+)-(\w+)-(\w+)", "\2-\3-\1") | table productId, productId_new

Rex提取

命名匹提取

index=main source="access" | rex field=productId "(?\w+)-(?\w+)-(?\w+)"

多值提取

| makeresults 1 | eval k1="123 456 789" | rex field=k1 "(?\d+)" max_match=0

常见案例

<test>123</test> <test>456</test>
<test>.+</test>
| makeresults 1 
|  eval s = "xxx yyy@yahoo.com" 
| rex field=s "(?P<user>\w+)@(?P<company>\w+)\.com"
index=main source=*access* productId=*
|  rex field=productId "(?P<type1>\w+)-(?P<type2>\w+)-(?P<type3>\w+)" 
| rex field=_raw "HTTPS?\s+(?P<http_version>\d+\.\d+)"
wangxiao@163.com
  wanglao@163.com
  163@163.com
  qq@qq.com
  yahoo@yahoo.com
  (\w+)@\1.com
| makeresults 1 
|  eval s = "xxx yyy@yahoo.com.cn" 
| rex field=s "(?P<user>\w+)@(?P<company>\w+\.(?:com|cn)(?:\.cn)?)"
| makeresults 1 
|  eval s = "xxx yyy@yahoo.COM.cn" 
| rex field=s "(?i)(?P<user>\w+)@(?P<company>\w+\.(?:com|cn)(?:\.cn)?)"

KV键值对

| makeresults 1 | eval _raw="k1=v1 k2=v2 k3=v3" | extract kvdelim=" " pairdelim="="

XML操作

简单KV提取操作

| makeresults 1 | eval _raw="<student1>xiaoming</student1><student2>xiao wang</student2>" | xmlkv maxinputs=10000

XPATH提取

提取属性

| makeresults 1 | eval val=" <bar nickname="spock"><bar nickname="scotty"><bar nickname="bones">" | xpath field=val outfield=name "//bar/@nickname"

提取值

| makeresults 1 | eval val" <bar nickname="spock">abc<bar nickname="scotty">xyz<bar nickname="bones">zzz" | xpath field=val outfield=name "//bar"

| makeresults 1 | eval val="<b name="xxxx">123" | xpath field=val outfield=name "//b/@name"

选择特定item提取

| makeresults 1 | eval val=" <bar nickname="spock">abc<bar nickname="scotty">xyz<bar nickname="bones">zzz" | xpath field=val outfield=name "//bar[@nickname='spock']"

spath提取

| makeresults 1 | eval val=" <bar nickname="spock">abc<bar nickname="scotty">xyz<bar nickname="bones">zzz" | spath input=val output=name path=foo.bar

| makeresults 1 | eval val="123456" | spath input=val output=name "a.b"

JSON 提取

按路径提取属性

| makeresults 1 | eval val="{"name": "xiaoming", "books": ["c++", "splunk"], "address": {"city": "shanghai", "distinct": "pudong"} }" | spath input=val output=name path=address.city | table name

数组提取

| makeresults 1 | eval val="{"name": "xiaoming", "books": ["c++", "splunk"], "address": {"city": "shanghai", "distinct": "pudong"} }" | spath input=val output=book path=books{} | table book

| makeresults 1 | eval val="{"age": [10, 28] }" | spath input=val output=age "age{}"

| makeresults 1 | eval val="{"age": [{"home":"nanjing"}, {"home": "shanghai"}] }" | spath input=val output=age "age{}.home"

数组路径深度提取

| makeresults 1 | eval val="{"name": "xiaoming", "books": ["c++", "splunk"], "address": {"city": "shanghai", "distinct": "pudong"}, "family": [{"name": "xiao xiao ming"}, {"name": "kelly"} ] }" | spath input=val output=family path=family{}.name | table family

多值提取与实践分裂

| makeresults 1 | eval val="[{"age":3,"name":"xiao ming"},{"age":28,"name":"kelly"}]" | spath input=val output=name path={}.name | spath input=val output=age path={}.age | eval combine=mvzip(name, age) | table combine | mvexpand combine | eval ss = split(combine, ","), name=mvindex(ss, 0), age=mvindex(ss, 1) | table name, age

| makeresults 1 | eval val=split("x1,x2,z3", ",") , v2=split("t1,t2,t3", ",") | eval val_3 = mvzip(val, v2) | mvexpand val_3 | makemv delim="," val_3 | fields val_3 | eval v1=mvindex(val_3, 0), v2=mvindex(val_3, 1)

查找异常

高级图表：chart vs timechart vs stats

stats

标准group-by

sourcetype=access_* | stats avg(other) as resp, count by productId, action

X轴: by，支持多个
Y轴（统计值）: f1, f2, ….

支持：多对多，结构静态

支持3+维度X轴

sourcetype=access_* | stats avg(other) as resp, count by productId, action, itemId

默认5,000

chart

单个X，与stats一样

sourcetype=access_* | chart avg(other) as resp, count by productId

多X轴，动态展开Y轴

index=main source=*access* productId=* action=* | chart count, avg(bytes) by action, productId

by X轴，动态展开Y轴*统计函数

支持：一对多，Y轴动态

等价于：

index=main source=access productId= action= | chart count, avg(bytes) over action by productId

over X轴 by 动态展开Y轴*统计函数
合法：

sourcetype=access_* | chart eval(sum(bytes)/1024) as s1

错误：

sourcetype=access_* | stats eval(sum(bytes)/1024) as s1

timechart

index=main source=access productId= action= | timechart span=1d count, avg(bytes) by action

自动X轴（Span）时间
by 动态Y轴*统计函数

支持：一对多，X时间，Y轴动态

默认span设定

| Time range | Default span | | :-------------- | :----------- | | Last 15 minutes | 10 seconds | | Last 60 minutes | 1 minute | | Last 4 hours | 5 minutes | | Last 24 hours | 30 minutes | | Last 7 days | 1 day | | Last 30 days | 1 day | | Previous year | 1 month |

index=main source=access productId= action= earliest="03/22/2020:00:00:00" latest="03/23/2020:00:00:00" | timechart count by action

统计函数

计算UV

distinct_count vs estdc

index=main | stats dc(clientip) as f1, estdc(clientip) as f3

计算分位

sourcetype=access_* | stats min(other), max(other), perc0(other), perc99(other), perc95(other) by action.upperperc（不知道能不能这样）

list vs values

sourcetype=access_* | head 10 | stats list(action), values(action)

Eval

index=main source=access | stats count(eval(isnotnull(productId) and status=400)) as value, count as total

Join

Union

合并实践，使用Append合并实践

| makeresults 1 | eval s1 = "test1" | append [ makeresults 1 | eval s1="test2"]

合并多个

| makeresults 1 | eval s1 = "test1" | union [ makeresults 1 | eval s1="test2"] [ makeresults 1 | eval s1="test3"]

类型

Left/Right/Self Join

使用join构建top+others

index=main source=access | join type=left clientip [search index=main source=access | top 10 clientip showperc=f | streamstats count as rank ] | eval clientip=if(rank>=1, clientip, "others"), rank=coalesce(rank, 11) | stats count by clientip, rank | sort by rank | table clientip, count

lookup

查看lookup

| inputlookup geo_attr_countries

使用lookup

index=main source=access | top clientip showperc=f | iplocation clientip | table clientip, count, City, Country | lookup geo_attr_countries country as Country OUTPUT iso2

index=main source=access | top clientip showperc=f | iplocation clientip | table clientip, count, Country | lookup geo_attr_countries country as Country OUTPUT continent

构建lookup

index=main source=access | top 10 clientip showperc=f | outputlookup top10clientip.csv

使用

index=main source=access | top 11 clientip showperc=f showcount=f | lookup top10clientip clientip OUTPUT count

事务

一般性事务

sourcetype=access_* | transaction JSESSIONID clientip startswith="view" endswith="purchase" | where duration>0

额外属性 duration，eventcount
maxevents: 默认最大1000条内容汇集。

卖的最快的Top10 产品

sourcetype=access_* | transaction JSESSIONID clientip startswith="view" endswith="purchase" | stats avg(duration) as du, count by productId | sort du

高级事务

最慢恢复的访问记录

sourcetype=access_* | transaction JSESSIONID clientip startswith=status>=400 endswith=status<400| search duration>5

数据集处理

untable

sourcetype=access_* | stats count, min(bytes), max(bytes) by action

X-Y1-Y2-Y3

改成三元组

sourcetype=access_* | stats count, min(bytes), max(bytes) by action | untable action, type, value

xyseries

三元组Pivot化

sourcetype=access_* | stats count, min(bytes), max(bytes) by action | untable action, type, value | xyseries action type value

stats vs chart

sourcetype=access_* | stats count by action, status | xyseries action status count

等价于

sourcetype=access_* | chart count by action, status

补齐

sourcetype=access_* | head 10 | fillnull value="Unknown" productId, itemId, xxx

可视化案例

单值图

index=_internal source="*splunkd.log" log_level="info" | timechart count

地图

index=main source=access | stats count by clientip | sort-count | head 10 | iplocation clientip | geostats count by Country latfield=lat longfield=lon

面积图

index= sourcetype=access* latest=03/28/2020:23:59:59 | timechart count(eval(method="GET")) AS GET,count(eval(method="POST")) AS POST

预测图

index=internal sourcetype="*access*" | timechart count(bytes) as traffic | streamstats sum(traffic) as total_traffic | predict total_traffic as expected_traffic algorithm=LLT future_timespan=14 | fields time, total_traffic, expected_traffic

今日昨日对比图

index=main source=access earliest="03/25/2020:00:00:00" latest="03/26/2020:00:00:00" | timechart span=1h count as pv | streamstats count as num | join [search index=main source=access earliest="03/24/2020:00:00:00" latest="03/25/2020:00:00:00" | timechart span=1h count as pv_yesterday | streamstats count as num ] | fields - num

SparklLine

index=main sourcetype="access" | chart count sparkline(count, 1h) by status

Token

index=training source=access action=$action_token$ | timechart span=1d count

完整的图表XML

<dashboard theme="light">
  <label>仪表盘汇总</label>
  <row>
    <panel>
      <title>单值图</title>
      <single>
        <search>
          <query>index=_internal source="*splunkd.log" log_level="info" | timechart count span=1d</query>
          <earliest>1620187200</earliest>
          <latest>1620576000</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">trend</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">inverse</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel>
      <title>简单单值</title>
      <single>
        <search>
          <query>index=_internal source="*splunkd.log" log_level="info" | stats count</query>
          <earliest>@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">trend</option>
        <option name="colorMode">block</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">inverse</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="trendInterval">-1h</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
    <panel>
      <title>访问PV vs 前2天</title>
      <single>
        <search>
          <query>index=_internal  source="*splunkd_access.log" earliest=-2d@d   | timechart  span=1d count</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">trend</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="rangeValues">[0,30,70,100]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">0</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">percent</option>
        <option name="trendInterval">-2d</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">0</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>地图点</title>
      <map>
        <search>
          <query>index=main source=*access* 
| stats count by clientip 
|  sort-count 
|  head 10 
|  iplocation clientip 
|  geostats count by Country latfield=lat longfield=lon</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="mapping.choroplethLayer.colorBins">5</option>
        <option name="mapping.choroplethLayer.colorMode">auto</option>
        <option name="mapping.choroplethLayer.maximumColor">0xaf575a</option>
        <option name="mapping.choroplethLayer.minimumColor">0x62b3b2</option>
        <option name="mapping.choroplethLayer.neutralPoint">0</option>
        <option name="mapping.choroplethLayer.shapeOpacity">0.75</option>
        <option name="mapping.choroplethLayer.showBorder">1</option>
        <option name="mapping.data.maxClusters">100</option>
        <option name="mapping.legend.placement">bottomright</option>
        <option name="mapping.map.center">(0,0)</option>
        <option name="mapping.map.panning">1</option>
        <option name="mapping.map.scrollZoom">0</option>
        <option name="mapping.map.zoom">2</option>
        <option name="mapping.markerLayer.markerMaxSize">50</option>
        <option name="mapping.markerLayer.markerMinSize">10</option>
        <option name="mapping.markerLayer.markerOpacity">0.8</option>
        <option name="mapping.showTiles">1</option>
        <option name="mapping.tileLayer.maxZoom">7</option>
        <option name="mapping.tileLayer.minZoom">0</option>
        <option name="mapping.tileLayer.tileOpacity">1</option>
        <option name="mapping.type">marker</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </map>
    </panel>
    <panel>
      <title>top referer</title>
      <chart>
        <search>
          <query>index="*" sourcetype=*access*
| top referer_domain
| fields referer_domain count</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Get-Post分布</title>
      <chart>
        <search>
          <query>index=* sourcetype=*access* latest=03/28/2020:23:59:59
| timechart count(eval(method="GET")) AS GET,count(eval(method="POST")) AS POST</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">area</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <title>流量累计预测</title>
      <chart>
        <search>
          <query>index=* sourcetype="*access*"
| timechart count(bytes) as traffic
| streamstats sum(traffic) as total_traffic
| predict total_traffic as expected_traffic algorithm=LLT future_timespan=14
| fields _time, total_traffic, expected_traffic</query>
          <latest>1585411200</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">top</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>今日昨日访问趋势对比</title>
      <chart>
        <search>
          <query>index="_internal" source="*splunkd_access.log" earliest="05/09/2021:00:00:00"
|  timechart span=1h count as pv 
|  streamstats count as num
|  join 
    [search index="_internal" source="*splunkd_access.log" earliest="05/08/2021:00:00:00" latest="05/09/2021:00:00:00" |  timechart span=1h count as pv_yesterday |  streamstats count as num
        ] 
|  fields - num</query>
          <latest>1585411200</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">top</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <title>Spark Line</title>
      <table>
        <search>
          <query>index=* sourcetype="*access*"
| stats count(status) as count sparkline(count) by status</query>
          <latest>1585324800</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>访问者Top8</title>
      <chart>
        <search>
          <query>index=main source=*access* 
| top 8 clientip useother=true</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>错误访问最多的5个uri的访问趋势</title>
      <chart>
        <search>
          <query>index=main source=*access* 
    [search index=main source=*access* status &gt;= 400
    |  top 5 uri_path showcount=false showperc=false] 
|  timechart span=1d count</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=main source="*access*"   | timechart span=1h dc(clientip) AS uv, count as pv</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <single>
        <search>
          <query>index=main source="*access*" | stats count as pv, distinct_count(clientip) as uv, count(eval(status&gt;=400)) as fail_pv, count(eval(action="purchase")) as purchase_pv</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="colorBy">value</option>
        <option name="colorMode">none</option>
        <option name="drilldown">none</option>
        <option name="numberPrecision">0</option>
        <option name="rangeColors">["0x006d9c","0xf1813f","0x53a051"]</option>
        <option name="rangeValues">[0,1000]</option>
        <option name="refresh.display">progressbar</option>
        <option name="showSparkline">1</option>
        <option name="showTrendIndicator">1</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="trendColorInterpretation">standard</option>
        <option name="trendDisplayMode">absolute</option>
        <option name="unitPosition">after</option>
        <option name="useColors">1</option>
        <option name="useThousandSeparators">1</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <search>
          <query>source="*access*" | stats count(eval(method="GET")) AS GET, count(eval(method="POST")) AS POST BY referer_domain</query>
          <earliest>0</earliest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=main source="*access*" 
|  timechart span=1d count as pv dc(clientip) as uv</query>
          <earliest>0</earliest>
          <latest></latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <search>
          <query>sourcetype=access_* status &gt; 200
|  eval bytes2=bytes%3, other=round(other/100, 0)
|  head 10  | stats avg(bytes) by action, status, bytes2</query>
          <earliest>0</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bubble</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</dashboard>

联动XML

<form theme="light">
  <label>表单</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="sourcetype_tok">
      <label>类型</label>
      <fieldForLabel>sourcetype</fieldForLabel>
      <fieldForValue>sourcetype</fieldForValue>
      <search>
        <query>index=_internal 
          | dedup sourcetype</query>
        <earliest>0</earliest>
        <latest></latest>
      </search>
    </input>
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index = _internal sourcetype=$sourcetype_tok$
            | timechart count by sourcetype</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <single>
        <title></title>
        <search>
          <query>index=_internal sourcetype=$sourcetype_tok$
            | stats count as sourcetype</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Pan and Zoom (All source types)</title>
        <search>
          <query>index=_internal | timechart count by sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <selection>
          <set token="selection_earliest">$start$</set>
          <set token="selection_latest">$end$</set>
          <set token="start_splunk_web_access">$start.splunk_web_access$</set>
          <set token="end_splunk_web_access">$end.splunk_web_access$</set>
        </selection>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Pan and Zoom (Web access source type)</title>
        <search>
          <query>
            index=_internal sourcetype=splunk_web_access
            |  timechart count by sourcetype
          </query>
          <earliest>$selection_earliest$</earliest>
          <latest>$selection_latest$</latest>
        </search>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <html>
        <h3>Token values for the splunk_web_access selection</h3>        
        <table border="0" cellpadding="12" cellspacing="0">
          <tr>
            <td>
              <p>
                <b>Time range (epoch time)</b>
              </p>
              <p>
                <b>$$selection_earliest$$</b>: $selection_earliest$
                <br/>
                <b>$$selection_latest$$</b>: $selection_latest$</p>
            </td>
            <td>
              <p>
                <b>Count at the begining and end of time range.</b>
              </p>
              <p>
                <b>$$start_splunk_web_access$$</b>: $start_splunk_web_access$
                <br/>
                <b>$$end_splunk_web_access$$</b>: $end_splunk_web_access$</p>
            </td>
          </tr>
        </table>      
      </html>
    </panel>
  </row>
</form>

小涛 - Splunk

Splunk ①

搜索剖析

基础

词汇大小写不敏感

关键字大小写敏感

字符串括起来

字符串括起来

错误

正确

字段判断

字段名大小写敏感

字段存在

字段不存在

字段值不为空

字段值为空

搜索基础

多个关键搜索

A B vs B A

“A B” vs “B A”

A B vs A OR B

通配符匹配

匹配0到多个字符

表达式评估

字段类型

【反直觉】NOT vs !=

!=必须存在

NOT必须存在

特例（判断字段存在）

Search vs. Where

搜索2个字段值相同

宽(-)字符匹配特殊字符

排序

最近发生的前10条错误日志

最早发生的前10条错误日志

字段类型排序

分词

分词符

双引号

主副分词符

主分词符不讲究顺序

副分词符，都可以搜出来

精准副词搜索

搜索时间

绝对时间（左闭右开）

某一秒（03/28/2020:18:20:54）发生的事件

相对时间

相对时间对齐

三周前的工作日的事件

上一个小时的日志

昨天的日志总数

评估函数

计算新字段

传输的KB大小

与统计字段结合使用

统计状态是404错误的日志类型

字段值拼接

依赖

复杂组合计算

Splunk②

子查询

访问最多的客户端的事件

错误访问最多的5个uri的访问趋势

全文匹配

包含访问最多文件名文本的所有事件

嵌套

找出出错最多的客户端IP或URL，获得他们的所有事件

Top20产品的前5个买手的购买时间规律

买的最多的买家，他去对卖的最多的产品的访问日志

买的最多的买家的访问日志（但是排除掉 卖的最多的这个产品）

统计表格

stats

一维多列

统计PV、UV

二维多列

统计各个网站Refere站点的GET/Post数量

带图

购买统计与趋势

timechart

统计每日UV访问趋势

买的最多的买家的访问日志（但是排除掉卖的最多的这个产品）