• Splunk Fundamentals 2 – Lab Exercises


    1. Lab Exercise 2 – Beyond Search Fundamentals

      1.1 Search: index=web sourcetype=access_combined
    | table clientip action status

    2. Lab Exercise 3 – Commands for Visualizations

      2.1 Search: index=security sourcetype=linux_secure vendor_action=failed

      2.2 Search: sourcetype=linux_secure vendor_action=failed
    | chart count over vendor_action by src_ip # chart the count of each action, split by source IP

      2.3 Search: index=security sourcetype=linux_secure vendor_action=failed
    | chart count over vendor_action by src_ip useother=f # drop the OTHER column

      2.4 Search: index=sales sourcetype=vendor_sales VendorID<4000

      2.5 Search: index=sales sourcetype=vendor_sales VendorID<4000
    | chart count over VendorCountry

      2.6 Search: index=sales sourcetype=vendor_sales VendorID<4000
    | chart count over VendorCountry by product_name

      2.7 Search: index=sales sourcetype=vendor_sales VendorID<4000
    | chart count over VendorCountry by product_name limit=5 # keep only the top 5

      2.8 Search: index=sales sourcetype=vendor_sales VendorID<4000
    | chart count over VendorCountry by product_name limit=5 useother=f # drop the OTHER column

      2.9 Search: index=network sourcetype=cisco_wsa_squid
    | timechart count by usage

      2.10 Search: (index=web sourcetype=access_combined action=purchase status=200)

      2.11 Search: (index=web sourcetype=access_combined action=purchase status=200) OR (index=sales
    sourcetype=vendor_sales)

      2.12 Search: (index=web sourcetype=access_combined action=purchase status=200) OR (index=sales
    sourcetype=vendor_sales)
    | timechart span=1h count by sourcetype

      2.13 Search: (index=web sourcetype=access_combined action=purchase status=200) OR (index=sales
    sourcetype=vendor_sales)
    | timechart span=1h count by sourcetype
    | rename access_combined as webSales, vendor_sales as retailSales

    3. Lab Exercise 4 – Advanced Visualizations

      3.1 Search: index=security sourcetype=linux_secure fail*

      3.2 Search: index=security sourcetype=linux_secure fail*
    | timechart span=1d count as failures

      3.3 Search: index=security sourcetype=linux_secure fail*
    | timechart span=1d count as failures
    | trendline sma2(failures) as trend

      3.4 Search: index=sales sourcetype=vendor_sales categoryId="STRATEGY"

      3.5 Search: index=sales sourcetype=vendor_sales categoryId="STRATEGY"
    | timechart span=1d count

      3.6 Search: index=sales sourcetype=vendor_sales VendorID<3000

      3.7 Search: index=sales sourcetype=vendor_sales VendorID<3000
    | chart count by VendorStateProvince
    | geom geo_us_states featureIdField=VendorStateProvince

      3.8 Search: index=web sourcetype=access_combined action=purchase status=200

      3.9 Search: index=web sourcetype=access_combined action=purchase status=200
    | iplocation clientip

      3.10 Search: index=web sourcetype=access_combined action=purchase status=200
    | iplocation clientip
    | geostats count by clientip

      3.11 Search: index=sales sourcetype=vendor_sales
    | stats count as "Units Sold" by VendorCountry

      3.12 Search: index=sales sourcetype=vendor_sales
    | stats count as "Units Sold" by VendorCountry
    | addtotals col=t row=f labelfield="VendorCountry"

    4. Lab Exercise 5 – Filtering and Formatting Data

      4.1 Search: index=web sourcetype=access_combined

      4.2 Search: index=web sourcetype=access_combined
    | timechart sum(bytes) as bytes

      4.3 Search: sourcetype=access_combined
    | timechart sum(bytes) as bytes
    | eval megabytes=bytes/(1024*1024)

      4.4 Search: index=web sourcetype=access_combined
    | timechart sum(bytes) as bytes
    | eval megabytes=round(bytes/(1024*1024),2)

      4.5 Search: index=web sourcetype=access_combined
    | timechart sum(bytes) as bytes
    | eval megabytes=round(bytes/(1024*1024),2)
    | fields - bytes

      4.6 Search: index=web sourcetype=access_combined

      4.7 Search: index=web sourcetype=access_combined
    | chart count over host by method

      4.8 Search: index=web sourcetype=access_combined
    | chart count over host by method
    | eval Ratio=GET/POST

      4.9 Search: index=web sourcetype=access_combined
    | chart count over host by method
    | eval Ratio=round(GET/POST,2)

      4.10 Search: index=security sourcetype=linux_secure fail*

      4.11 Search: index=security sourcetype=linux_secure fail*
    | stats count by user

      4.12 Search: index=security sourcetype=linux_secure fail*
    | stats count by user
    | search count>3
    | sort -count

      4.13 Search: index=network sourcetype=cisco_wsa_squid

      4.14 Search: index=network sourcetype=cisco_wsa_squid
    | stats count by http_content_type

      4.15 Search: index=network sourcetype=cisco_wsa_squid
    | stats count by http_content_type
    | eval type=if(http_content_type LIKE "image%","graphic","other")

      4.16 Search: index=network sourcetype=cisco_wsa_squid
    | stats count by http_content_type
    | eval type=if(http_content_type LIKE "image%","graphic","other")
    | stats sum(count) as total by type

      4.17 Search: (index=web sourcetype=access* action=purchase status=200) OR (index=sales
    sourcetype=vendor_sales)

      4.18 Search: (index=web sourcetype=access* action=purchase status=200) OR (index=sales
    sourcetype=vendor_sales)
    | chart count(productId) as Count over product_name by sourcetype

      4.19 Search: (index=web sourcetype=access* action=purchase status=200) OR (index=sales
    sourcetype=vendor_sales)
    | chart count(productId) as Count over product_name by sourcetype
    | where access_combined > vendor_sales*2

      4.20 Search: (index=web sourcetype=access* action=purchase status=200) OR (index=sales
    sourcetype=vendor_sales)
    | chart count(productId) as Count over product_name by sourcetype
    | search access_combined > vendor_sales*2 # no results: search compares a field to a literal, not to another field; use where
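The failed-login searches in 2.1–2.3 and 4.10–4.12 count failures per user or per source. As an added example, not part of the lab, the following SPL pivots on the source address and adds the context an analyst wants before acting on the count: how many distinct accounts were tried, which ones, and over what time window. The field names (`src_ip`, `user`, `vendor_action`) are the ones the lab's linux_secure data uses; the thresholds in the `where` clause are illustrative and should be tuned to the environment.

```spl
index=security sourcetype=linux_secure vendor_action=failed
| stats count AS failures, dc(user) AS distinct_users, values(user) AS users_tried,
        min(_time) AS first_seen, max(_time) AS last_seen BY src_ip
| eval window_minutes=round((last_seen-first_seen)/60,1)
| eval first_seen=strftime(first_seen,"%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen,"%Y-%m-%d %H:%M:%S")
| where failures>3 OR distinct_users>3
| sort -failures
| table src_ip, failures, distinct_users, users_tried, first_seen, last_seen, window_minutes
```

Splitting by `src_ip` rather than `user` separates one account with a forgotten password (many failures, one user) from a source cycling through many accounts (few failures each, many distinct users); the second pattern is the one that `stats count by user | search count>3` in 4.12 misses, because no single user crosses the threshold.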

    5. Lab Exercise 6 – Correlating Events

      5.1 Search: index=web sourcetype=access_combined

      5.2 Search: index=web sourcetype=access_combined
    | table _time, clientip, JSESSIONID, action

      5.3 Search: index=web sourcetype=access_combined action=*
    | table _time, clientip, JSESSIONID, action

      5.4 Search: index=web sourcetype=access_combined action=*
    | transaction JSESSIONID

      5.5 Search: index=web sourcetype=access_combined action=*
    | transaction JSESSIONID
    | table JSESSIONID, clientip, action

      5.6 Search: index=web sourcetype=access_combined action=*
    | transaction JSESSIONID
    | table JSESSIONID, clientip, action
    | search action=purchase

      5.7 Search: index=web sourcetype=access_combined action=*
    | transaction JSESSIONID
    | table JSESSIONID, clientip, duration, eventcount, action
    | search action=purchase

      5.8 Search: index=web sourcetype=access_combined action=*
    | transaction JSESSIONID
    | table JSESSIONID, clientip, duration, eventcount, action
    | search action=purchase
    | eval durationMinutes=round(duration/60,1)

      5.9 Search: index=web sourcetype=access_combined action=*
    | transaction JSESSIONID
    | search action=purchase
    | eval durationMinutes=round(duration/60,1)
    | table JSESSIONID, clientip, action, durationMinutes, eventcount
    | where durationMinutes > 1

      5.10 Search: index=web sourcetype=access_combined
    | transaction clientip

      5.11 Search: index=web sourcetype=access_combined
    | transaction clientip startswith=action="addtocart" endswith=action="purchase"

      5.12 Search: index=web sourcetype=access_combined
    | transaction clientip startswith=action="addtocart" endswith=action="purchase"
    | table clientip, JSESSIONID, product_name, action, duration, eventcount, price

      5.13 Search: (index=web sourcetype=access_combined) OR (index=network sourcetype=cisco_wsa_squid) status>399
    | fields sourcetype status

      5.14 Search: (index=web sourcetype=access_combined) OR (index=network sourcetype=cisco_wsa_squid) status>399
    | fields sourcetype status
    | transaction status maxspan=5m

      5.15 Search: (index=web sourcetype=access_combined) OR (index=network sourcetype=cisco_wsa_squid) status>399
    | fields sourcetype status
    | transaction status maxspan=5m
    | search sourcetype=access_combined AND sourcetype=cisco_wsa_squid

      5.16 Search: (index=network sourcetype=cisco_wsa_squid) OR
    (index=web sourcetype=access_combined) status>399
    | fields sourcetype, status
    | transaction status maxspan=5m
    | search sourcetype=access_combined AND sourcetype=cisco_wsa_squid
    | timechart count by status

      5.17 Search: (index=network sourcetype=cisco_wsa_squid) OR
    (index=web sourcetype=access_combined) status>399
    | fields sourcetype, status
    | transaction status maxspan=5m
    | search sourcetype=access_combined AND sourcetype=cisco_wsa_squid
    | timechart count by status
    | addtotals
    | search Total>4
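The transaction searches in 5.4–5.9 derive `duration` and `eventcount` for each JSESSIONID. As an added example (not from the lab), the same result computed with stats instead of transaction: `duration` is the gap between the first and last event of the session and `eventcount` is the event count, which is exactly what transaction reports, but stats runs distributed on the indexers and does not have to hold every open session in memory on the search head. It assumes the same access_combined fields the lab uses.

```spl
index=web sourcetype=access_combined action=*
| stats min(_time) AS start, max(_time) AS end, count AS eventcount,
        values(clientip) AS clientip, values(action) AS actions BY JSESSIONID
| eval duration=end-start, durationMinutes=round(duration/60,1)
| search actions=purchase
| where durationMinutes>1
| table JSESSIONID, clientip, actions, durationMinutes, eventcount
```

Two differences matter when switching. `transaction` turns `action` into a multivalue field, and `values(action)` does the same here, so `search actions=purchase` matches a session that contains a purchase anywhere, as in 5.6. What stats does not give you is `maxspan`/`maxpause` or `startswith`/`endswith` (5.11, 5.14): it groups everything with the same JSESSIONID over the whole search window, so when session boundaries matter, transaction is still the right tool.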

    6. Lab Exercise 8: Field Extractions

      6.1 Search for all events in the last 24 hours for the linux_secure sourcetype that contain the keyword port.
    index=security sourcetype=linux_secure port

      6.2 Wait for about 30 seconds, then search for events in the linux_secure sourcetype in the last 24 hours.
    List the top ports by IP address.
    index=security sourcetype=linux_secure
    | top port by src

      6.3 Search for all events in the last 30 days for the SimCubeBeta sourcetype in the games index.

    7. Lab Exercise 11: Creating and Using Macros

      7.1 Using the stats command, create a table showing the total retail sales for each product sold in Europe
    (combining sales from Germany, France, and Italy) over the last 30 days and rename the total sales
    column as USD.
    index=sales sourcetype=vendor_sales VendorCountry=Germany OR VendorCountry=France OR VendorCountry=Italy
    | stats sum(price) as USD by product_name

      7.2 Using the eval command, convert the numeric values in the total sales column to strings and concatenate
    them with a $ sign.
    index=sales sourcetype=vendor_sales VendorCountry=Germany OR VendorCountry=France OR VendorCountry=Italy
    | stats sum(price) as USD by product_name
    | eval USD="$"+tostring(USD,"commas")

      7.3 Run the following search to determine total sales for each product from vendors in Europe in the last 30
    days:
    sourcetype=vendor_sales VendorCountry=Germany OR VendorCountry=France OR VendorCountry=Italy
    | stats sum(price) as USD by product_name
    | eval euro="€"+tostring(round(USD*0.79,2),"commas"), USD="$"+tostring(USD,"commas")

      7.4 To make things easy for the user, the currency, currency symbol and exchange rate are arguments. Enter
    the following search string as the macro definition (the arguments are enclosed in $ signs):
    stats sum(price) as USD by product_name
    | eval $currency$="$symbol$".tostring(round(USD*$rate$,2),"commas"), USD="$"+tostring(USD,"commas")

      7.5 Perform a search for sourcetype=vendor_sales where the VendorCountry is Germany, France, or
    Italy. Use the macro and pass the arguments euro, €, and 0.79 for results in the last 30 days.
    Hint: `convert_sales(currency,symbol,rate)`
    index=sales sourcetype=vendor_sales VendorCountry=Germany OR VendorCountry=France OR VendorCountry=Italy
    | `convert_sales(euro,€,.79)`
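Exercise 7.4 gives the macro body but not the file it is stored in. As an added example, not the lab's own file, this is the macros.conf stanza that defines `convert_sales` with three arguments; the stanza name carries the argument count, `args` names them in the order the caller passes them, and `definition` is the lab's search string. The `validation` and `errormsg` settings are an addition beyond the lab: they reject a call whose rate is not a positive number before the search runs, so a typo such as `convert_sales(euro,€,0,79)` produces an error instead of a silently wrong column.

```ini
# macros.conf (added example, not part of the lab; place it in an app's local/ directory)
[convert_sales(3)]
args = currency,symbol,rate
definition = stats sum(price) as USD by product_name | eval $currency$="$symbol$".tostring(round(USD*$rate$,2),"commas"), USD="$"+tostring(USD,"commas")
validation = isnum(rate) AND rate>0
errormsg = rate must be a positive number
```

Arguments reach the definition by plain text substitution, which is why 7.5 can pass `€` and `.79` unquoted; it is also why the macro's permissions matter: whoever can edit this stanza changes the result of every search and dashboard that calls it, so keep write access to the app limited to the people who own the macro.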

  • Original URL: https://www.cnblogs.com/fumy/p/11727681.html