Difference between revisions of "Splunk"
(Created page with "= Splunk forwarder = Setup splunk-forwarder agent on Linux <source lang=bash> ./splunk set deploy-poll splunk.acme.com:8089 ./splunk show deploy-poll ./splunk enable listen...") |
(2 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
Setup splunk-forwarder agent on Linux | Setup splunk-forwarder agent on Linux | ||
<source lang=bash> | <source lang=bash> | ||
./splunk set deploy-poll splunk.acme.com:8089 | cd /opt/splunkforwarder/bin/ | ||
./splunk add forward-server splunk.acme.com:9997 --accept-license --no-prompt -auth admin:changeme | |||
./splunk list forward-server | |||
./splunk set deploy-poll splunk.acme.com:8089 | |||
./splunk show deploy-poll | ./splunk show deploy-poll | ||
./splunk enable listen 9997 | ./splunk enable listen 9997 | ||
Line 10: | Line 13: | ||
./splunk set default-hostname <serverName|hostname> | ./splunk set default-hostname <serverName|hostname> | ||
./splunk show default-hostname | ./splunk show default-hostname | ||
./splunk enable boot-start | ./splunk enable boot-start | ||
</source> | |||
= Splunk search = | |||
Parse and visualize IIS access logs | |||
<source lang=bash> | |||
# Example regex to process standard IIS logs would look like, saved on "Extract Fields" page | |||
^(?:[^:\n]*:){2}\d+\s+(?P<server_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<request_type>[^ ]+)\s+(?P<path>[^ ]+)(?:[^ \n]* ){2}(?P<port>\d+)\s+\-\s+(?P<source_ip>[^ ]+)(?:[^ \n]* ){3}(?P<response_code>\d+)\s+(\d+\s+)+(?P<response_time>.+) | |||
# Show response times greater than 2 seconds duration | |||
index="iis_access_logs" host="frontend-app-*-test"| where ResponseTime >2000 | timechart span=1m count | |||
# | timechart function allows to visualise the results | |||
# Count Response Codes | |||
index="iis_access_logs" host="frontend-app-*-test"| timechart span=10m count by ResponseCode limit=10 | |||
index="iis_access_logs" host="frontend-app-*-test"| timechart span=10m count by server_ip limit=10 | |||
# | fields ResponseCode, server_ip can be previewed on Extract Fields page | |||
# Maximum and average response times | |||
index="iis_access_logs" host="frontend-app-*-test"| bucket span=10s _time | streamstats time_window=60s avg(ResponseTime) | chart max(ResponseTime) avg(ResponseTime) over _time | |||
</source> | </source> |
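Review bot: The `add forward-server` line in the first hunk (Line 2) passes `-auth admin:changeme` inline, which is Splunk's well-known factory default credential, and any password given on the command line also lands in shell history and is visible to other local users through the process list. The page should not show the default pair at all: use a placeholder in the style the page already uses for hostnames, `./splunk add forward-server splunk.acme.com:9997 --accept-license --no-prompt -auth <admin_user>:<password>`, and add a comment that the default password must be changed before the forwarder is enrolled. Omitting `-auth` so the CLI prompts for credentials would presumably avoid the history and process-list exposure as well, though whether `--no-prompt` also suppresses that prompt should be checked before documenting it. The `<source>` block these lines belong to opens before the first hunk, so the section header itself is not shown here.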
Latest revision as of 17:56, 15 July 2021
Splunk forwarder
Set up the splunk-forwarder agent on Linux
cd /opt/splunkforwarder/bin/ ./splunk add forward-server splunk.acme.com:9997 --accept-license --no-prompt -auth admin:changeme ./splunk list forward-server ./splunk set deploy-poll splunk.acme.com:8089 ./splunk show deploy-poll ./splunk enable listen 9997 ./splunk display listen ./splunk set servername <serverName|hostname> ./splunk show servername ./splunk set default-hostname <serverName|hostname> ./splunk show default-hostname ./splunk enable boot-start
Splunk search
Parse and visualize IIS access logs
# Example regex to process standard IIS logs would look like, saved on "Extract Fields" page
# Named capture groups produced: server_ip, request_type, path, port, source_ip,
# response_code, response_time.
# NOTE(review): the searches below filter on ResponseTime / ResponseCode, while this
# regex names the groups response_time / response_code — confirm the Extract Fields
# page renames them (or align the names), otherwise the `where` filter matches nothing.
^(?:[^:\n]*:){2}\d+\s+(?P<server_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<request_type>[^ ]+)\s+(?P<path>[^ ]+)(?:[^ \n]* ){2}(?P<port>\d+)\s+\-\s+(?P<source_ip>[^ ]+)(?:[^ \n]* ){3}(?P<response_code>\d+)\s+(\d+\s+)+(?P<response_time>.+)
# Show response times greater than 2 seconds duration
# (threshold is 2000, so the field is presumably in milliseconds — verify against the source logs)
index="iis_access_logs" host="frontend-app-*-test"| where ResponseTime >2000 | timechart span=1m count
# | timechart function allows to visualise the results as a per-interval time series
# Count Response Codes
# limit=10 keeps the ten most frequent values of the split-by field; the rest are grouped
index="iis_access_logs" host="frontend-app-*-test"| timechart span=10m count by ResponseCode limit=10
index="iis_access_logs" host="frontend-app-*-test"| timechart span=10m count by server_ip limit=10
# | fields ResponseCode, server_ip can be previewed on Extract Fields page
# Maximum and average response times
# Events are bucketed into 10s slots, a rolling 60s average is computed, then max and avg are charted per slot
index="iis_access_logs" host="frontend-app-*-test"| bucket span=10s _time | streamstats time_window=60s avg(ResponseTime) | chart max(ResponseTime) avg(ResponseTime) over _time