AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |
Back to Blog
Splunk stats avg7/30/2023 ![]() Kubernetes rollout history and rollback.Splunk _internal call /services/authentication/users/john.smith -method DELETE Splunk _internal call /services/authentication/users -get:search john.smith ![]() To list splunk _internal call /services/authentication/roles -get:search indexes_edit Splunk _internal call /authentication/providers/services/_reload -auth admin:changeme To reload authentication config from command line: # At least for Splunk 6.x ![]() Splunk _internal call /servicesNS/nobody/search/data/inputs/tcp/raw/7092 -post:sourcetype bar -post:index bardata Splunk _internal call /data/inputs/tcp/raw -get:search sourcetype=foo Inputs splunk _internal call /data/inputs/tcp/raw To check configuration syntax $SPLUNK_HOME/bin/splunk btool check To list effective configuration $SPLUNK_HOME/bin/splunk btool inputs list The same can be achieved non-persistent and on-the-fly in the “System Permanently edit /opt/splunk/etc/log.cfg and change the trace level from You can enable traces per trace topic listed in splunkd.log. Load base URL with appended /debug/refresh Index=_internal metrics kb series!=_* "group=per_index_thruput" monthsago=1 | eval indexed_mb = kb / 1024 | timechart fixedrange=t span=1d sum(indexed_mb) by series | rename sum(indexed_mb) as totalmb MB per day per indexer / index index=_internal metrics kb series!=_* "group=per_host_thruput" monthsago=1 | eval indexed_mb = kb / 1024 | timechart fixedrange=t span=1d sum(indexed_mb) by series | rename sum(indexed_mb) as totalmb To query write amount of per index the metrics.log can be used: index=_internal source=*metrics.log group=per_index_thruput series=* | eval MB = round(kb/1024,2) | timechart sum(MB) as MB by series On the command line you can call $SPLUNK_HOME/bin/splunk list index | REST /services/data/indexes | table title splunk_server currentDBSizeMB frozenTimePeriodInSecs maxTime minTime totalEventCount | REST /services/data/indexes | table title | eventcount summarize=false report_size=true index=* | eval size_MB = round(size_bytes/1024/1024,2) List All Indices | eventcount summarize=false index=* | dedup index | fields index | table _time,, name | timechart span=1d sum() by name | sendemail a timechart from a single field that should be summed up. Source="/var/log/nginx/access.log" | head 1000 | top 50 methodīy appending “sendemail” to any query you get the result by mail!. Source="/var/log/nginx/access.log" | head 1000 | top 50 uri Source="/var/log/nginx/access.log" | head 1000 | top 50 referer Source="/var/log/nginx/access.log" | head 1000 | top 50 clientip Source="/var/log/nginx/access.log" status=404 | sort - uri Source="/var/log/nginx/access.log" HTTP (200 or 30*) Like: source="/var/log/nginx/access.log" HTTP 500 Splunk usually auto-detects access.log fields so you can do queries The p10()Īnd p90() functions are returning the 10 and 90 percentiles: | eval raw_len=len(_raw) | stats avg(raw_len), p10(raw_len), p90(raw_len) by sourcetype | stats sum() as result | eval result=(result/1000)ĭetermine the size of log events by checking len() of _raw. ![]() Makes sense once you want to filter for a specific field. To source="some.log" | regex _raw=".*Fatal.*"Īnd get the same result. Actually you can rephrase source="some.log" Fatal Should have an entry “FIELDNAME” listing you the top 10 fatal messagesįrom “some.log” What is the difference to “regex” now? Well “regex” is When running above query check the list of “interesting fields” it now This is why you need to specifiyĪ named extraction group in Perl like manner “(?…)” for example source="some.log" Fatal | rex "(?i) msg=(?P+)" Two important filters are “rex” and “regex”. Give me all fatal errors from syslog of the blog hostĪccess a specific index and text matching ‘password’ Host="myblog" source="/var/log/syslog" Fatal Source="/var/log/apache/access.log" status=500Īll lines where the field “status” has value 500 from the file /var/log/apache/access.log Note that there are literals withĪnd without quoting and that there are data field as well as date source selections Simple searches look like the following examples. Splunk SPL Syntax Basic Searching Concepts
0 Comments
Read More
Leave a Reply. |