Splunk Fundamentals 1 Lab Exercises

换工作到新公司了，上级安排的第一个任务就是到splunk官网看视频学习，以下是一些记录笔记。

splunk官网登录url：https://www.splunk.com/page/sign_up

1、lab3

　　1.1、直接到官网下载好安装包后，放到/opt 目录下，解压缩。

　　1.2、启动splunk：切换到splunk的bin目录下，然后sudo ./splunk start –-accept-license启动。

2、lab4 -ingesting data

　　2.1、下载文件：http://splk.it/f1data

　　2.2、依次上传acc、db_audit、linux三个文件

3、lab5 -searching

　　3.1、搜索：error OR fail*

　　3.2、搜索：fail* AND password"port 22"

　　3.2、更改"JOB"menu，将读写权限改为everyone，时间改为7days

4、lab6 -using field in searches

　　4.1、搜索：index=main sourcetype=access_combined_wcookie action=purchase 所有时间

5、lab8 -Basic commands

　　5.1、搜索：host= web_application action=purchase status=200

　　5.2、搜索：host=web_application action=purchase status=200 file=success.do

　　5.3、搜索：host=web_application action=purchase status=200 file=success.do
|fields action,JSESSIONID,status

　　5.4、搜索：host=web_application action=purchase status=200 file=success.do
|table JSESSIONID,action,status

　　5.5、搜索：host=web_application action=purchase status=200 file=success.do
| table JSESSIONID,action,status
|rename JSESSIONID AS "user sessions"

　　5.6、搜索：host=web_application action=purchase status=200 file=success.do
| table JSESSIONID,action,status
| rename JSESSIONID AS "user sessions"
|sort "user sessions"

　　5.7、搜索：host=web_application action=purchase status=200 file=success.do
| table JSESSIONID action status
| rename JSESSIONID AS "user sessions"
|dedup "user sessions"

　　5.8、搜索：host=web_application action=purchase status=200 file=success.do
| table JSESSIONID
| rename JSESSIONID AS "user sessions"
|dedup "user sessions"

　　5.9、搜索：index=main sourcetype=access_combined_wcookie action=purchase status=200

　　5.11、搜索：index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do

　　5.12、搜索：index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
|fields action JSESSIONID status

　　5.13、搜索：index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
|table action JSESSIONID status

　　5.14、搜索：index=main
sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | table JSESSIONID,
action, status

　　5.13、搜索：index=main sourcetype=access_combined_wcookie action=purchase
status=200 file=success.do | table JSESSIONID, action, status | rename JSESSIONID as UserSessions

　　5.14、搜素：index=main sourcetype=access_combined_wcookie
action=purchase status=200 file=success.do | table JSESSIONID, action, status | rename JSESSIONID as
UserSessions | sort UserSessions

　　5.15、搜索：index=main
sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | dedup
JSESSIONID | table JSESSIONID, action, status | rename JSESSIONID as UserSessions

　　5.16、搜索：index=main
sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | dedup
JSESSIONID | table JSESSIONID | rename JSESSIONID as UserSessions

6、lab9 -Transforming Commands

　　6.1、搜索：index=main sourcetype=access_combined_wcookie file=success.do

　　6.2、

Splunk Fundamentals 1 Lab Exercises

原文：https://www.cnblogs.com/fumy/p/11686612.html