Splunk Administrator Manual, version 4.0 · Splunk architecture and installation contents · Processes
Administration Manual, Splunk Enterprise...
Splunk Enterprise 7.0.0
2017/09/15 429
Copyright (c) 2017 Splunk Inc. All Rights Reserved
Table of Contents
Splunk Splunk Windows Splunk Free *nix Windows Splunk Splunk
Windows Splunk Enterpr ise Windows Splunk Enterpr ise Windows Splunk Splunk Splunk Splunk
Splunk Web Splunk Enterpr ise Splunk Web Splunk Enterpr ise Splunk Web Splunk Web Splunk Enterprise Splunk Web
Splunk Enterpr ise Splunk Enterpr ise props.conf Splunk Enterprise Splunk
(CLI) Splunk (CLI) SplunkEnterpr ise Enterpr ise
CLI CLI CLI CLI Splunk Enterprise CLI
Splunk Enterpr ise Splunk Enterpr ise Splunk Enterprise Splunk Splunk IP Splunk IPv6
Splunk Splunk Splunk Enterprise Splunk CLI
Splunk Splunk
Splunk Enterprise
App App App KV KV KV
Splunk Apps Splunk Apps App AppApp Splunk Web App App App App App
Splunk Enterpr ise Splunk Enterpr ise Splunkd Proxy Splunkd HTTP splunkd HTTP Splunkd HTTP Splunk Web
Splunk AMI Splunk AMI Splunk Enterprise AMI
alert_actions.conf
app.conf
audit.conf
authentication.conf
authorize.conf
checklist.conf
collections.conf
commands.conf
datamodels.conf
datatypesbnf.conf
default.meta.conf
default-mode.conf
deployment.conf
deploymentclient.conf
distsearch.conf
eventdiscoverer.conf
event_renderers.conf
eventtypes.conf
fields.conf
indexes.conf
inputs.conf
instance.cfg.conf
limits.conf
literals.conf
macros.conf
messages.conf
multikv.conf
outputs.conf
passwords.conf
procmon-filters.conf
props.conf
pubsub.conf
restmap.conf
savedsearches.conf
searchbnf.conf
segmenters.conf
server.conf
serverclass.conf
serverclass.seed.xml.conf
setup.xml.conf
source-classifier.conf
sourcetypes.conf
splunk-launch.conf
tags.conf
telemetry.conf
times.conf
transactiontypes.conf
transforms.conf
ui-prefs.conf
ui-tour.conf
user-prefs.conf
user-seed.conf
viewstates.conf
visualizations.conf
web.conf
wmi.conf
workflow_actions.conf
Splunk Enterprise Splunk Enterprise
Splunk Windows *nix
Windows *nix OS
/Splunk
Splunk Splunk
Splunk Splunk
Splunk Splunk IP Splunk
Splunk Web Splunk Web Splunk Splunk
Splunk Web Splunk Splunk Web
Splunk Splunk
/
Splunk Splunk (CLI) (CLI) Splunk Splunk
Splunk CLI
Windows Windows Splunk Splunk
Splunk Windows Windows
Splunk Splunk
Splunk Splunk
Splunk Apps Splunk Apps Splunk Apps Splunk Splunk Apps
Splunk Enterprise
Splunk Splunk
Splunk Splunk ()
Splunk Enterprise
Installation ManualSplunk Enterprise
Splunk Windows Splunk Enterprise UnixLinux MacOS SplunkEnterprise
Splunk Enterprise
Splunk
Windows Windows
Splunk Splunk
Splunk
Splunk
Splunk
Splunk
Splunk Enterprise
Splunk Splunk Enterprise
SSL
Splunk
Splunk (SSO)
Splunk LDAP LDAP
Splunk Splunk
Splunk
Splunk
Splunk Splunk
Splunk Splunk
Splunk Splunk
REST API REST API
CLI Splunk Enterprise CLI
Splunk
Splunk Splunk
Splunk Enterprise 1 Splunk Enterprise
Splunk Enterprise Splunk Splunk Enterprise
Splunk
Splunk Splunk
Splunk
Splunk Splunk
Splunk
Splunk Splunk
Splunk
Splunk Splunk
SSL SSL
SplunkSplunkEnterprise Enterprise
Splunk Enterprise
Splunk Splunk
Splunk
Splunk
Splunk Splunk
Splunk Enterprise Splunk Enterprise
: Splunk Splunk Splunk Splunk : Splunk Splunk Splunk Web App Splunk Web App : XML App Splunk REST API REST API REST API
Splunk Splunk
Splunk EnterpriseSplunk EnterpriseSplunk Enterprise
App Splunk Splunk Splunk
PDF
PDF [Download the Admin Manual as PDF]
Windows Windows
Splunk Windows Windows Windows App
(Windows ) (Windows )
Splunk
Windows *nix Windows *nix Windows *nix Splunk
Windows Splunk Windows Splunk
Windows Splunk Windows Splunk Windows Splunk
Splunk Splunk Windows Splunk
Splunk Splunk Splunk Windows Splunk Splunk
Splunk Windows
Windows Splunk ()Splunk () Windows () ()
()Splunk (CLI) () () () () () ()
Splunk
Splunk
Splunk Wiki, Splunk IRC (EFNet #splunk) (IRC)
Splunk
Enterprise
Splunk Free Splunk Free
Splunk Free Splunk 500 MB/
500 MB 1 () 1 500 MB 10 TB Splunk Enterprise
500 MB/Enterprise Splunk
Splunk Free 30 500 MB/ 4Splunk Free 30 3
Splunk Free
Splunk Free IT (500 MB/) Splunk Free Splunk Free 30 3
Splunk Free
Splunk Free Splunk Enterprise
() TCP/HTTP Splunk Splunk () Splunk Free (Splunk Enterprise ) Splunk Free /
Splunk Free / 1 index=*Splunk Free
Enterprise Free
Splunk Enterprise Enterprise Free
Free Free
Splunk Enterprise trial Splunk Free
() Splunk Free
Splunk Web App App
Splunk Splunk outputs.conf TCP HTTP
Enterprise Splunk Web Splunk Free
Splunk Free
Splunk Enterprise Free Free
1. Splunk Web [] > []
2. []
3. [Free] []
4.
*nix Windows Splunk
*nix Windows Splunk OS OS Splunk
*nix *nix (/) Windows (\)
*nix
/opt/splunk/bin/splunkd
Windows
C:\Program Files\Splunk\bin\splunkd.exe
1 *nix ($)
# export SPLUNK_HOME=/opt/splunk
Windows (%) 1 2
> set SPLUNK_HOME="C:\Program Files\Splunk"
> echo %SPLUNK_HOME%
C:\Program Files\Splunk
>
Windows %SPLUNK_HOME% 2
%SPLUNK_HOME%\etc splunk-launch.conf
[] [] [] [] [] []
Splunk Enterprise ASCII/UTF-8 Windows UTF-8 Windows
Splunk Splunk
Splunk Splunk
Splunk Web Splunk (CLI) Splunk Splunk REST API App
Splunk Web Splunk Web
Splunk Web Splunk Web 8000
Splunk Splunk Web URL http://localhost:8000Splunk Splunk Web URL http://:8000 Splunk
Splunk Web [][] Splunk Splunk Web Splunk Web Splunk Web
Splunk .conf /etc/system Splunk ( $SPLUNK_HOME )
Splunk CLI Splunk CLI
CLI CLI Splunk help CLI
./splunk help
CLI CLI CLI Windows *nix Windows Splunk
App App
App App App App
Splunk REST API App
[Splunk ] Splunk Apps
Splunk / Splunk
Splunk
Windows Splunk Enterprise Windows Splunk Enterprise Windows Splunk Windows Splunk
Windows Splunk Windows Splunk
Windows Splunk Splunk Splunk
Windows Splunk (System Center Tivoli/BigFix ) Splunk Splunk Splunk Splunk App
Windows Splunk
Splunk WMI (Windows Management Instrumentation)
Windows Splunk
Splunk Splunk / Splunk Splunk ()
Splunk Splunk Splunk
Splunk Splunk ()
LAN/WAN Splunk
Active Directory (AD) Active Directory (AD) (DC) AD (ISTG) Windows Server 2008 R2 (RODC) Splunk Active Directory
Splunk (Microsoft ExchangeSQL ServerActive Directory ) Splunk Splunk SplunkEnterprise
Splunk Splunk
Windows Splunk Windows Splunk
Splunk Splunk Splunk
Splunk
Splunk LAN (VLAN)
Active Directory Active Directory Active Directory Splunk
RODC DC AD DC ISTG 2 () DNS
Active Directory Flexible Single Master Operation (FSMO)
Splunk Splunk Windows Splunk
1 Splunk Splunk Splunk Enterprise Active Directory SplunkWMI Windows Server 2008/2008 R2 Core Splunk Splunk Web GUI WAN SplunkSplunk
Splunk Splunk
Windows Splunk Windows Splunk
Splunk
1 Splunk 1 Splunk Splunk 1 Splunk / Splunk Splunk
Splunk Splunk Splunk Splunk 10,000 RPM Splunk RAID 1+0 (RAID 10) Windows RAID
Splunk Splunk
( Splunk )Splunk Splunk
Splunk I/O
OS OS WindowsOS (%WINDIR%) Splunk Splunk
Splunk /Splunk
Splunk /Splunk /Splunk // (DFS) (NFS)
Splunk Splunk Splunk 20% Splunk 5000 ( 5 )
Splunk Splunk
Splunk Windows
Splunk Windows Windows Splunk Splunk OS Splunk Splunk Splunk Splunk Enterprise Windows Splunk
Windows Windows
Splunk Windows Splunk Windows Splunk
Windows Splunk Splunk Splunk () Windows
Splunk
Windows
Splunk Windows
Windows Splunk Splunk Splunk Web
Splunk
Splunk /
Splunk
() () Splunk Splunk RAM CPU Splunk Splunk WMI Splunk Splunk /Office Active Directory
Splunk Splunk
Splunk /
Splunk
Splunk Windows Splunk Enterprise Splunk Enterprise
1. Windows Windows
2. Splunk /
3. LAUNCHSPLUNK=0
4.
5. PowerShell
6.
7. bin
8. ./splunk clone-prep-clear-config
9. PowerShell
10. splunkd []
11. Windows (WSIM) Microsoft (SID) (Ghost Walker NTSID ) SYSPREP WSIM
12.
Splunk Splunk
Splunk Windows Splunk Splunk
Splunk
1. Windows
2. Splunk /
3. Splunk
GUI
4. Splunk
5. %SPLUNK_HOME%\bin .\splunk stop
6. .\splunk clean eventdata
7.
8. [] splunkd splunkweb []
9. SYSPREP (Windows XP, Windows Server 2003/2003 R2) / Windows (WSIM) (Windows Vista, Windows 7, Windows Server 2008/2008 R2)
Microsoft (SID) (Ghost Walker NTSID) SYSPREP WSIM
10.
Splunk Web Splunk Enterprise Splunk Web Splunk Enterprise Splunk Web Splunk Web
Splunk Splunk WebSplunk Web Splunk Web
Splunk Web Splunk Web Splunk
Splunk Web
http://mysplunkhost:
host port
Splunk Enterprise default login: username admin, password changeme
Splunk
Splunk 4.1.4 $SPLUNK_HOME/etc/local/server.conf allowRemoteLogin Always Splunk Free SplunkEnterprise (requireSetPassword )
Splunk Web Splunk Web
Splunk WebSplunk Web Splunk Splunk Web
() LDAP Splunk
OS
[Splunk ] [Splunk ]
Splunk Web Splunk [][]
[] > [][] > []
[][][] [][] [][][][][][] App
[] > [] > [][] > [] > []
LDAP
Splunk
App App
AppApp [App][App]
App App
[ App ][ App ] App [App ][App ] App
[] App
App Splunk Web App
[] > [][] > []
[][] Splunk Splunk Web Splunk [][]Splunk [][]Splunk
Splunk Enterprise
Splunk Enterprise
[] > [][] > []
Splunk Enterprise
- Splunk
- splunkd Splunk Web
-
App
[] App
Splunk App *nix Windows App App (*nix Windows App osos )Splunk
App Splunk
Splunk Web Splunk Web
Splunk Web 2
Splunk Enterprise
Splunk Web
1. [] > [][] > [] 2. [][] [][]
3. 4. [] [][]
Splunk Enterprise
Splunk Web
admin_all_objects admin_all_objects
messages.conf messages.conf
messages.conf messages.conf messages.conf messages.conf
$SPLUNK_HOME/etc/system/default/messages.conf *nix %SPLUNK_HOME%\etc\system\default\messages.conf Windows
messages.conf artifacts in the dispatch directoryartifacts
[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU]
message = The number of search artifacts in the dispatch directory is higher than recommended (count=%lu, warning threshold=%lu) and could have an impact on search performance.
action = Remove excess search artifacts using the "splunk clean-dispatch" CLI command, and review artifact retention policies in limits.conf and savedsearches.conf. You can also raise this warning threshold in limits.conf / dispatch_dir_warning_size.
severity = warn
capabilities = admin_all_objects
help = message.dispatch.artifacts
DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU
messages.conf messages.conf
messages.conf App App
messages.conf capabilities
[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU]
capabilities = admin_all_objects, can_delete
Splunk Enterprise
messages.conf.spec
messages.conf roles
[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU]
roles = admin
Splunk Enterprise
Splunk Enterprise Splunk Enterprise
Splunk Enterprise .conf
$SPLUNK_HOME/etc/system/default/ Splunk
Splunk Web Splunk Web
Splunk Web Splunk () $SPLUNK_HOME/etc/... $SPLUNK_HOME/etc/system/local
Splunk Web
1.
2. indexes.conf $SPLUNK_HOME/etc/system/local
3.indexes.conf
4. $SPLUNK_HOME/etc/system/default
Splunk Web CLI Splunk Web
Splunk Web Splunk Enterprise
default Default default Default
.spec .example $SPLUNK_HOME/etc/system/README
Splunk Enterprise
Splunk defaultlocal app Splunk App
Splunk
.spec .spec .example $SPLUNK_HOME/etc/system/README
/default - /default
-- duckfez2010
default default $SPLUNK_HOME/etc/system/default
default Default Splunk Enterprise default $SPLUNK_HOME/etc/system/local $SPLUNK_HOME/etc/apps//local
default default default
default Splunk Enterprise
$SPLUNK_HOME/etc/system/local
$SPLUNK_HOME/etc/system/local $SPLUNK_HOME/etc
$SPLUNK_HOME/etc/system/local
App
$SPLUNK_HOME/etc/slave-apps/[_cluster|]/[local|default]
$SPLUNK_HOME/etc/slave-apps _cluster App indexes.conf
$SPLUNK_HOME/etc/apps//[local|default]
App App /local Splunk App $SPLUNK_HOME/etc/apps/search/local/ App App /local ()
$SPLUNK_HOME/etc/users
$SPLUNK_HOME/etc/system/README
.spec .example 2 (inputs.conf.spec inputs.conf.example).spec .example
1
inputs.conf [SSL] ()
[SSL]
serverCert =
password =
[stanza1_header]
=
# comment
=
...
[stanza2_header]
=
=
...
sourcetype = my_app SOURCETYPE = my_app
outputs.conf
[tcpout]
indexAndForward=true
compressed=true
[tcpout:my_indexersA]
compressed=false
server=mysplunk_indexer1:9997, mysplunk_indexer2:9997
[tcpout:my_indexersB]
server=mysplunk_indexer3:9997, mysplunk_indexer4:9997
2
TCP [tcpout]2 [tcpout:]
[tcpout:my_indexersA] compressed [tcpout] my_indexersA
outputs.conf outputs.conf
Splunk Splunk AppApp
Splunk
Splunk
()
App App AB
props.conf props.conf
App App
2
App App App App
App App
indexes.conf
Splunk Splunk
(App/)
1. local
2. App local
3. App default
4. default
inputs.conf Splunk system/local app system/local system app system/default
(slave-app) App
1. App local ()
2. local
3. App local
4. App default ()
5. App default
6. default
( App local )
App App
App/ userappsystem
1. user
2. App app (local default)
3. App app (local default)
4. system (local default)
savedsearches.conf userapp system 3 Splunk app system user ()
App App
App AB App App (AZZa)
$SPLUNK_HOME/etc/apps/myapp1
$SPLUNK_HOME/etc/apps/myapp10
$SPLUNK_HOME/etc/apps/myapp2
$SPLUNK_HOME/etc/apps/myapp20
...
$SPLUNK_HOME/etc/apps/myappApple
$SPLUNK_HOME/etc/apps/myappBanana
$SPLUNK_HOME/etc/apps/myappZabaglione
...
$SPLUNK_HOME/etc/apps/myappapple
$SPLUNK_HOME/etc/apps/myappbanana
$SPLUNK_HOME/etc/apps/myappzabaglione
...
Splunk UTF-8 ASCII
10, 9, 70, 100 10, 100, 70, 9
App/App/ App App App
$SPLUNK_HOME/etc/system/local/*
$SPLUNK_HOME/etc/apps/A/local/* ... $SPLUNK_HOME/etc/apps/z/local/*
$SPLUNK_HOME/etc/apps/A/default/* ... $SPLUNK_HOME/etc/apps/z/default/*
$SPLUNK_HOME/etc/system/default/*
- -
$SPLUNK_HOME/etc/slave-apps/A/local/* ... $SPLUNK_HOME/etc/slave-apps/z/local/*
$SPLUNK_HOME/etc/system/local/*
$SPLUNK_HOME/etc/apps/A/local/* ... $SPLUNK_HOME/etc/apps/z/local/*
$SPLUNK_HOME/etc/slave-apps/A/default/* ... $SPLUNK_HOME/etc/slave-apps/z/default/*
$SPLUNK_HOME/etc/apps/A/default/* ... $SPLUNK_HOME/etc/apps/z/default/*
$SPLUNK_HOME/etc/system/default/*
slave-apps/[local|default] _cluster App (anApp) App (AnApp) ("_")
App/App/
$SPLUNK_HOME/etc/users/*
$SPLUNK_HOME/etc/apps/Current_running_app/local/*
$SPLUNK_HOME/etc/apps/Current_running_app/default/*
$SPLUNK_HOME/etc/apps/A/local/*, $SPLUNK_HOME/etc/apps/A/default/*, ... $SPLUNK_HOME/etc/apps/z/local/*,
$SPLUNK_HOME/etc/apps/z/default/* (but see note below)
$SPLUNK_HOME/etc/system/local/*
$SPLUNK_HOME/etc/system/default/*
App/ App App App local default App C Splunk $SPLUNK_HOME/etc/apps/C/local/* $SPLUNK_HOME/etc/apps/C/default/* App local default App App default.meta Splunk Apps
/etc/users/
props.conf props.conf Splunk App/Splunk props.conf () (App/)
$SPLUNK_HOME/etc/system/local/props.conf
[source::/opt/Locke/Logs/error*]
sourcetype = fatal-error
$SPLUNK_HOME/etc/apps/t2rss/local/props.conf
[source::/opt/Locke/Logs/error*]
sourcetype = t2rss-error
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = True
t2rss sourcetype /system/local sourcetype fatal-error/apps/t2rss/local t2rss-error
sourcetype Splunk system/local sourcetype fatal-error
[source::/opt/Locke/Logs/error*]
sourcetype = fatal-error
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = True
Splunk ( App/) App/
props.conf transforms.conf Splunk App/
admon.conf
authentication.conf
authorize.conf
crawl.conf
deploymentclient.conf
distsearch.conf
indexes.conf
inputs.conf
outputs.conf
pdf_server.conf
procmonfilters.conf
props.conf -- global and app/user context
pubsub.conf
regmonfilters.conf
report_server.conf
restmap.conf
searchbnf.conf
segmenters.conf
server.conf
serverclass.conf
serverclass.seed.xml.conf
source-classifier.conf
sourcetypes.conf
sysmon.conf
tenants.conf
transforms.conf -- global and app/user context
user-seed.conf -- special case: Must be located in /system/default
web.conf
wmi.conf
App/App/
alert_actions.conf
app.conf
audit.conf
commands.conf
eventdiscoverer.conf
event_renderers.conf
eventtypes.conf
fields.conf
limits.conf
literals.conf
macros.conf
multikv.conf
props.conf -- global and app/user context
savedsearches.conf
tags.conf
times.conf
transactiontypes.conf
transforms.conf -- global and app/user context
user-prefs.conf
workflow_actions.conf
Splunk Splunk
btool
props.conf props.conf
props.conf
ASCII props.conf
[source::.../bar/baz]
attr = val1
[source::.../bar/*]
attr = val2
ASCII 2 attr
props.conf props.conf
props.conf ASCII priority /
source::az
[source::...a...]
sourcetype = a
[source::...z...]
sourcetype = z
source::...a...source::...z...sourcetype a
ASCII priority
[source::...a...]
sourcetype = a
priority = 5
[source::...z...]
sourcetype = z
priority = 10
2 sourcetype z
() () priority
0 100
priority
priority sourcetype host priority spec source priority host sourcetype
props.conf () 1 (hostsourcesourcetype)
sourcetype
props.conf sourcetype = xml_file mylogfile.xml source
[source::/var/log/mylogfile.xml]
CHECK_METHOD = endpoint_md5
local app
1. local app $SPLUNK_HOME/etc/system/local
2. Splunk
3.
forwardedindex.0.whitelist =
#
# This stanza forwards some log files.
[monitor:///var/log]
[monitor:///var/log] # This is a really bad place to put your comment.
a_setting = 5 #5 is the best number
a_setting 5 #5 is the best number
Windows UTF-8
Splunk ASCII/UTF-8 Windows UTF-8
Splunk Enterprise
Splunk Enterprise Splunk Enterprise
Splunk Web Splunk Web Splunk (splunkd)
App
splunkweb splunkweb
Splunk Web SSL splunkweb
splunkd splunkd
splunkd
Splunk Web CLI
App
LDAP (Splunk Web )Splunk Enterprise
Web () ()indexes.conf Splunk Enterprise OS (Splunk Enterprise OS )App App
Splunk Enterprise
macros.conf
props.conf
transforms.conf
savedsearches.conf ()
http://:8000/en-GB/debug/refresh
props transforms
props.conf transforms.conf props.conf transforms.conf props.conf transforms.conf .conf
transforms.conf
http://:8000/en-us/debug/refresh?entity=admin/transforms-lookup
for new lookup file definitions that reside within transforms.conf
http://:8000/en-us/debug/refresh?entity=admin/transforms-extract
for new field transforms/extractions that reside within transforms.conf
authentication.conf Splunk Web > > > >
1
Splunk Enterprise ()
props.conf search.conf search.conf search.conf
1.props.conf transforms.conf Splunk props.conf transforms.conf
2.( App )
3.
savedsearches.conf REST REST
spec example spec example
$SPLUNK_HOME/etc/system/default/
alert_actions.conf
app.conf App
audit.conf /
authentication.conf Splunk LDAP LDAP
authorize.conf
checklist.conf
collections.conf KV
commands.conf
datamodels.conf /
default.meta.conf Splunk Apps
deploymentclient.conf
distsearch.conf
event_renderers.conf
eventtypes.conf
fields.conf
indexes.conf
inputs.conf
instance.cfg.conf Splunk
limits.conf ()
literals.conf Splunk Web
macros.conf []
multikv.conf (psnetstatls)
outputs.conf
passwords.conf App
procmon-filters.conf Windows
props.conf
pubsub.conf
restmap.conf REST
savedsearches.conf
searchbnf.conf
segmenters.conf
server.conf Splunk (splunkd Splunk Web ) SSL
serverclass.conf
serverclass.seed.xml.conf
source-classifier.conf ()
sourcetypes.conf
tags.conf
telemetry.conf App
times.conf App
transactiontypes.conf
transforms.conf props.conf
ui-prefs.conf UI
user-seed.conf
visualizations.conf App
viewstates.conf UI ()
web.conf Splunk Web HTTPS
wmi.conf Windows Management Instrumentation (WMI)
workflow_actions.conf
raw 4
Splunk
Splunk
Splunk Enterprise
1 Splunk Enterprise
1 1 ()
/ ( INDEXED_EXTRACTIONS )
()
Splunk
inputs.conf inputs.conf
(LINE_BREAKER TRUNCATE )
inputs.confprops.conf
CHARSET
NO_BINARY_CHECK
CHECK_METHOD
CHECK_FOR_HEADER
PREFIX_SOURCETYPE
sourcetype: wmi.conf, regmon-filters.conf
props.conf: INDEXED_EXTRACTIONS
props.conf: LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, TRANSFORMS, SEDCMD
MORE_THAN, LESS_THAN; transforms.conf
props.conf: TRANSFORMS; LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH
props.conf: SEGMENTATION
indexes.conf, segmenters.conf
props.conf: EXTRACT, REPORT, LOOKUP, KV_MODE, FIELDALIAS, EVAL, rename
transforms.conf (props.conf REPORT): filename, external_cmd, FIELDS, DELIMS, MV_ADD
bin/; savedsearches.conf, eventtypes.conf, tags.conf, commands.conf
commands.conf, alert_actions.conf, macros.conf, fields.conf, transactiontypes.conf, multikv.conf
Splunk
props.confCHECK_FOR_HEADERLEARN_MODELmaxDist
Splunk $SPLUNK_HOME/etc/ Splunk
Splunk Splunk
Splunk Splunk
Splunk
Splunk
.conf Splunk Enterprise
./splunk validate files 2
-manifest manifest manifest Splunk Enterprise manifest -type conf .conf
2
splunkd conf
splunkd Splunk Enterprise ( conf ) splunkd.log Splunk Web limits.conf
limits.conf 2
Splunk Web
limits.conf.spec
I/O Splunk I/O
manifest
Splunk Web Splunk Web
1. Splunk Web 2. Splunk & & & app 3. App 4.
Splunk $SPLUNK_HOME/bin $SPLUNK_HOME/lib Windows %SPLUNK_HOME%\Python2.7\ Splunk AIX Splunk Splunk Splunk Splunk 2 1 $SPLUNK_HOME Splunk splunkd etc/splunk.version Splunk
server/status/installed-file-integrity REST API server/status/installed-file-integrity
limits.conf Splunk Enterprise REST
[Splunk Enterprise ]
(CLI) (CLI) Splunk Enterprise Splunk Enterprise CLI CLI
Splunk (CLI) CLI /
CLI CLI
Splunk CLI $SPLUNK_HOME/bin (Windows %SPLUNK_HOME%\bin)
Splunk Web Settings > Server settings > General settings Splunk
Splunk CLI
PowerShell Splunk Splunk
CLI CLI
Splunk CLI Splunk CLI search dispatch CLI Splunk
CLI
UNIX Windows
./splunk help
CLI CLI CLI
*nix CLI
root Splunk $SPLUNK_HOME/bin CLI
Splunk Enterprise Linux/BSD/Solaris
# export SPLUNK_HOME=/opt/splunk
# export PATH=$SPLUNK_HOME/bin:$PATH
Splunk Enterprise Mac
# export SPLUNK_HOME=/Applications/Splunk
# export PATH=$SPLUNK_HOME/bin:$PATH
CLI
./splunk
CLI $SPLUNK_HOME :
*nix source /opt/splunk/bin/setSplunkEnv
Windows splunk.exe envvars > setSplunkEnv.bat & setSplunkEnv.bat
Mac OS X /Mac OS X /
Mac OS X /sudosudo su - root CLI sudo (rootsudo )
Windows CLI
Windows CLI PowerShell
1. PowerShell
2. Splunk Enterprise bin
3. splunk Splunk
C:\Program Files\Splunk\bin> splunk status
splunkd is running.
splunk helpers are running.
CLI CLI CLI
Windows Splunk Windows Splunk
Windows CLI CLI Windows
Splunk Splunk
1. PowerShell 2. PowerShell
PowerShell:
$splunk_home="C:\Program Files\Splunk"
Command prompt:
set SPLUNK_HOME="C:\Program Files\Splunk"
3. Splunk
PowerShell:
& "$splunk_home\bin\splunk" status
Command prompt:
%SPLUNK_HOME%\bin\splunk add forward-server 192.168.1.100:9997 -auth admin:changeme
Splunk Splunk
MS TechNet
Answers
Splunk Answers Splunk CLI
CLI CLI
Splunk CLI CLI CLI
CLI CLI
CLI Splunk CLI
help
./splunk help
CLI
/App authapp uri
./splunk [command] [object] [-parameter | ]... [-app] [-owner] [-uri] [-auth]
app App App
auth
owner /
uri () Splunk
app
CLI app create app enable app App CLI
./splunk command object [-parameter value]... -app appname
CLI App App
./splunk search "eventtype=error | stats count by source" -detach f -preview t -app unix
auth
CLI -auth
auth CLI
./splunk command object [-parameter value]... -auth username:password
uri
Splunk -uri
./splunk command object [-parameter value]... -uri specified-server
Splunk
[http|https]://name_of_server:management_port
name_of_server IP IP IPv4 IPv6 (specified-server 127.0.0.1:80 "[2001:db8::1]:80")splunkd IPv4 IPv6 Splunk IPv6
splunkserver 8089
./splunk search "host=fflanda error 404 *.gif" -auth admin -uri https://splunkserver:8089
CLI
Splunk CLI
CLI CLI
CLI / CLI
./splunk help commands
CLI
CLI CLI
CLI
./splunk help clustering
CLI
Splunk CLI Splunk CLI
CLI Splunk (splunkd) Web (splunkweb)
./splunk help controls
Splunk
CLI CLI
Splunk Splunk Splunk (main) CLI
./splunk help datastore
./splunk help index
Splunk
CLI CLI
CLI
./splunk help distributed
/ CLI / CLI
Splunk 1 CLI
./splunk help forwarding
CLI CLI
CLI Splunk
./splunk help search
./splunk help rtsearch
search-commandssearch-fields search-modifiers
./splunk help search-commands
./splunk help search-fields
./splunk help search-modifiers
Splunk CLI
CLI CLI CLI CLI
CLI CLI
Splunk CLI
CLI CLI CLI CLI CLI
Splunk () Splunk Splunk
Splunk CLI Splunk CLI
CLI
./splunk [] [[-] ]...
add
  Objects: exec, forward-server, index, licenser-pools, licenses, master, monitor, oneshot, saved-search, search-server, tcp, udp, user
  1. /var/log
     ./splunk add monitor /var/log/
  2.
     ./splunk add cluster-master https://127.0.0.1:8089 -secret testsecret -multisite false
anonymize
  1. /tmp/messages IP
     ./splunk anonymize file -source /tmp/messages
  2. name-terms Mynames.txt
     ./splunk anonymize file -source /tmp/messages -name_terms $SPLUNK_HOME/bin/Mynames.txt
apply
  Objects: cluster-bundle
  1.
     ./splunk apply cluster-bundle
  2. skip-validation
     ./splunk apply cluster-bundle --skip-validation
clean
  Objects: all, eventdata, globaldata, inputdata, userdata, kvstore
  1. Splunk eventdata raw
     ./splunk clean eventdata
  2. globaldata
     ./splunk clean globaldata
cmd
  Objects: btool, classify, locktest, locktool, parsetest, pcregextest, regextest, searchtest, signtool, walklex
  1. splunk btool inputs list splunkenvvars
     ./splunk cmd btool inputs list
  2.
     ./splunk cmd /bin/ls
create
  Objects: app
  1. myNewApp
     ./splunk create app myNewApp -template sample_app
createssl
diag
disable
  Objects: app, boot-start, deploy-client, deploy-server, dist-search, index, listen, local-index, maintenance-mode, shcluster-maintenance-mode, perfmon, webserver, web-ssl, wmi
  1.
     ./splunk disable maintenance-mode
  2. logs1
     ./splunk disable eventlog logs1
display
  Objects: app, boot-start, deploy-client, deploy-server, dist-search, jobs, listen, local-index
  1. App /
     ./splunk display app
  2. unix App
     ./splunk display app unix
edit
  Objects: app, cluster-config, shcluster-config, exec, index, licenser-localslave, licenser-groups, monitor, saved-search, search-server, tcp, udp, user
  1.
     ./splunk edit cluster-config -mode slave -site site2
  2. /var/log
     ./splunk edit monitor /var/log -follow-only true
enable
  Objects: app, boot-start, deploy-client, deploy-server, dist-search, index, listen, local-index, maintenance-mode, shcluster-maintenance-mode, perfmon, webserver, web-ssl, wmi
  1.
     ./splunk enable maintenance-mode
  2. col1
     ./splunk enable perfmon col1
export
  Objects: eventdata, userdata
  1. Splunk /tmp/apache_raw_404_logs
     ./splunk export eventdata -index my_apache_data -dir /tmp/apache_raw_404_logs -host localhost -terms "404 html"
fsck
  Objects: repair, scan, clear-bloomfilter
import
  Objects: userdata
  1. /tmp/export.dat
     ./splunk import userdata -dir /tmp/export.dat
install
  Objects: app
  1. foo.tar Splunk App
     ./splunk install app foo.tar
  2. foo.tgz Splunk App
     ./splunk install app foo.tgz
list
  Objects: cluster-buckets, cluster-config, cluster-generation, cluster-peers, deploy-clients, excess-buckets, exec, forward-server, index, inputstatus, licenser-groups, licenser-localslave, licenser-messages, licenser-pools, licenser-slaves, licenser-stacks, licenses, jobs, master-info, monitor, peer-info, peer-buckets, perfmon, saved-search, search-server, tcp, udp, user, wmi
  1. splunkd
     ./splunk list monitor
  2.
     ./splunk list licenses
login
logout
offline
  1. enforce-counts
     ./splunk offline
  2. --enforce-counts
     ./splunk offline --enforce-counts
package
  Objects: app
  1. App URI
     ./splunk package app stubby
rebuild
refresh
  Objects: deploy-clients
reload
  Objects: ad, auth, deploy-server, index, listen, monitor, registry, script, tcp, udp, perfmon, wmi
  1.
     ./splunk reload deploy-server
  2. my_serverclass
     ./splunk reload deploy-server -class my_serverclass
remove
  Objects: app, cluster-peers, excess-buckets, exec, forward-server, index, jobs, licenser-pools, licenses, monitor, saved-search, search-server, tcp, udp, user
  1. testsecret secret/pass4SymmKey
     ./splunk remove cluster-master https://127.0.0.1:8089 -secret testsecret
  2. Unix App
     ./splunk remove app unix
rolling-restart
  Objects: cluster-peers, shcluster-members
rtsearch
  Objects: app, batch, detach, earliest_time, header, id, index_earliest, index_latest, max_time, maxout, output, preview, rt_id, timeout, uri, wrap
  1.
     ./splunk rtsearch 'error' -wrap false
  2. rtsearch
     ./splunk rtsearch 'eventtype=webaccess error | top clientip'
search
  Objects: app, batch, detach, earliest_time, header, id, index_earliest, index_latest, latest_time, max_time, maxout, output, preview, timeout, uri, wrap
  1. ID TTL
     ./splunk search '*' -detach true
  2. eventtype=webaccess error
     ./splunk search 'eventtype=webaccess error' -wrap 0
set
  Objects: datastore-dir, deploy-poll, default-hostname, default-index, minfreemb, servername, server-type, splunkd-port, web-port, kvstore-port
  1. Ready
     ./splunk set indexing-ready
  2. bologna:1234
     ./splunk set deploy-poll bologna:1234
show
  Objects: config, cluster-bundle-status, datastore-dir, deploy-poll, default-hostname, default-index, jobs, minfreemb, servername, splunkd-port, web-port, kvstore-port
  1.
     ./splunk show log-level
  2. Splunk Enterprise
     ./splunk show deploy-poll
spool
start, stop, restart
  Objects: splunkd, splunkweb
status
  Objects: splunkd, splunkweb
validate
  1. indexes.conf
     ./splunk validate index main
version
CLI CLI
CLI CLI Splunk Enterprise
CLI CLI
Splunk CLI Splunk Splunk CLI cmd
./splunk cmd
CLI
CLI Splunk Enterprise
CLI uri Splunk Enterprise
uri CLI
CLI
Splunk Free () $SPLUNK_HOME/etc/system/local/server.conf
allowRemoteLogin=always
add oneshot
CLI CLI
CLI uri
./splunk command object [-parameter ]... -uri
uri specified-server
[http|https]://name_of_server:management_port
name_of_server Splunk Enterprise IP
uri mgmtHostPort Splunk Enterprise web.conf web.conf
CLI CLI CLI
splunkserver
./splunk search "host=fflanda error 404 *.gif" -uri https://splunkserver:8089
CLI CLI
App App
splunkserver App
./splunk display app -uri https://splunkserver:8089
URI URI
SPLUNK_URI URI URI uri
SPLUNK_URI
$ export SPLUNK_URI=[http|https]://name_of_server:management_port # For Unix shells
C:\> set SPLUNK_URI=[http|https]://name_of_server:management_port # For Windows shell
SPLUNK_URI
$ export SPLUNK_URI=https://splunkserver:8089
CLI CLI
CLI
start, stop, restart, status, version
CLI CLI CLI
CLI CLI
CLI CLI ()
server.conf
[httpServer]
cliLoginBanner =
allowBasicAuth = true|false
basicAuthRealm =
cliLoginBanner =
Splunk CLI ()
cliLoginBanner="Line 1","Line 2","Line 3"
2
cliLoginBanner="This is a line that ""contains quote characters""!"
allowBasicAuth = true|false
Splunk (authtoken) HTTP Basic Splunk true REST Web REST API UI CLI true
basicAuthRealm =
allowBasicAuth Web //splunk
Splunk Enterprise
Splunk Enterprise /
Windows Splunk Enterprise
Windows Splunk Enterprise C:\Program Files\Splunk Splunk Splunk $SPLUNK_HOME Splunk Enterprise $SPLUNK_HOME(Windows %SPLUNK_HOME%) C:\Program Files\Splunk
Splunk Enterprise splunkd splunkweb 2 splunkdSplunk Web Splunk Enterprise Splunk Enterprise Windows Splunk Enterprise
Windows Splunk
1. Splunk Enterprise [] Splunk (Start -> Control Panel -> Administrative Tools -> Services)
   Web: splunkd; Web (): splunkweb
2. NET START / NET STOP Splunk Enterprise
   Web: splunkd; Web (): splunkweb
3. %SPLUNK_HOME%\bin
   > splunk [start|stop|restart]
Windows Splunk Enterprise Windows Splunk Enterprise
Splunk Enterprise (splunkd splunkweb)
Splunk Web Splunk Web splunkd Splunk Web
Splunk Enterprise
1. %SPLUNK_HOME%\etc\system\local
2. %SPLUNK_HOME%\etc\system\local\web.conf web.conf %SPLUNK_HOME%\etc\system\local
3. web.conf appServerPorts httpport
[settings]
appServerPorts = 0
httpport = 8000
4.
5. Splunk Enterprise splunkd splunkweb
6. http://: Splunk Enterprise
Splunk Enterprise %SPLUNK_HOME%\etc\system\local\web.conf appServerPorts httpport
UNIX Splunk Enterprise
Splunk Enterprise *nix 1 splunkd splunkd Splunk Web Splunk Enterprise SplunkEnterprise UNIX Splunk Enterprise
Splunk Enterprise Splunk Enterprise
Splunk Enterprise
# splunk start
Splunk Enterprise service init.d
# service splunk start
splunkd ( Splunk Web )
# splunk start splunkd
# splunk start splunkweb
web.conf startwebserver appServerPorts 0 splunkweb splunkweb UNIX Splunk Enterprise
Splunk Enterprise (splunkd splunkweb)
# splunk restart
# splunk restart splunkd
# splunk restart splunkweb
UNIX Splunk Enterprise UNIX Splunk Enterprise
Splunk Enterprise splunkd splunkweb Splunk Enterprise
Splunk Enterprise
1. $SPLUNK_HOME/etc/system/default
2. web.conf $SPLUNK_HOME/etc/system/local
3. $SPLUNK_HOME/etc/system/local web.conf
4. web.conf appServerPorts httpport
[settings]
appServerPorts = 0
httpport = 8000
5.
6. Splunk Enterprise (UNIX Splunk Enterprise ) splunkd splunkweb
7. http://: Splunk Enterprise
Splunk Enterprise %SPLUNK_HOME%\etc\system\local\web.conf appServerPorts httpport
Splunk Enterprise Splunk Enterprise
Splunk Enterprise
# splunk stop
splunkd Splunk Web
# splunk stop splunkd
() # splunk stop splunkweb
Splunk Splunk
Splunk Enterprise
# splunk status
splunkd is running (PID: 3162).
splunk helpers are running (PIDs: 3164).
Splunk Enterprise
splunkweb is running (PID: 3216).
UNIX splunk status Splunk Enterprise
splunk status 0splunk status Linux Standard Base 3 splunk status
Splunk Enterprise ps
# ps aux | grep splunk | grep -v grep
Solaris ps aux -ef
# ps -ef | grep splunk | grep -v grep
Splunk Web Splunk Enterprise
Splunk Web Splunk
1. [] > [][] > []
2. [Splunk ][Splunk ]
splunkd splunkweb
Splunk Splunk
Splunk Splunk *nix
root sudo sudo
Windows Windows
Windows Splunk Windows
* nix * nix
Splunk init (OS )
1. Splunk
2. root sudo
3. [sudo] $SPLUNK_HOME/bin/splunk enable boot-start
Root Root
root Splunk -user Splunk
bob
[sudo] $SPLUNK_HOME/bin/splunk enable boot-start -user bob
root Splunk Splunk root
1. 2. root 3. /etc/init.d/splunk 4.
su -
5.
MacOS MacOS
Splunk Mac /System/Library/StartupItems Mac Mac Splunk
sudo sudo Mac Splunk
1. 2. App 3. Splunk bin
cd /Applications/Splunk/bin
4.
[sudo] ./splunk enable boot-start
AIX AIX
Splunk Enterprise AIX Splunk Splunk 6.3.0 AIX Splunk Enterprise
AIX Splunk (SRC)
AIX Splunk AIX SRC Splunk
mkssys -G splunk -s splunkd -p -u -a _internal_exec_splunkd -S -n 2 -f 9
mkssys -G splunk -s splunkweb -p -u -a _internal_exec_splunkweb -S -n 15 -f 9
(Splunk Enterprise )
SRC Splunk Enterprise Splunk
/usr/bin/startsrc -s splunkd Splunk /usr/bin/stopsrc -s splunkd Splunk
$SPLUNK_HOME ./splunk [start|stop] SRC
Splunk boot-start is enabled. Please use /usr/bin/[startsrc|stopsrc] -s splunkd to [start|stop] Splunk.
$SPLUNK_HOME Splunk Enterprise
[sudo] ./splunk disable boot-start
mkssys IBM pSeries AIX Information Center Web Mkssys command (http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.cmds/doc/aixcmds3/mkssys.htm) SRC IBM (https://www-01.ibm.com/support/knowledgecenter/#!/ssw_aix_71/com.ibm.aix.genprogc/src.htm)
Splunk root AIX Splunk root AIX
1. AIX 2. root sudo
AIX sudo
3. Splunk bin 4.
[sudo] ./splunk enable boot-start
Splunk root AIX Splunk root AIX
1. AIX 2. root sudo
AIX sudo
3. Splunk splunk
[sudo] mkuser splunk
[sudo] chown -R splunk
4. Splunk bin 5. -user
[sudo] ./splunk enable boot-start -user
Splunk
[sudo] $SPLUNK_HOME/bin/splunk disable boot-start
Windows Windows
Windows Splunk Windows [] Splunk (splunkd splunkweb)
$SPLUNK_HOME/etc/init.d/READMESplunk help boot-start
Splunk
Enterprise (60 ) 500 MB/
Enterprise
Splunk Splunk
Splunk splunk.com [MyOrders]
Splunk Web [] > [][] > []
Splunk Enterprise
Splunk Enterprise
*nix setenv export
# export SPLUNK_HOME=/opt/splunk02/splunk
Splunk Enterprise
Windows PowerShell set
C:\> set SPLUNK_HOME=C:\Program Files\Splunk
SPLUNK_HOME Splunk Enterprise
SPLUNK_DB Splunk Enterprise
SPLUNK_BINDIP Splunk Enterprise IP IP
SPLUNK_IGNORE_SELINUX
SELinux Linux Splunk Enterprise SELinux Splunk Enterprise SplunkEnterprise SELinux
SPLUNK_OS_USER
Splunk Enterprise splunkroot Splunk Enterprise splunksplunk
SPLUNK_SERVER_NAME splunkd (Windows ) (*nix )
SPLUNK_WEB_NAME splunkweb (Windows ) (*nix )
splunk-launch.conf (web.conf) Splunk splunk-launch.conf
Splunk Enterprise (admin/changeme) Splunk
10
Splunk WebSplunk Web
1. Splunk Web 2. [][] 3. [] [][] 4. [][] 5. [][] 6. [][]
CLICLI
Splunk CLI
splunk edit user
CLI Splunk Enterprise -auth changeme foo
splunk edit user admin -password foo -role admin -auth admin:changeme
*nix \ (')
splunk edit user admin -password 'FFL14io!23ur$' -role admin -auth admin:changeme
splunk edit user admin -password FFL14io!23ur\$ -role admin -auth admin:changeme
Windows (^) (")
splunk edit user admin -password "FFL14io!23ur>" -role admin -auth admin:changeme
splunk edit user admin -password FFL14io!23ur^> -role admin -auth admin:changeme
Splunk Enterprise
HTTP/HTTPS Splunk Web: 8000
appserver: 8065
splunkd: 8089
KV: 8191
Splunk: 9997
Splunk Web Splunk Web
1. Splunk Web 2. [][] 3. [] [][] 4. [] 5. [][] [Web ][Web ] [][]
Splunk CLI Splunk CLI
Splunk CLI CLI set Splunk Web 9000
splunk set web-port 9000
splunkd 9089
splunk set splunkd-port 9089
Splunk Splunk
Splunk Splunk Web Splunk
Splunk DNS IP
Splunk Web Splunk Web
Splunk
1. Splunk Web 2. [][] 3. [] [][] 4. [] 5. [Splunk ][Splunk ] [][]
Splunk CLI Splunk CLI
CLI set servername foo
splunk set servername foo
Splunk
Splunk Web Splunk Web
1. Splunk Web 2. [][] 3. [] [][] 4. [] 5. [][] [][] 6. CLI Splunk Enterprise $SPLUNK_HOME/bin/ (*nix) %SPLUNK_HOME%\bin
(Windows)
splunk restart
CLI
Splunk CLI Splunk CLI
CLI set datastore-dir /var/splunk/
splunk set datastore-dir /var/splunk/
Splunk
Splunk Web Splunk Web
1. Splunk Web 2. [][] 3. [] [][] 4. [] 5. [][] [][]
Splunk CLI Splunk CLI
CLI set minfreemb 2000 MB
splunk set minfreemb 2000
& App 24 24 App [general_default] SPLUNK_HOME/etc/apps/user-prefs/local/user-prefs.conf
& App Splunk Apps
Splunk Web Splunk Web
1. Splunk Web
2. [][]
3. [][]
4. [][]
5. [][] [][]
ui_prefs.conf
ui-prefs.conf ui-prefs.conf Splunk Web
ui-prefs.conf
Splunk Web []
user-prefs.conf
ui-prefs.conf
Splunk IP Splunk IP
Splunk IP Splunk IP 0.0.0.0 IP
Splunk IP Splunk (splunkd)
TCP 8089 ()
SplunkTCP TCP UDP
Splunk Web IP web.conf server.socket_host
Splunk SPLUNK_BINDIP=
$SPLUNK_HOME/etc/splunk-launch.conf SPLUNK_BINDIP Splunk 127.0.0.1 () splunk-launch.conf
# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory this configuration
# file was found in
#
# SPLUNK_HOME=/opt/splunk
SPLUNK_BINDIP=127.0.0.1
web.conf mgmtHostPort 127.0.0.1:8089 SPLUNK_BINDIP 127.0.0.1mgmtHostPort IP splunk-launch.conf
SPLUNK_BINDIP=10.10.10.1
web.conf ( 8089 )
mgmtHostPort=10.10.10.1:8089
mgmtHostPort web.conf
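The SPLUNK_BINDIP / mgmtHostPort pairing above is easy to get half right: splunk-launch.conf is changed, web.conf is not, and Splunk Web can no longer reach splunkd. The following is an added example, not Splunk's own code, that reads both files and reports the mismatch; it also covers the `[address]:port` form that web.conf needs for IPv6. The sample file contents are constructed from the values on this page, and `parse_launch_conf`, `parse_stanzas`, `split_host_port` and `check_bind_consistency` are hypothetical helper names.

```python
"""Consistency check for SPLUNK_BINDIP (splunk-launch.conf) and mgmtHostPort (web.conf).

Added example, not Splunk's own code. Sample files are constructed; helper names
are hypothetical.
"""
import ipaddress

# Constructed sample: splunkd bound to one interface, but web.conf still points
# Splunk Web at the loopback management port (the mismatch the page warns about).
LAUNCH_CONF = """\
# Modify the following line to suit the location of your Splunk install.
# SPLUNK_HOME=/opt/splunk
SPLUNK_BINDIP=10.10.10.1
"""

WEB_CONF_MISMATCH = """\
[settings]
mgmtHostPort = 127.0.0.1:8089
"""

WEB_CONF_FIXED = """\
[settings]
mgmtHostPort = 10.10.10.1:8089
"""


def parse_launch_conf(text):
    """splunk-launch.conf has no stanzas: KEY=VALUE lines and '#' comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def parse_stanzas(text):
    """Minimal parser for stanza-style files such as web.conf -> {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("key/value before any stanza: %r" % line)
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def split_host_port(host_port):
    """Split 'host:port' or '[ipv6]:port' (the bracket form web.conf needs for IPv6)."""
    if host_port.startswith("["):
        host, _, rest = host_port[1:].partition("]")
        if not rest.startswith(":"):
            raise ValueError("malformed IPv6 host:port %r" % host_port)
        return host, int(rest[1:])
    host, sep, port = host_port.rpartition(":")
    if not sep:
        raise ValueError("missing port in %r" % host_port)
    return host, int(port)


def check_bind_consistency(launch_conf, web_conf):
    """Return a list of problems; empty when Splunk Web can reach splunkd's bound address."""
    problems = []
    bindip = parse_launch_conf(launch_conf).get("SPLUNK_BINDIP")
    settings = parse_stanzas(web_conf).get("settings", {})
    mgmt = settings.get("mgmtHostPort", "127.0.0.1:8089")  # Splunk's default value
    host, _port = split_host_port(mgmt)
    if bindip is None:
        return problems  # splunkd listens on every interface, loopback included
    bind_addr = ipaddress.ip_address(bindip)
    try:
        mgmt_addr = ipaddress.ip_address(host)
    except ValueError:
        problems.append("mgmtHostPort uses a hostname (%s); cannot compare with SPLUNK_BINDIP" % host)
        return problems
    if mgmt_addr != bind_addr:
        problems.append("mgmtHostPort %s does not match SPLUNK_BINDIP %s: Splunk Web "
                        "cannot reach splunkd" % (mgmt, bindip))
    if mgmt_addr.version == 6 and not mgmt.startswith("["):
        problems.append("IPv6 mgmtHostPort must be written as [address]:port, got %s" % mgmt)
    return problems


if __name__ == "__main__":
    print(check_bind_consistency(LAUNCH_CONF, WEB_CONF_MISMATCH))
    print(check_bind_consistency(LAUNCH_CONF, WEB_CONF_FIXED))
```

Run it after editing either file; an empty list means the two settings agree. The check deliberately says nothing when SPLUNK_BINDIP is unset, because splunkd then listens on all interfaces and the loopback default works.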
IPv6
4.3 web.conf mgmtHostPort IPv6 splunkd IPv6 (Splunk IPv6 server.conf ) 127.0.0.1:8089 [::1]:8089
Splunk IPv6 Splunk IPv6
Splunk IPv6
Splunk TCP UDP server.conf server.confinputs.conf inputs.conf
Splunk 4.3 IPv6 IPv6 Splunk WebCLI
IPv6
Splunk OS ( OS)IPv6
HP-UX PA-RISC, Solaris 8 and 9, AIX
IP v6 Splunk IP v6 Splunk
Splunk IPv6
IPv6 DNS IPv4 IPv4 IPv6
IPv6 IPv4
IPv4 DNS IPv6
Splunk IPv6 $SPLUNK_HOME/etc/system/local server.conf
listenOnIPv6=[yes|no|only]
yes splunkd IPv6 IPv4 no splunkd IPv4 only Splunk IPv6
connectUsingIpVersion=[4-first|6-first|4-only|6-only|auto]
4-first splunkd IPv4 IPv6 6-first 4-first Web IPv6 IPv6 4-only splunkd DNS IPv6 6-only splunkd DNS IPv4 auto splunkd listenOnIPv6
splunkd IPv4 4-only splunkd IPv6 6-only splunkd 6-first
DNS connectUsingIpVersion = 6-first IPv4 ("server=10.1.2.3:9001")
IPv6
IPv6 Splunk IPv6 listenOnIPv6 [udp], [tcp], [tcp-ssl], [splunktcp] [splunktcp-ssl] inputs.conf server.conf
IPv6
Splunk IPv6 outputs.conf
[tcpout] server [host]:port IPv6 [tcpout-server] [host]:port IPv6 [syslog] server [host]:port IPv6
IPv6
Splunk IPv6 distsearch.conf
servers [host]:port IPv6 heartbeatMcastAddr IPv6 Splunk 4.3
IPv6 Splunk Web
Web IPv6 splunkweb splunkd 4.3 web.conf listenOnIPv6 server.conf Splunk Web
web.conf mgmtHostPort IPv6 splunkd IPv6 ( server.conf ) 127.0.0.1:8089 [::1]:8089
Splunk CLI IPv6
Splunk CLI IPv6 splunkd mgmtHostPort web.conf $SPLUNK_URI -uri -uri IPv6 IP -uri"[2001:db8::1]:80"
IPv6 SSO
IPv6 SSO trustedIP web.conf server.conf
web.conf mgmtHostPort trustedIP
[settings]
mgmtHostPort = [::1]:8089
startwebserver = 1
listenOnIPv6=yes
trustedIP=2620:70:8000:c205:250:56ff:fe92:1c7,::1,2620:70:8000:c205::129
SSOMode = strict
remoteUser = X-Remote-User
tools.proxy.on = true
SSO Splunk Enterprise
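The stanza above only makes sense together with its trust rule: the `remoteUser` header is meaningful when it comes from a proxy listed in `trustedIP`, and with `SSOMode = strict` a request from any other address must not be treated as authenticated. The following is an added example, not Splunk's own code, that models that decision so the interaction of the three settings can be tested; it normalises IPv6 addresses, so `0:0:0:0:0:0:0:1` and `::1` are treated as the same trusted proxy. The request tuples are constructed, and `load_sso_settings` and `resolve_user` are hypothetical helper names.

```python
"""Model the SSO trust decision the web.conf stanza above expresses.

Added example, not Splunk's own code. Helper names are hypothetical; the sample
requests are constructed.
"""
import configparser
import ipaddress

WEB_CONF = """\
[settings]
mgmtHostPort = [::1]:8089
startwebserver = 1
listenOnIPv6=yes
trustedIP=2620:70:8000:c205:250:56ff:fe92:1c7,::1,2620:70:8000:c205::129
SSOMode = strict
remoteUser = X-Remote-User
tools.proxy.on = true
"""


def load_sso_settings(text):
    """Read the [settings] stanza; trustedIP becomes a set of normalised ip_address objects."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    s = cp["settings"]
    trusted = {ipaddress.ip_address(a.strip())
               for a in s.get("trustedIP", "").split(",") if a.strip()}
    return {
        "mode": s.get("SSOMode", "permissive").strip().lower(),  # Splunk's default mode
        "header": s.get("remoteUser", "REMOTE_USER").strip(),    # Splunk's default header
        "trusted": trusted,
    }


def resolve_user(settings, peer_ip, headers):
    """Return (username, reason); username is None when SSO must not be applied."""
    peer = ipaddress.ip_address(peer_ip)  # normalises '0:0:0:0:0:0:0:1' to '::1'
    header_user = headers.get(settings["header"])
    if peer in settings["trusted"]:
        if header_user:
            return header_user, "accepted: proxy %s is in trustedIP" % peer
        return None, "trusted proxy sent no %s header" % settings["header"]
    # A peer outside trustedIP could have written the header itself, so it is ignored.
    if settings["mode"] == "strict":
        return None, "rejected: strict mode and %s is not in trustedIP" % peer
    return None, "header ignored; fall back to the normal login page"


if __name__ == "__main__":
    cfg = load_sso_settings(WEB_CONF)
    for ip, hdrs in [("::1", {"X-Remote-User": "alice"}),
                     ("0:0:0:0:0:0:0:1", {"X-Remote-User": "alice"}),
                     ("2620:70:8000:c205::130", {"X-Remote-User": "bob"})]:
        print(ip, resolve_user(cfg, ip, hdrs))
```

The key property to keep when adapting this: the header is read only after the peer address check passes, never before, so a client that is not the proxy gains nothing by sending it.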
Splunk Splunk Splunk
Splunk LDAP (SSL) Splunk SSL
Splunk Enterprise Splunk SplunkEnterprise
Splunk Inc. (Splunk) Splunk
Splunk AppsSplunk Apps
App App
Splunk Apps for AWSSplunk Apps for AWS Splunk Splunk Splunk Splunk DB Connect Splunk DB Connect Splunk Apps for ServiceNowSplunk Apps for ServiceNow Splunk Splunk Apps for AkamaiSplunk Apps for Akamai Splunk
Splunk Splunk
Splunk Splunk
/ /
> >
> >
True-up
Web
> > > >
Web
> >
Web
> > > >
Web
> >
Splunk
SplunkApps
App
App
App
App
Diag
Diag
() Splunk Web
[][][][][OK][OK]
[OK][OK][] > [][] > []
edit_telemetry_settings
Splunk Web
1. [] > [][] > [] 2.
Javascript splkmobile URL Splunk Web
component JSON
Splunk Enterprise 7.0.0 Splunk Enterprise 7.0.0
Splunk Enterprise 7.0.0 GUID
> > 6.6.0 Splunk Enterprise 6.5.0 Splunk Enterprise Splunk Enterprise6.4.x > >
Splunk Enterprise version 7.0.0
App
App
Splunk Enterprise Splunk Enterprise
Splunk Enterprise
Splunk GUID
App App
licensing.stack
ID licensing.stack
deployment.clustering.indexer
deployment.clustering.member
deployment.clustering.searchhead
Splunk OS/CPU Splunk
deployment.forwarders
deployment.distsearch.peer
deployment.index
deployment.licensing.slave
GUID (/) CPU () OS/Splunk
deployment.node
deployment.node
performance.indexing
performance.search
deployment.shclustering.member
usage.indexing.sourcetype
usage.users.active
usage.search.type
usage.search.concurrent
App
deployment.app
App
usage.app.page
IdId IdId Id Iddata.guid GUID
app.session.session_start
app.session.pageview
app.session.dashboard.pageview
app.session.pivot.load
app.session.pivot.interact
app.session.search.interact
licensing.stack
ID licensing.stack
Splunk JSON ID JSON
{
"component": "deployment.app",
"data": {
"name": "alert_logevent",
"enabled": true,
"version": "7.0.0",
"host": "ip-10-222-17-130"
},
"visibility": "anonymous,support",
"timestamp": 1502845738,
"date": "2017-08-15",
"transactionID": "01AFCDA0-2857-423A-E60D-483007F38C1A",
"executionID": "2A8037F2793D5C66F61F5EE1F294DC",
"version": "2",
"deploymentID": "9a003584-6711-5fdc-bba7-416de828023b"
}
JSON
[]
deployment.app
App
{
"name": "alert_logevent",
"enabled": true,
"version": "7.0.0",
"host": "ip-10-222-17-130"
}
deployment.clustering.indexer
{
"host": "docteam-unix-5",
"summaryReplication": true,
"siteReplicationFactor": null,
"enabled": true,
"multiSite": false,
"searchFactor": 2,
"siteSearchFactor": null,
"timezone": "-0700",
"replicationFactor": 3
}
deployment.clustering.member
{
"site": "default",
"master": "ip-10-212-28-184",
"member": {
"status": "Up",
"guid": "471A2F25-CD92-4250-AA17-4E49819B897A",
"host": "ip-10-212-28-4"
}
}
deployment.clustering.searchhead
{
"site": "default",
"master": "ip-10-222-27-244",
"searchhead": {
"status": "Connected",
"guid": "1D4D422A-ADDE-437D-BA07-2B0C319D23BA",
"host": "ip-10-212-55-3"
}
}
deployment.distsearch.peer
{
"peer": {
"status": "Up",
"guid": "472A5F22-CC92-4220-AA17-4E48919B897A",
"host": "ip-10-222-21-4"
},
"host": "ip-10-222-27-244"
}
deployment.forwarders
{
"hosts": 168,
"instances": 497,
"architecture": "x86_64",
"os": "Linux",
"splunkVersion": "6.5.0",
"type": "uf",
"bytes": {
"min": 389,
"max": 2291497,
"total": 189124803,
"p10": 40960,
"p20": 139264,
"p30": 216064,
"p40": 269312,
"p50": 318157,
"p60": 345088,
"p70": 393216,
"p80": 489472,
"p90": 781312
}
}
deployment.index
{
"name": "_audit",
"type": "events",
"total": {
"rawSizeGB": null,
"maxTime": 1502845730.0,
"events": 1,
"maxDataSizeGB": 488.28,
"currentDBSizeGB": 0.0,
"minTime": 1502845719.0,
"buckets": 0
},
"host": "ip-10-222-17-130",
"buckets": {
"thawed": {
"events": 0,
"sizeGB": 0.0,
"count": 0
},
"warm": {
"sizeGB": 0.0,
"count": 0
},
"cold": {
"events": 0,
"sizeGB": 0.0,
"count": 0
},
"coldCapacityGB": "unlimited",
"hot": {
"sizeGB": 0.0,
"max": 3,
"count": 0
},
"homeEventCount": 0,
"homeCapacityGB": "unlimited"
},
"app": "system"
}
deployment.licensing.slave
{
"master": "9d5c20b4f7cc",
"slave": {
"pool": "auto_generated_pool_enterprise",
"guid": "A5FD9178-2E76-4149-9FGF-55DCE35E38E7",
"host": "9d5c20b4f7cc"
}
}
deployment.node
{
"guid": "123309CB-ABCD-4BC9-9B6A-185316600F23",
"host": "docteam-unix-3",
"os": "Linux",
"osExt": "Linux",
"osVersion": "3.10.0-123.el7.x86_64",
"splunkVersion": "6.5.0",
"cpu": {
"coreCount": 2,
"utilization": {
"min": 0.01,
"p10": 0.01,
"p20": 0.01,
"p30": 0.01,
"p40": 0.01,
"p50": 0.02,
"p60": 0.02,
"p70": 0.03,
"p80": 0.03,
"p90": 0.05,
"max": 0.44
},
"virtualCoreCount": 2,
"architecture": "x86_64"
},
"memory": {
"utilization": {
"min": 0.26,
"max": 0.34,
"p10": 0.27,
"p20": 0.28,
"p30": 0.28,
"p40": 0.28,
"p50": 0.29,
"p60": 0.29,
"p70": 0.29,
"p80": 0.3,
"p90": 0.31
},
"capacity": 3977003401
},
"disk": {
"fileSystem": "xfs",
"capacity": 124014034944,
"utilization": 0.12
}
}
deployment.shclustering.member
{
"site": "default",
"member": {
"status": "Up",
"guid": "290C48B1-50D3-48C9-AF86-14F43000CC5C",
"host": "ip-10-222-19-223"
},
"captain": "ip-10-222-19-253"
}
licensing.stack
{
"type": "download-trial",
"guid": "4F735357-F278-4AD2-BBAB-139A85A75DBB",
"product": "enterprise",
"name": "download-trial",
"licenseIDs": [
"553A0D4F-3B7B-4AD5-B241-89B94386A07F"
],
"quota": 524288000,
"pools": [
{
"quota": 524288000,
"consumption": 304049405
}
],
"consumption": 304049405,
"subgroup": "Production",
"host": "docteam-unix-9"
}
performance.indexing
{
"host": "docteam-unix-5",
"thruput": {
"min": 412,
"max": 9225,
"total": 42980219,
"p10": 413,
"p20": 413,
"p30": 431,
"p40": 450,
"p50": 474,
"p60": 488,
"p70": 488,
"p80": 488,
"p90": 518
}
}
performance.search
{
"latency": {
"min": 0.01,
"max": 1.33,
"p10": 0.02,
"p20": 0.02,
"p30": 0.05,
"p40": 0.16,
"p50": 0.17,
"p60": 0.2,
"p70": 0.26,
"p80": 0.34,
"p90": 0.8
}
}
app.session.dashboard.pageview
{
"dashboard": {
"autoRun": false,
"hideEdit": false,
"numCustomCss": 0,
"isVisible": true,
"numCustomJs": 0,
"hideFilters": false,
"hideChrome": false,
"hideAppBar": false,
"hideFooter": false,
"submitButton": false,
"refresh": 0,
"hideSplunkBar": false,
"hideTitle": false,
"isScheduled": false
},
"numElements": 1,
"numSearches": 1,
"numPanels": 1,
"elementTypeCounts": {
"column": 1
},
"layoutType": "row-column-layout",
"searchTypeCounts": {
"inline": 1
},
"name": "test_dashboard",
"numFormInputs": 0,
"formInputTypeCounts": {},
"numPrebuiltPanels": 0,
"app": "search"
}
app.session.pivot.interact
{
"eventAction": "change",
"eventLabel": "Pivot - Report Content",
"numColumnSplits": 0,
"reportProps": {
"display.visualizations.charting.legend.placement": "none",
"display.visualizations.type": "charting",
"earliest": "0",
"display.statistics.show": "1",
"display.visualizations.charting.chart": "column",
"display.visualizations.charting.axisLabelsX.majorLabelStyle.rotation": "-90",
"display.visualizations.show": "1",
"display.general.type": "visualizations"
},
"numRowSplits": 1,
"eventCategory": "PivotEditorReportContent",
"app": "search",
"page": "pivot",
"numAggregations": 1,
"numCustomFilters": 0,
"eventValue": {},
"locale": "en-US",
"context": "pivot"
}
app.session.pivot.load
{
"eventAction": "load",
"eventLabel": "Pivot - Page",
"numColumnSplits": 0,
"reportProps": {
"display.visualizations.charting.legend.placement": "none",
"display.visualizations.type": "charting",
"earliest": "0",
"display.statistics.show": "1",
"display.visualizations.charting.chart": "column",
"display.visualizations.show": "1",
"display.general.type": "visualizations"
},
"numRowSplits": 1,
"eventCategory": "PivotEditor",
"app": "search",
"page": "pivot",
"numAggregations": 1,
"numCustomFilters": 0,
"locale": "en-US",
"context": "pivot"
}
app.session.search.interact
app.session.pageview
{
"app": "launcher",
"page": "home"
}
app.session.session_start
{
"app": "launcher",
"splunkVersion": "6.6.0",
"os": "Ubuntu",
"browser": "Firefox",
"browserVersion": "38.0",
"locale": "en-US",
"device": "Linux x86_64",
"osVersion": "not available",
"page": "home",
"guid": "2550FC44-64E5-43P5-AS44-6ABD84C91E42"
}
usage.app.page
App
{
"app": "search",
"locale": "en-US",
"occurrences": 1,
"page": "datasets",
"users": 1
}
usage.indexing.sourcetype
{
"name": "vendor_sales",
"bytes": 2026348,
"events": 30245,
"hosts": 1
}
usage.search.concurrent
{
"host": "docteam-unix-5",
"searches": {
"min": 1,
"max": 11,
"p10": 1,
"p20": 1,
"p30": 1,
"p40": 1,
"p50": 1,
"p60": 1,
"p70": 1,
"p80": 2,
"p90": 3
}
}
usage.search.type
{
"ad-hoc": 1428,
"scheduled": 225
}
usage.users.active
{
"active": 23
}
[]
licensing.stack
{
"type": "download-trial",
"guid": "4F735357-F278-4AD2-BBAB-139A85A75DBB",
"product": "enterprise",
"name": "download-trial",
"licenseIDs": [
"553A0D4F-3B7B-4AD5-B241-89B94386A07F"
],
"quota": 524288000,
"pools": [
{
"quota": 524288000,
"consumption": 304049405
}
],
"consumption": 304049405,
"subgroup": "Production",
"host": "docteam-unix-9"
}
Splunk
MINT Splunk Splunk
Splunk ID Splunk ID Splunk
Splunk
Splunk
1. Splunk Web 2. [] > [][] > [] 3. [][] 4. 5. [][] [][] Splunk
3 05 1 1
Splunk Enterprise 3 05
1
Splunk Enterprise Splunk Enterprise
Splunk _telemetry _telemetry 2 256 MB
App $SPLUNK_HOME/etc/apps/splunk_instrumentation
Splunk Splunk Splunk Splunk Enterprise SplunkApps Splunk Splunk Web
Splunk Web Javascript quickdraw.splunk.com
Splunk Enterprise web.conf updateCheckerBaseURL 0
Splunk Apps App app.conf check_for_updatesfalse
Splunk Enterprise
CPU x86_64
Linux
Enterprise
Splunk
GUID Enterprise, Production,
Splunk 7.0.0
App
App 1.0
Splunk 7.0
Linux
Website
Splunk Enterprise
Splunk Enterprise Splunk
Splunk Enterprise ( 0 0 )
Splunk Enterprise SplunkEnterprise
Splunk Enterprise Enterprise Splunk
72 72 ()
Splunk Enterprise
Splunk Enterprise 60 Enterprise 60 Splunk Enterprise 500 MB/
60 (Enterprise )SplunkFree Splunk Free Splunk Enterprise 500 MB/
Splunk Free / (Splunk Web CLI )
60 Splunk Enterprise Enterprise Splunk
Enterprise SplunkEnterprise Enterprise Splunk
150
Splunk Splunk
Splunk Splunk Splunk
Enterprise Enterprise SplunkEnterprise 6.5.0 Enterprise Free Free Forwarder Beta Enterprise Splunk App Enterprise Cloud App
Splunk Enterprise
Splunk Enterprise Splunk SplunkEnterprise Enterprise Splunk
Enterprise
Splunk Enterprise 6.5.0 Enterprise 30 5
Enterprise
Enterprise Enterprise
Splunk Enterprise 500 MB/Enterprise Splunk 60 Enterprise Splunk Free
Splunk Enterprise Enterprise Free
Enterprise
Sales Sales
Splunk Sales Enterprise Enterprise Splunk 60 Splunk Sales
//
Splunk //Splunk Web // 6.5.0 SplunkEnterprise
/ Enterprise Enterprise Dev/Test Enterprise
Free
Free 500 MB/
Enterprise Splunk Free Splunk Free
TCP/HTTP ( Splunk Splunk ) ()/LDAP
Splunk /index=*Splunk
Splunk Free
EnterpriseEnterprise6.5.0 6.5.0
EnterpriseEnterprise
//
EnterpriseEnterprise FreeFree
no
Splunk Web
no no
Enterprise no no
Forwarder
()()
Forwarder Splunk
Forwarder Forwarder Enterprise Splunk
Beta Beta
Splunk Splunk Splunk Free Enterprise Beta Enterprise Splunk
() ()
Splunk Splunk
Search head () Enterprise ()
4.2 Forwarder Forwarder
() ()
Splunk Splunk
Enterprise ()
Splunk Enterprise
Splunk Free Splunk Free Enterprise SplunkFree
Splunk
Enterprise Sales Enterprise Splunk Enterprise Enterprise Enterprise Enterprise Sales Splunk Free Splunk Free Forwarder Forwarder /Enterprise Enterprise /Enterprise
1 1 Splunk 1 1
Enterprise/Sales -- Enterprise Sales ( Enterprise Enterprise ) Enterprise -- Splunk Enterprise Enterprise Enterprise Free -- Splunk Free Enterprise 60 Splunk Free Splunk Free Forwarder -- Splunk Splunk [] Splunk Forwarder Forwarder
[DevTest] (/)[Production] () 1
Splunk Enterprise 6.5.0 Splunk Enterprise 6.5.0 Production
Splunk
0 Splunk
1
1
Splunk /Enterprise
Splunk Splunk Enterprise Splunk
1. [] > [][] > [] 2. [][] 3. [][] [ XML [ XML
...]...] /Enterprise
4. [][] Enterprise Splunk Enterprise
Splunk
Splunk Splunk Splunk
2
Splunk 1 Enterprise Splunk Enterprise 500 MB60 Enterprise 1 Enterprise
1 2
( 5 )
6.1.x 5.x, 6.0.x|6.1.x
6.2.x 5.x6.0.x6.1.x6.2.x
6.3.x 5.x6.0.x6.1.x6.2.x6.3.x
6.4.x 5.x6.0.x6.1.x6.2.x6.3.x6.4.x
6.5.x 5.x6.0.x6.1.x6.2.x6.3.x6.4.x6.5.x
6.6.x 5.x6.0.x6.1.x6.2.x6.3.x6.4.x6.5.x6.6.x
Splunk 1 Enterprise
Enterprise 1
Splunk
Splunk Splunk Splunk CLI
1. Splunk Web [] > [][] > []
2. [][]
3. [ Splunk ] [ Splunk ][ Splunk ]
4. IP Splunk Splunk ( 8089)
IP IPv4 IPv6 IPv6 Splunk IPv6
5. [] Enterprise Splunk
[] > [][] > [] [][] Enterprise Splunk
1
Splunk Splunk Splunk
CLI
Splunk 500 MB60 Enterprise Splunk 1 Enterprise
[] > [][] > [] 100 MB Enterprise Splunk
Enterprise Splunk Splunk Enterprise Enterprise auto_generated_pool_enterprise
1. [][] []
2.
3. []
Enterprise auto_generated_pool_enterprise [][]
1. []
2.
3. ()
4.
5.
Splunk Splunk Splunk
URI
2
1. URI
2. [][] [] []
1. URI
2. [[]]
CLI CLI
Splunk CLI
Splunk Splunk Splunk
Splunk CLI Splunk CLI
Splunk CLI
Splunk REST API REST API
CLI CLI
Splunk CLI
add licenseslicenser-poolsEnterprise
edit licenser-localslavelicenser-pools
Enterprise
list
licenser-groupslicenser-localslavelicenser-messageslicenser-poolslicenser-slaveslicenser-stackslicenses
remove licenser-poolslicenses
licenser-groups
licenser-localslave
licenser-messages
licenser-pools
1
licenser-slaves
licenser-stacks
licenses Splunk
./splunk add licenses /opt/splunk/etc/licenses/enterprise/enterprise.lic
./splunk list licenses
list (features) (group_idstack_id) (quota)(license_hash)
./splunk remove licenses BM+S8VetLnQEb1F+5Gwx9rR4M4Y91AkIE=781882C56833F36D
1 (Enterprise )
./splunk list licenser-pools
./splunk add licenser-pools pool01 -quota 10mb -slaves guid1,guid2 -stack_id enterprise
()
./splunk edit licenser-pools pool01 -description "Test" -quota 15mb -slaves guid3,guid4 -append_slaves true
Test 10 MB 15 MB guid3 guid4 (guid1 guid2 )
./splunk remove licenser-pools pool01
1
./splunk list licenser-slaves
./splunk list licenser-localslave
(splunkd URI self)
./splunk edit licenser-localslave -master_uri 'https://master:port'
list ()
./splunk list licenser-messages
Splunk Splunk
Splunk Enterprise
Splunk CLI
1
1. [] > [][] > []
2. [][]
3. [][]
[] [] > [ ][] > [ ] []
Splunk Splunk Enterprise Splunk Enterprise
1 30Enterprise 5 Free 3 Splunk Enterprise 6.5.0
30 5 Enterprise 3 Free Enterprise
Splunk Enterprise 6.5.0 Splunk
( _internal _introspection)
0 () 30
Splunk Splunk Splunk Enterprise 6.5.0 Splunk
_internal
Splunk Web []
[] > [][] > [] [][]
( 0 ) ( 0 ) ( 0 )1 30
72 72 ()
splunkd.log failedto transfer rows _internal
Splunk Enterprise
[]
0 Splunk 0 ()
Splunk Enterprise 6.5.0 Enterprise
150
AnswersAnswers
Splunk AnswersSplunk
1.
() [] > [][] > [] Splunk
2.
3.
[] > [][] > [] URL URL [][] Splunk
4.
5.
[] > [] > [][] > [] > [] [] (Splunk Enterprise Splunk Enterprise )
6. Splunk Enterprise /opt/splunk/etc/licenses/enterprise/()
7. Splunk Enterprise
Splunk Enterprise
(LURV) Splunk Splunk 30
LURV 2 () 30
LURV []
[]> []> [][]> []> [] LURV ( 1 )
[] []
LURV [] 5 0
[] Splunk REST API
[] []
[] []
[] []
[][]
30 ()
[][]
[ 30 ] [ 30 ]
[ 30 ] 5
() 10 timechart 10
license_usage.logtype=RolloverSummary () 0 RolloverSummary
3
4 split-by
1 license_usage.log type=Usage ( 1 30 )
[] > [[] > [] > []] > []
10 Splunk
()
auto_summarize savedsearches.conf 10 10 3 cron auto_summarize.cron_schedule
() squash_threshold Splunk {} {} license_usage.log
split-by () split-by Splunk
server.conf [license] squash_threshold Splunk
LURV Splunk Web
per_host_thruput metrics.log
5 5
[ 5] [] 5
5 5 F F () 5 F
150
30 30
LURV LURV
LURV
(LURV) Splunk
LURV 80%
[][] []
| where '% used' > 80
[] > [][] > []
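The alert search above (`| where '% used' > 80`) needs a "% used" figure, and the `licensing.stack` telemetry record shown earlier on this page carries the two numbers it is built from: `quota` and `consumption`, both in bytes per day, for the stack and for each pool. The following is an added example, not Splunk's own code, that builds such a record, computes the percentage for the stack and every pool, and applies the same 80% threshold. The record is constructed to match the page's sample (a 500 MB/day trial stack); `build_stack_event`, `percent_used` and `usage_report` are hypothetical helper names.

```python
"""License usage from a licensing.stack telemetry record, with the 80% alert threshold.

Added example, not Splunk's own code. The record is constructed to match the
page's sample; helper names are hypothetical.
"""
import json


def build_stack_event(consumption, quota, name="download-trial", host="docteam-unix-9"):
    """Wrap a licensing.stack payload in the telemetry envelope format this page shows."""
    data = {
        "type": name,
        "guid": "4F735357-F278-4AD2-BBAB-139A85A75DBB",
        "product": "enterprise",
        "name": name,
        "licenseIDs": ["553A0D4F-3B7B-4AD5-B241-89B94386A07F"],
        "quota": quota,
        "pools": [{"quota": quota, "consumption": consumption}],
        "consumption": consumption,
        "subgroup": "Production",
        "host": host,
    }
    return json.dumps({
        "component": "licensing.stack",
        "data": data,
        "visibility": "anonymous,support",
        "timestamp": 1502845738,
        "date": "2017-08-15",
        "version": "2",
    })


# Constructed to match the page's sample: a 500 MB/day trial stack at 304049405 bytes.
SAMPLE_EVENT = build_stack_event(consumption=304049405, quota=524288000)


def percent_used(consumption, quota):
    """Percentage of a daily quota consumed; quota and consumption are bytes."""
    if quota <= 0:
        raise ValueError("quota must be a positive number of bytes")
    return 100.0 * consumption / quota


def usage_report(event_json, threshold=80.0):
    """Summarise one licensing.stack event; 'alert' mirrors `| where '% used' > 80`."""
    event = json.loads(event_json)
    if event.get("component") != "licensing.stack":
        raise ValueError("not a licensing.stack event: %r" % event.get("component"))
    data = event["data"]
    stack_pct = percent_used(data["consumption"], data["quota"])
    pool_pct = [percent_used(p["consumption"], p["quota"]) for p in data["pools"]]
    return {
        "stack": data["name"],
        "host": data["host"],
        "quota_mb": data["quota"] / 1024 ** 2,
        "percent_used": round(stack_pct, 1),
        "pool_percent_used": [round(p, 1) for p in pool_pct],
        # Either the stack as a whole or any single pool crossing the line raises the alert.
        "alert": stack_pct > threshold or any(p > threshold for p in pool_pct),
    }


if __name__ == "__main__":
    print(usage_report(SAMPLE_EVENT))
```

On the page's sample the stack is at 58% of its 500 MB quota, so no alert fires; a pool is checked individually because a single small pool can exhaust its share while the stack total still looks comfortable.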
Splunk Enterprise
LURV 30 LURV 30
[ 30 ] $SPLUNK_HOME/var/log/splunk/license_usage.log
2
() $SPLUNK_HOME/var/log/splunk () [monitor://$SPLUNK_HOME/var/log/splunk]
0
App App App App
App (KV ) Splunk Apps
Splunk Apps KV
App UI Splunk
KV Splunk Apps App
KV KV
KV
App ( ) ( ) JSON () _key_key ID _key App _user_user ID
KV
KV KV KV
KV Splunk Enterprise 64 ()32 Splunk Enterprise KV Splunk Enterprise
KV 8191 server.conf [kvstore] Splunk Enterprise
KV server.conf.specKV
Splunk FIPS Splunk FIPS
KV FIPS server.conf.specKV
Splunk FIPS
FIPS (caCertFilesslKeysPath sslKeysPassword) KV splunkd.log splunk start
App KV App KV
Splunk Enterprise 6.2 KV
KV App $SPLUNK_HOME/etc/apps//default collections.conf transforms.conf external_type = kvstore
KV KV
KV
1. REST API
2. Splunk REST API create-read-update-delete (CRUD)
3. REST API
Splunk Enterprise KV
2 KV Splunk Enterprise KV
KV Splunk Enterprise KV
KV KV
KV KV
KV KV
KV
1. KV
2. Splunk Enterprise bin
3. ./splunk show kvstore-status KV
KV
4. replicationStatus KV KV
KV KV
1 KV
1 KV ( -source sourceId ) KV KV
1. CLI splunk show shcluster-status
2.
3. splunk resync kvstore [-source sourceId]
4.
5.
6. splunk show kvstore-status
1. KV
2. splunk clean kvstore --local
3. KV
4. splunk show kvstore-status
KV KV App KV (oplog)
KV KV ( 1 GB)oplog KV KV 5 3 ( 2 1 ) oplog ()
KV KV
1. KV splunk show shcluster-status CLI
2.
3. $SPLUNK_HOME/bin
4. splunk show kvstore-status
5. oplog
1
()oplog KV oplog RAM Splunk KV 1 GB
1. CLI splunk show shcluster-status
2.
3. server.conf / [kvstore] / oplogSize ()
1000 (MB )
4.
1.
2. Splunk Enterprise
3. splunk clean kvstore --local
4. KV
5. splunk show kvstore-status
KV KV
KV
KV KV
1. KV KV Splunk
2. server.conf [kvstore] dbPath
3. $SPLUNK_DB kvstore /var/lib/splunk/kvstore
KV
KV KV
::KV KV Splunk KV collections.conf KV collections.conf KV
KV kvstore 3
1. KV 2. 3. KV 4.
KV KV
KV 3
1. KV 2.
1.
2. 3. KV 4.
KV KV
Splunk Enterprise
1. () KV
2. KV 1 KV 3 3
KV KV replication_factor=1Splunk KV KV splunk clean kvstore -clusterSplunk KV replication_factor
KV KV
KV Splunk Enterprise
KV KV
REST API GET () KV KV (Splunk Enterprise )
KV CLI KV CLI
KV $SPLUNK_HOME/bin
./splunk show kvstore-status
Splunk CLI CLI
KV REST KV REST
REST API cURL GET ()
curl -k -u user:pass https://:/services/kvstore/status
REST API REST API
KV KV
status replicationStatus KV mongod.log splunkd.log
KV KV
ready ready ()
disabled server.conf KV KV
KV
Splunk KV
KV KV
KV KV
KV
KV
KV 1 mongod.log splunkd.log
KV
//
mongod.log splunkd.log
This member:
date : Tue Jul 21 16:42:24 2016
dateSec : 1466541744.143000
disabled : 0
guid : 6244DF36-D883-4D59-AHD3-5276FCB4BL91
oplogEndTimestamp : Tue Jul 21 16:41:12 2016
oplogEndTimestampSec : 1466541672.000000
oplogStartTimestamp : Tue Jul 21 16:34:55 2016
oplogStartTimestampSec : 1466541295.000000
port : 8191
replicaSet : splunkrs
replicationStatus : KV store captain
standalone : 0
status : ready
Enabled KV store members:
10.140.137.128:8191
guid : 6244DF36-D883-4D59-AHD3-5276FCB4BL91
hostAndPort : 10.140.137.128:8191
10.140.137.119:8191
guid : 8756FA39-F207-4870-BC5D-C57BABE0ED18
hostAndPort : 10.140.137.119:8191
10.140.136.112:8191
guid : D6190F30-C59A-423Q-AB48-80B0012317V5
hostAndPort : 10.140.136.112:8191
KV store members:
10.140.137.128:8191
configVersion : 1
electionDate : Tue Jul 21 16:42:02 2016
electionDateSec : 1466541722.000000
hostAndPort : 10.140.134.161:8191
optimeDate : Tue Jul 21 16:41:12 2016
optimeDateSec : 1466541672.000000
replicationStatus : KV store captain
uptime : 108
10.140.137.119:8191
configVersion : 1
hostAndPort : 10.140.134.159:8191
lastHeartbeat : Tue Jul 21 16:42:22 2016
lastHeartbeatRecv : Tue Jul 21 16:42:22 2016
lastHeartbeatRecvSec : 1466541742.490000
lastHeartbeatSec : 1466541742.937000
optimeDate : Tue Jul 21 16:41:12 2016
optimeDateSec : 1466541672.000000
pingMs : 0
replicationStatus : Non-captain KV store member
uptime : 107
10.140.136.112:8191
configVersion : -1
hostAndPort : 10.140.133.82:8191
lastHeartbeat : Tue Jul 21 16:42:22 2016
lastHeartbeatRecv : Tue Jul 21 16:42:00 2016
lastHeartbeatRecvSec : 1466541720.503000
lastHeartbeatSec : 1466541742.959000
optimeDate : ZERO_TIME
optimeDateSec : 0.000000
pingMs : 0
replicationStatus : Down
uptime : 0
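The output above is what an operator reads by eye after `splunk show kvstore-status`: one member reports `replicationStatus : Down` and `configVersion : -1`. The following is an added example, not Splunk's own code, that parses this text into a structure and lists the members that are not healthy, so the check can run from a script on every search head. The sample is a trimmed, constructed copy of the output shown above; `parse_kvstore_status` and `kvstore_problems` are hypothetical helper names, and the health rules (local status `ready`, exactly one captain, every member in a captain or non-captain state, no negative `configVersion`) are this example's own.

```python
"""Parse 'splunk show kvstore-status' output and report members that are not healthy.

Added example, not Splunk's own code. Sample output is a constructed, trimmed copy
of the page's; helper names and health rules are this example's own.
"""

SAMPLE_STATUS = """\
This member:
    date : Tue Jul 21 16:42:24 2016
    disabled : 0
    guid : 6244DF36-D883-4D59-AHD3-5276FCB4BL91
    port : 8191
    replicaSet : splunkrs
    replicationStatus : KV store captain
    standalone : 0
    status : ready
Enabled KV store members:
    10.140.137.128:8191
        guid : 6244DF36-D883-4D59-AHD3-5276FCB4BL91
        hostAndPort : 10.140.137.128:8191
    10.140.137.119:8191
        guid : 8756FA39-F207-4870-BC5D-C57BABE0ED18
        hostAndPort : 10.140.137.119:8191
    10.140.136.112:8191
        guid : D6190F30-C59A-423Q-AB48-80B0012317V5
        hostAndPort : 10.140.136.112:8191
KV store members:
    10.140.137.128:8191
        configVersion : 1
        replicationStatus : KV store captain
        uptime : 108
    10.140.137.119:8191
        configVersion : 1
        pingMs : 0
        replicationStatus : Non-captain KV store member
        uptime : 107
    10.140.136.112:8191
        configVersion : -1
        optimeDate : ZERO_TIME
        replicationStatus : Down
        uptime : 0
"""

SECTIONS = {
    "This member:": "this_member",
    "Enabled KV store members:": "enabled",
    "KV store members:": "members",
}
HEALTHY_STATES = ("KV store captain", "Non-captain KV store member")


def parse_kvstore_status(text):
    """Return {'this_member': {k: v}, 'enabled': {host: {k: v}}, 'members': {host: {k: v}}}."""
    result = {"this_member": {}, "enabled": {}, "members": {}}
    section, member = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section, member = SECTIONS[line], None
            continue
        if section is None:
            raise ValueError("unexpected line before first section: %r" % line)
        if " : " in line:  # 'key : value'; host:port headings have no spaces around ':'
            key, _, value = line.partition(" : ")
            target = result[section] if section == "this_member" else result[section].setdefault(member, {})
            target[key.strip()] = value.strip()
        else:
            member = line  # a host:port heading inside a members section
    return result


def kvstore_problems(text):
    """List human-readable problems; an empty list means the replica set looks healthy."""
    st = parse_kvstore_status(text)
    problems = []
    local = st["this_member"]
    if local.get("status") != "ready":
        problems.append("local KV store status is %r, expected 'ready'" % local.get("status"))
    captains = [h for h, m in st["members"].items() if m.get("replicationStatus") == "KV store captain"]
    if len(captains) != 1:
        problems.append("expected exactly one KV store captain, found %d" % len(captains))
    for host, m in st["members"].items():
        state = m.get("replicationStatus")
        if state not in HEALTHY_STATES:
            problems.append("%s: replicationStatus is %r" % (host, state))
        if int(m.get("configVersion", "-1")) < 0:
            problems.append("%s: configVersion %s, member has not joined the replica set" % (host, m.get("configVersion")))
    for host in st["enabled"]:
        if host not in st["members"]:
            problems.append("%s is enabled but missing from the replica set" % host)
    return problems


if __name__ == "__main__":
    for p in kvstore_problems(SAMPLE_STATUS):
        print(p)
```

Feed it the real command output (`./splunk show kvstore-status` from `$SPLUNK_HOME/bin`) and treat a non-empty list as the trigger for the resync procedures described earlier in this section.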
KV KV
KV splunkd.log mongod.log Splunk Web Splunk
KV REST/services/messages cURL GET
curl -k -u user:pass https://:/services/messages
REST API
KV KV
2 KV Splunk Enterprise KV
KV Splunk Enterprise KV
Splunk Apps Splunk Apps App App
App App Splunk Enterprise
AppApp 1 Splunk Enterprise Splunk Apps
Splunk Enterprise App
App App dev.splunk.com
AppApp
AppApp Splunk Enterprise Splunk Enterprise App App Splunk Enterprise App Splunk Apps for Microsoft ExchangeSplunk Apps forEnterprise SecuritySplunk DB Connect App 1
Splunk Enterprise App Splunk Add-on for Checkpoint OPSECLEASplunk Add-on for BoxSplunk Add-on for McAfee
App App
Splunk App Splunk App App SplunkBase Splunk Splunk SplunkBase App SplunkBase App
Splunk SplunkBase Splunk SupportedSplunk Supported App App App SplunkBase Developer SupportedDeveloper Supported Splunk SplunkBase Community SupportedCommunity Supported App
Developer supported.png Community supported.png
App App Splunk Splunk App Splunk Splunk App SplunkBase Splunk Splunk SplunkBase Splunk SupportedSplunk Supported Splunk App
App App
Splunk Splunk App
Splunk App App Splunk App
App ( App )
Splunk Splunk /
App Splunk Web App Splunk Web
Splunk Splunk Web App App
App App
App
Splunk
1. Splunk Web [] > [][] > [] 2. [][] 3. 4. [ App][ App] App 5. []
App App
App App App
1. $SPLUNK_HOME/etc/apps/user-prefs/local/user-prefs.conf (*nix) %SPLUNK_HOME%\etc\apps\user-prefs\local\user-prefs.conf (Windows )
2. [general_default]default_namespace = search
3. Splunk Enterprise
User-prefs.conf.spec
App App
App App Splunk Web
App App
1. Splunk Web [] > [][] > [] 2. [][] 3. 4. [ App][ App] App 5. []
App App
App App (user-prefs.conf )
App
App App
SplunkBase App https://splunkbase.splunk.comhttps://splunkbase.splunk.com SplunkEnterprise App
Splunk Enterprise App
App + + App
AppApp App [App [App ]] App
Splunk Web SplunkBase Splunk Web HTTP_PROXY
Splunk Enterprise SplunkBase App
1. Splunkbase App
2. App
3. Splunk Enterprise
4. App $SPLUNK_HOME/etc/apps
5. tar -xvf (*nix) WinZip (Windows) App SplunkApps tar gzip .SPL
6. App Splunk Enterprise
7. App Splunk (Web UI )
App App
Splunk Splunk Apps
App Splunk Apps Splunk Splunk
Splunk Apps Splunk
Splunk App Splunk
() (/) ( Splunk Cloud)
2 Splunk Enterprise
1 Splunk Enterprise SplunkEnterprise SplunkEnterprise / SplunkEnterprise
App SplunkbaseSplunkbase App Splunk WebSplunk Web App
App Splunk Web App
App
Splunk Web App App
App AppApp Splunk Enterprise
App
ChefPuppetSaltWindows
Splunk Apps App Splunk Enterprise App
App App
Splunk
App
App App Splunk Enterprise App
apply shcluster-bundle App
() App App App Splunk Web CLI App
App App App
Splunk Cloud App Splunk Cloud App
Splunk Cloud App Splunk Splunk Cloud App
Splunk Light
Splunk Light Splunk Light
App App
App Splunk Splunk Splunk
App apps App
Splunk Web App () App $SPLUNK_HOME/etc/users///local App App App
(App ) App (/)
App App
Splunk Splunk
[] Splunk App App App Fflanda Fflanda Fflanda
App App
$SPLUNK_HOME/etc/users///local/
$SPLUNK_HOME/etc/apps//local/
App
Splunk Splunk
App App Splunk Web
App DCA (B.conf)
1. A $SPLUNK_HOME/etc/users/C/D/B.conf $SPLUNK_HOME/etc/apps/D/local/B.conf
2. App local.meta A export = system
*Nix App fflandarhallen
1. [rhallen] $SPLUNK_HOME/etc/users/fflanda/unix/local/eventtypes.conf $SPLUNK_HOME/etc/apps/unix/local/eventtypes.conf
2.
[eventtypes/rhallen]
export = system
$SPLUNK_HOME/etc/apps/unix/metadata/local.meta
App export = system local.meta
App [App][App]> [App ]> [App ]
(/)
()
App inputs.conf App $SPLUNK_HOME/etc/apps/search/local/inputs.conf
App App
Splunk App Splunk Splunk
App App
Splunk AppApp App Splunk
App App App App App Splunk Web App
Splunk Web App/Splunk Web App/
Splunk Web Splunk
App [] > [[] > []] [] > [][] > [] [] > [][] > [] [] > [] [] > []
App App
App []
[]
App App
App
App App
App App
CLI App CLI App
CLI Splunk App
./splunk install app <app_package_filename> -update 1 -auth <username>:<password>
Splunk App
CLI App CLI App
CLI Splunk App
./splunk disable app [app_name] -auth <username>:<password>
Splunk Free
App App
App Splunk
1. () App Splunk App App Splunk CLI clean CLI
2. App $SPLUNK_HOME/etc/apps/ CLI
./splunk remove app [app_name] -auth <username>:<password>
3. App () $SPLUNK_HOME/splunk/etc/users/*/
4. Splunk
App App
Splunk Enterprise App [App] [App][App] App App[App ]
App App /App App
App App
App
[App] > [App ][App] > [App ] App [][] Splunk Enterprise App
Splunk Web App
App
App
App HTMLJavaScript CSS 1
App Splunk Splunk Apps
Splunk Enterprise SplunkBase App App [] > [App] > [][] > [App] > []
Splunk Web App app.conf $SPLUNK_HOME/etc/apps//local/app.conf
[package]
check_for_updates = 0
app.conf App
Splunk Enterprise
Splunk Enterprise adminadmin admin changemechangeme Splunk
Splunk Enterprise 3 Splunk Enterprise
Splunk Enterprise
LDAPLDAPSplunk LDAP LDAP
API APISplunk RADIUS PAM
Splunk Enterprise
Splunk Enterprise
admin () -- power () -- ()user () -- can_delete -- delete
Splunk Enterprise
Splunk Web [] > [][] > [] [] [] [] Splunk Enterprise email=realname=roles=
Splunk
Splunk 2 2 2 en_USen_GB
Splunk
de_DE
en_GB
en_US
fr_FR
it_IT
ja_JP
ko_KR
zh_CN
zh_TW
Splunk
Splunk US English MM/DD/YYYY:HH:MM:SS British English DD/MM/YYYY:HH:MM:SS
Splunk Splunk URL Splunk URL http://host:port/locale/... Splunk URL http://hostname:8000/en-US/account/login URL http://hostname:8000/en-GB/account/login URL
Splunk Invalid language Specified
Splunk Splunk
Splunk 3
splunkweb splunkd
splunkweb splunkd Splunk
splunkweb splunkd Splunk Web
1. Splunk Web [][]
2. [] [][]
3. []
4. [][]
5. []
splunkweb splunkd 60Splunk Web
splunkweb splunkd web.conf (tools.sessions.timeout ) server.conf (sessionTimeout ) SplunkWeb (splunkweb) Splunk (splunkd) 2 web.conf tools.sessions.timeout 90() server.conf sessionTimeout 1h(1 60 ) 60
splunkweb/splunkd web.conf ui_inactivity_timeout Splunk 60 ui_inactivity_timeout 1
splunkweb/splunkd ui_inactivity_timeout splunkweb splunkd
splunkweb : 15m
splunkd : 20m
(ui_inactivity_timeout) 10m
25 (15m+10m) 25
Splunk Web Splunk
Splunk Enterprise Splunk Enterprise Splunkd Proxy Splunkd Proxy
HTTP/S splunkd HTTP/S splunkd splunkd
(splunkd) HTTP
Splunk Splunk Splunk
Splunk Web SplunkBase Splunk REST API
Splunkd Splunkd
Splunkd HTTP
1.HTTP Splunk splunkd Splunk Enterprise
Apache 2.4
Apache 2.2
Squid 3.5
2.server.conf REST splunkd
TLS Proxying SSL
Spl