Admin Manual: Splunk Enterprise 7.0.0

Splunk Enterprise 7.0.0 Admin Manual. Generated 2017/09/15, 4:29 PM. Copyright (c) 2017 Splunk Inc. All Rights Reserved.


Welcome to Splunk Enterprise administration

How to use this manual

This manual is for the administrator of a Splunk Enterprise deployment. It covers what comes after installation: starting and stopping Splunk Enterprise on Windows and *nix (Unix, Linux, and Mac OS), working in Splunk Web, using the command-line interface (CLI), editing configuration files, managing apps, and the licensing and housekeeping tasks of a running deployment. Installing Splunk Enterprise is covered in the Installation Manual.

Topics that are documented in full in other manuals and only referenced from here include securing the deployment with SSL, single sign-on (SSO), LDAP authentication, users and roles, distributed deployments and forwarders, and the REST API. Where this manual touches one of those topics it names the manual that covers it.

Other manuals for the Splunk Enterprise administrator

The Admin Manual is one part of the documentation set. Related manuals cover installation, securing Splunk Enterprise, searching and reporting, building apps and views for Splunk Web (including simple XML), and the REST API. This manual is also available as a PDF through the "Download the Admin Manual as PDF" link.

Windows-specific administration, including the Windows inputs and the Windows apps, is covered in the Windows sections of this manual and in the documentation of those apps.

Splunk Enterprise on Windows and *nix

Splunk Enterprise runs on Windows and on *nix (Unix, Linux, Mac OS). Administration is largely the same on both platforms; where they differ (paths, environment variables, service control, the CLI) this manual shows both forms. See "Differences between *nix and Windows in Splunk operations" below.

Community resources

Besides the documentation, help is available from Splunk Answers, the Splunk Wiki, and the Splunk IRC channel (#splunk on EFNet).

About Splunk Free

Splunk Free is the free edition of Splunk Enterprise. It indexes up to 500 MB of data per day. The limit applies to the new data added each day, not to what is stored: you can add 500 MB every day and eventually hold, say, 10 TB of data in Splunk Free. If you need to index more than 500 MB per day, you need a Splunk Enterprise license.

If you exceed 500 MB per day more than three times in a rolling 30-day period, Splunk Free keeps indexing but disables search until you are back down to three or fewer warnings within the 30-day period.

Splunk Free is intended for personal, ad hoc use by a single person (for example, an IT administrator examining local logs), not for a shared production deployment: it has no authentication, so anyone who can reach the instance has full access to it.

What Splunk Free does and does not include

Splunk Free gives you a single Splunk Enterprise instance with its search, reporting, and data-input features. It does not include:

- Authentication and user management. There is no login and there are no roles; everyone who reaches the instance is effectively admin and can run index=* against all data. Keep a Splunk Free instance on a trusted network and never expose it to the Internet.
- Distributed search and clustering: it cannot act as a search head over other instances.
- Forwarding to non-Splunk systems over TCP/HTTP. It can still forward to Splunk Enterprise indexers (configured in outputs.conf), so Splunk Free is often used only as a standalone test instance or as a forwarder.
- Deployment server management and alerting.

Switching from Splunk Enterprise to Splunk Free

An Enterprise trial license expires after its trial period; you can then switch the instance to the Free license group. Splunk Web features that need an Enterprise license disappear after the switch.

1. In Splunk Web, go to Settings > Licensing.
2. Click Change license group.
3. Select Free license and click Save.
4. Restart Splunk Enterprise.

Differences between *nix and Windows in Splunk operations

Paths. *nix uses forward slashes (/) and Windows uses backslashes (\):

*nix:    /opt/splunk/bin/splunkd
Windows: C:\Program Files\Splunk\bin\splunkd.exe

Environment variables. On *nix a variable is referenced with a $ prefix, and set and exported like this (note that export takes the variable name, not its value):

# SPLUNK_HOME=/opt/splunk; export SPLUNK_HOME

On Windows a variable is surrounded with % signs. At the command prompt, set takes the rest of the line as the value, so no quotes are needed even though the path contains a space:

> set SPLUNK_HOME=C:\Program Files\Splunk
> echo %SPLUNK_HOME%
C:\Program Files\Splunk
>

On Windows, %SPLUNK_HOME% is also recorded in %SPLUNK_HOME%\etc\splunk-launch.conf, which the service reads at startup.

Character encoding. Configuration files must be plain ASCII/UTF-8. On Windows, make sure your editor saves .conf files as UTF-8 (without a byte-order mark) rather than in the local Windows code page; a file saved in another encoding is silently misread.

Ways to configure Splunk Enterprise

You can configure Splunk Enterprise through Splunk Web, the command-line interface (CLI), the configuration files directly, and the REST API. Apps carry their own configuration and take part in all of these.

Splunk Web

Splunk Web is the browser-based interface. It listens on port 8000 by default. On the machine running Splunk Enterprise, open http://localhost:8000; from another machine, open http://<hostname>:8000. By default the connection is plain HTTP; enabling HTTPS for Splunk Web is covered under web.conf below and in Securing Splunk Enterprise.

Everything you change in Splunk Web is written to .conf files. System-wide settings go to $SPLUNK_HOME/etc/system/local, and objects created inside an app go to that app's local directory under $SPLUNK_HOME/etc/apps; the shipped defaults in $SPLUNK_HOME/etc/system/default are never modified.

Splunk CLI

The Splunk CLI is $SPLUNK_HOME/bin/splunk (splunk.exe under %SPLUNK_HOME%\bin on Windows). To list the available commands:

./splunk help

The commands are the same on Windows and *nix; only the path separator and the shell conventions differ. See "Administer Splunk Enterprise with the CLI" later in this manual.

Apps

Apps package views, searches, and configuration. You install them from Splunk Apps (Splunkbase) or build your own, and you can manage them from Splunk Web, the CLI, or the REST API. Configuration in an app's local and default directories takes part in the precedence rules described under "Configuration files".

Deploy Splunk Enterprise on Windows

Concepts

Splunk Enterprise on Windows is installed either by hand or with a software-distribution tool such as System Center Configuration Manager or Tivoli/BigFix, and it can be built into a system image. Once installed it collects data locally (event logs, performance counters, files, the registry) or remotely over WMI (Windows Management Instrumentation). Which of these you use decides how many hosts you must install on, which accounts you need, and how much network traffic the collection adds.

Considerations before deployment

- Know the network: the LAN/WAN layout and any VLANs between collectors and indexers. Remote collection over WMI crosses these links for every poll.
- Know the Active Directory (AD) topology: which hosts are domain controllers (DCs), which are read-only domain controllers (RODCs, Windows Server 2008 R2 and later), which DC is the inter-site topology generator (ISTG) for each site, where DNS runs, and which DCs hold the Flexible Single Master Operation (FSMO) roles. These affect how Active Directory monitoring behaves and where Splunk Enterprise should be placed.
- Know the applications: Splunk Enterprise can monitor Microsoft Exchange, SQL Server, and Active Directory; apps for these are available from Splunk Apps.
- Know the Windows editions in use: Windows Server 2008/2008 R2 Server Core has no GUI, so there you administer Splunk Enterprise through the CLI or from Splunk Web on another host. Across a WAN, prefer the CLI.
- Decide whether hosts are collected locally (a forwarder on each host) or remotely (WMI from a central collector). Remote WMI collection needs a domain account with rights on every target and adds network load; local forwarders scale better.

Hardware and storage

- Splunk Enterprise is disk I/O bound. Use fast disks (10,000 RPM or better) and, where RAID is used, RAID 1+0 (RAID 10). Do not use Windows software RAID for index storage.
- Do not install Splunk Enterprise, or place its indexes, on the operating system volume (the one holding %WINDIR%).
- Do not place indexes on network shares such as Distributed File System (DFS) or NFS mounts; indexing needs local block storage.
- Keep at least 20% of the index volume free. By default Splunk Enterprise stops indexing when free space on the index volume falls below 5000 MB (about 5 GB); this is the minFreeSpace setting.
- Size RAM and CPU for the load: concurrent searches use CPU and memory, indexing uses I/O. Remote WMI collection and monitoring of Exchange, Office, or Active Directory add to the collector's own load.

Choose the user Splunk Enterprise runs as

splunkd runs as the Local System account by default, which can read local files, event logs, and performance data but cannot authenticate to other hosts. For remote WMI collection, or to read data on domain members such as Exchange or SQL Server, run splunkd as a domain user that holds only the rights it needs on the targets; do not use a Domain Admin account. Splunk Web runs under the same account. The choice is made at install time, so decide it before building images.

Put Splunk Enterprise into a system image

To include Splunk Enterprise in a base Windows image without ever starting it on the template machine:

1. Install and configure Windows.
2. Install Splunk Enterprise, but do not let it start: pass LAUNCHSPLUNK=0 to the installer.
3. Add the apps and configuration files the clones should carry.
4. Open a PowerShell window and change to the Splunk Enterprise bin directory.
5. Run:
   .\splunk clone-prep-clear-config
   This removes instance-specific state (the server name and the instance GUID in etc\instance.cfg) so that every clone generates its own at first start. Without it, all clones report the same GUID, and deployment servers, indexer clusters, and license masters treat them as a single host.
6. Close PowerShell.
7. In Services, set the splunkd service to start manually (or disable it) so the image does not start Splunk Enterprise when it is first booted.
8. Prepare the image with the Windows System Image Manager (WSIM) and sysprep. Microsoft does not support third-party SID changers such as Ghost Walker or NTSID; use SYSPREP/WSIM to generate new machine SIDs.
9. Capture the image.

To image a machine on which Splunk Enterprise has already been run:

1. Install and configure Windows.
2. Install Splunk Enterprise.
3. Configure Splunk Enterprise (inputs, apps, settings) from the GUI or the CLI.
4. Verify the configuration works as intended.
5. Stop Splunk Enterprise: in %SPLUNK_HOME%\bin run .\splunk stop
6. Remove all indexed data: .\splunk clean eventdata
7. Clear the instance-specific configuration: .\splunk clone-prep-clear-config
8. In Services, set the splunkd and splunkweb services to manual start.
9. Run SYSPREP (Windows XP, Windows Server 2003/2003 R2) or WSIM (Windows Vista, Windows 7, Windows Server 2008/2008 R2) to prepare the image. Do not use third-party SID changers (Ghost Walker, NTSID); Microsoft does not support them.
10. Capture the image.

Log in to Splunk Web for the first time

Splunk Web is the browser interface to Splunk Enterprise. After starting Splunk Enterprise, open:

http://mysplunkhost:<port>

replacing mysplunkhost with the host name (or IP address) and <port> with the Splunk Web port, 8000 by default.

On Splunk Enterprise the initial credentials are:

user name: admin
password:  changeme

Change this password the first time you log in; it is the same on every fresh installation. (Splunk Free has no login.)

Remote login with the default password

Since Splunk 4.1.4 the allowRemoteLogin setting in $SPLUNK_HOME/etc/system/local/server.conf controls whether logins from other hosts are accepted. With its default value, requireSetPassword, Splunk Enterprise refuses remote login for the admin account while it still has the default password, and Splunk Free refuses remote login altogether. Setting it to always removes that check; do not do so before the default password has been changed.

Managing users

Users can be created in Splunk Enterprise's own authentication store or mapped in from LDAP (see the LDAP section of Securing Splunk Enterprise). In Splunk Web:

Settings > Access controls > Users                  add, edit, and delete users and assign roles
Settings > Access controls > Roles                  define roles, their capabilities, and index access
Settings > Access controls > Authentication method  choose Splunk or LDAP authentication

Give each administrator a personal account with the admin role rather than sharing the admin user, so that the audit trail attributes actions to people.

Using Splunk Web

The app bar shows the apps you have access to. Select an app to change context, or open Apps > Manage Apps to install an app from a file, browse Splunk Apps, or enable and disable installed apps.

The Settings menu is the administrative entry point. Settings > Server settings lets you change general settings such as the splunkd and Splunk Web ports, and Settings > Server controls lets you restart Splunk Enterprise:

- Restart Splunk restarts the whole instance.
- Both splunkd and Splunk Web are restarted.
- Active searches are interrupted; users must log in again.

Other Settings pages cover data inputs, indexes, forwarding and receiving, distributed search, and access controls.

Platform apps, such as the Splunk App for Unix and Linux and the Splunk App for Windows, add inputs and views for the operating system they target (the *nix app collects os-level data with scripted inputs, the Windows app with event log, performance, and WMI inputs).

Restart Splunk Enterprise from Splunk Web

1. Go to Settings > Server controls.
2. Click Restart Splunk.
3. Confirm the restart. Splunk Web is unavailable while splunkd restarts.
4. Log in again when Splunk Web returns.

Customize Splunk Web messages

Users who hold the admin_all_objects capability see bulletin messages in Splunk Web, for example warnings from splunkd. Message text, severity, and who sees each message are defined in messages.conf:

$SPLUNK_HOME/etc/system/default/messages.conf   (*nix)
%SPLUNK_HOME%\etc\system\default\messages.conf  (Windows)

Never edit the default file. Copy the stanza you want to change into $SPLUNK_HOME/etc/system/local/messages.conf (or an app's local directory) and change it there. For example, the message shown when too many search artifacts accumulate in the dispatch directory is defined as:

[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU]
message = The number of search artifacts in the dispatch directory is higher than recommended (count=%lu, warning threshold=%lu) and could have an impact on search performance.
action = Remove excess search artifacts using the "splunk clean-dispatch" CLI command, and review artifact retention policies in limits.conf and savedsearches.conf. You can also raise this warning threshold in limits.conf / dispatch_dir_warning_size.
severity = warn
capabilities = admin_all_objects
help = message.dispatch.artifacts

The stanza name, DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU, is the message identifier and must be kept exactly as is; the %lu placeholders are filled in by splunkd when the message is raised.

Restrict who sees a message

A message is shown to users who hold the capabilities listed in its stanza. To change this, override the stanza in a local messages.conf (in $SPLUNK_HOME/etc/system/local or an app's local directory) and set capabilities to a comma-separated list:

[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU]
capabilities = admin_all_objects, can_delete

Only the settings you override need to appear in the local stanza; everything else is inherited from the default file. Restart Splunk Enterprise for the change to take effect. messages.conf.spec lists all settings.

You can instead target roles directly with the roles setting:

[DISPATCHCOMM:TOO_MANY_JOB_DIRS__LU_LU]
roles = admin

Again, restart Splunk Enterprise after the change.

About configuration files

Splunk Enterprise is configured through .conf files. The shipped defaults live in $SPLUNK_HOME/etc/system/default/. Changes made in Splunk Web or with the CLI are written to .conf files in a local directory, usually $SPLUNK_HOME/etc/system/local or $SPLUNK_HOME/etc/apps/<app>/local; Splunk Web never writes to a default directory. For example, when you add an index in Splunk Web:

1. Splunk Web collects the settings for the new index.
2. It writes an indexes.conf stanza to $SPLUNK_HOME/etc/system/local.
3. That indexes.conf is merged with every other indexes.conf on the instance, in the precedence order described in the next section.
4. The shipped defaults in $SPLUNK_HOME/etc/system/default remain untouched.

Some settings have no Splunk Web or CLI equivalent and can only be set in the files. For every .conf file there is a .spec file that documents each setting and an .example file with sample stanzas, both in $SPLUNK_HOME/etc/system/README.

The default directory

Never edit files in $SPLUNK_HOME/etc/system/default or in an app's default directory. An upgrade replaces the default directories, and any change made there is lost. Put your changes in the corresponding local directory, where they survive upgrades and take precedence over the defaults:

Never edit anything in /default. -- duckfez, 2010

Where to put your changes

$SPLUNK_HOME/etc/system/local
    Local system settings. Highest precedence in the global context.

$SPLUNK_HOME/etc/slave-apps/[_cluster|<app>]/[local|default]
    On an indexer cluster peer, the configuration bundle pushed from the cluster master. _cluster holds the bundle-wide settings such as the shared indexes.conf. Do not edit these directories on the peer; change the bundle on the master and push it again.

$SPLUNK_HOME/etc/apps/<app>/[local|default]
    App settings. Objects you create in Splunk Web while working in an app go to that app's local directory; for the Search app, for example, $SPLUNK_HOME/etc/apps/search/local/.

$SPLUNK_HOME/etc/users
    Per-user settings (private knowledge objects), used in the app/user context.

$SPLUNK_HOME/etc/system/README
    The .spec and .example files, two per configuration file (for example inputs.conf.spec and inputs.conf.example).

Configuration file structure

A .conf file consists of stanzas. A stanza begins with a header in square brackets and is followed by attribute = value lines. For example, the [SSL] stanza in inputs.conf names the certificate used by SSL-enabled TCP inputs:

[SSL]
serverCert = <path to the server certificate>
password = <certificate password>

The next time splunkd starts it rewrites clear-text values such as this password into an obfuscated form keyed to $SPLUNK_HOME/etc/auth/splunk.secret. The obfuscation is reversible by anyone who can read splunk.secret, so protect the .conf files and splunk.secret with file-system permissions rather than relying on it.

The general form of a file is:

[stanza1_header]
<attribute1> = <val1>
# comment
<attribute2> = <val2>
...

[stanza2_header]
<attribute1> = <val1>
<attribute2> = <val2>
...

Attribute names are case sensitive: sourcetype = my_app and SOURCETYPE = my_app are two different things, and only the first is recognized. Whether a value is case sensitive depends on the attribute; check the .spec file.

Stanza scope and inheritance

Some files have a global stanza whose settings apply to all of the more specific stanzas in the file. In outputs.conf the [tcpout] stanza sets defaults for every [tcpout:<target group>] stanza:

[tcpout]
indexAndForward=true
compressed=true

[tcpout:my_indexersA]
compressed=false
server=mysplunk_indexer1:9997, mysplunk_indexer2:9997

[tcpout:my_indexersB]
server=mysplunk_indexer3:9997, mysplunk_indexer4:9997

Two target groups are defined, and both inherit indexAndForward=true from [tcpout]. my_indexersA overrides compressed to false; my_indexersB says nothing about compression and so inherits compressed=true. outputs.conf.spec lists which settings may appear in the global [tcpout] stanza.

The same stanza can also be defined in several copies of the same file, in the system directories, in different apps, or in a user directory. Which copy wins is decided by the precedence rules in the next section, so before editing a file decide whether the setting belongs in system/local or in an app's local directory.

  • ()

    App App AB

    props.conf props.conf

    App App

    2

    App App App App

    App App

    indexes.conf

    Splunk Splunk

    (App/)

    1.1. local -- 2.2.App local 3.3.App default 4.4. default --

    inputs.conf Splunk system/local app system/local system app system/default

    (slave-app) App

    1.1. App local ()() -- 2.2. local 3.3.App local 4.4. App default ()()5.5.App default 6.6. default --

    ( App local )

    25

Precedence in the app/user context

From highest to lowest, for the current user and the app currently running:

1. The user directory of the current user ($SPLUNK_HOME/etc/users/<user>/<app>/local)
2. The directory of the currently running app (local, then default)
3. The directories of all other apps (local, then default), for objects those apps export
4. The system directories (local, then default)

For example, a saved search in savedsearches.conf can exist in the user, app, and system directories; the user's private copy wins, then the running app's copy, then the system copy.

How app directories are ordered

When the same attribute is set in two different apps' directories, the app whose directory name comes first in ASCII order wins. The order is lexicographic, not alphabetical in the everyday sense: uppercase letters sort before lowercase letters, and numbers sort digit by digit. These directories therefore rank in this order, highest first:

$SPLUNK_HOME/etc/apps/myapp1
$SPLUNK_HOME/etc/apps/myapp10
$SPLUNK_HOME/etc/apps/myapp2
$SPLUNK_HOME/etc/apps/myapp20
...
$SPLUNK_HOME/etc/apps/myappApple
$SPLUNK_HOME/etc/apps/myappBanana
$SPLUNK_HOME/etc/apps/myappZabaglione
...
$SPLUNK_HOME/etc/apps/myappapple
$SPLUNK_HOME/etc/apps/myappbanana
$SPLUNK_HOME/etc/apps/myappzabaglione
...

Splunk Enterprise compares names as UTF-8 byte strings, which for ASCII names is plain ASCII order. A consequence is that the numbers 10, 9, 70, 100 sort as 10, 100, 70, 9.

Summary: directory precedence in the global context

$SPLUNK_HOME/etc/system/local/*
$SPLUNK_HOME/etc/apps/A/local/* ... $SPLUNK_HOME/etc/apps/z/local/*
$SPLUNK_HOME/etc/apps/A/default/* ... $SPLUNK_HOME/etc/apps/z/default/*
$SPLUNK_HOME/etc/system/default/*

Summary: directory precedence in the global context on an indexer cluster peer

$SPLUNK_HOME/etc/slave-apps/A/local/* ... $SPLUNK_HOME/etc/slave-apps/z/local/*
$SPLUNK_HOME/etc/system/local/*
$SPLUNK_HOME/etc/apps/A/local/* ... $SPLUNK_HOME/etc/apps/z/local/*
$SPLUNK_HOME/etc/slave-apps/A/default/* ... $SPLUNK_HOME/etc/slave-apps/z/default/*
$SPLUNK_HOME/etc/apps/A/default/* ... $SPLUNK_HOME/etc/apps/z/default/*
$SPLUNK_HOME/etc/system/default/*

Within slave-apps/[local|default] the _cluster directory is ordered by the same ASCII rule as any app: the underscore (_) sorts after uppercase letters and before lowercase ones, so _cluster ranks below an app named AnApp and above one named anApp.

Summary: directory precedence in the app/user context

$SPLUNK_HOME/etc/users/*
$SPLUNK_HOME/etc/apps/Current_running_app/local/*
$SPLUNK_HOME/etc/apps/Current_running_app/default/*
$SPLUNK_HOME/etc/apps/A/local/*, $SPLUNK_HOME/etc/apps/A/default/*, ... $SPLUNK_HOME/etc/apps/z/local/*, $SPLUNK_HOME/etc/apps/z/default/* (but see note below)
$SPLUNK_HOME/etc/system/local/*
$SPLUNK_HOME/etc/system/default/*

Note: in the app/user context the currently running app's local and default directories both outrank every other app. Another app C contributes only objects it has exported to all apps (export = system in its default.meta), and then $SPLUNK_HOME/etc/apps/C/local/* and $SPLUNK_HOME/etc/apps/C/default/* are consulted in ASCII order like the rest. Objects under /etc/users/ are consulted only for their owner.

Example: attribute precedence for props.conf

For its index-time settings, props.conf is evaluated in the global context. Suppose two copies configure the same source:

$SPLUNK_HOME/etc/system/local/props.conf

[source::/opt/Locke/Logs/error*]
sourcetype = fatal-error

$SPLUNK_HOME/etc/apps/t2rss/local/props.conf

[source::/opt/Locke/Logs/error*]
sourcetype = t2rss-error
SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = True

The t2rss app sets sourcetype to t2rss-error, but system/local sets it to fatal-error, and system/local wins in the global context. The two line-merging attributes are set only by the app, so they survive. The effective configuration is:

[source::/opt/Locke/Logs/error*]
sourcetype = fatal-error

SHOULD_LINEMERGE = True
BREAK_ONLY_BEFORE_DATE = True

Splunk Enterprise merges attribute by attribute, not stanza by stanza: a higher-precedence stanza overrides only the attributes it actually sets. The same merging applies in the app/user context. To see the merged result and the file each value came from, run ./splunk btool props list --debug.
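The layering rules above are easy to get wrong by hand, so here they are as code. The following Python example is added here; it is not from the Splunk documentation or from Splunk's own implementation. It models the global-context precedence (system/local over apps/*/local over apps/*/default over system/default, with the earlier-sorting app name winning inside a tier) on constructed sample stanzas, including the props.conf example above, and reports which layer supplied each value, the way btool --debug does. The directory names are illustrative.

```python
# Added example (not Splunk's own code): models how Splunk Enterprise merges
# the same .conf file from several directories in the *global* context.
# Layers are listed from lowest to highest precedence; later layers win
# attribute by attribute, and non-conflicting attributes are kept.
# Sample stanzas below are constructed for the example.
from typing import Dict, List, Tuple

Conf = Dict[str, Dict[str, str]]           # stanza header -> {attribute: value}
Merged = Dict[str, Dict[str, Tuple[str, str]]]  # header -> {attribute: (value, layer)}


def app_order(app_names: List[str]) -> List[str]:
    """Splunk orders app directories by ASCII (lexicographic) order, not by
    natural numeric order: 'myapp10' sorts before 'myapp2', and every
    uppercase name sorts before every lowercase name."""
    return sorted(app_names)


def global_layers(system: Dict[str, Conf], apps: Dict[str, Dict[str, Conf]]) -> List[Tuple[str, Conf]]:
    """Build the precedence list for the global context:
    system/default < apps/*/default < apps/*/local < system/local.
    Within a tier an app that sorts *earlier* in ASCII order has higher
    precedence, so it must be applied later than the others."""
    layers: List[Tuple[str, Conf]] = [("system/default", system.get("default", {}))]
    for tier in ("default", "local"):
        for app in reversed(app_order(list(apps))):   # last in ASCII order is applied first
            layers.append((f"apps/{app}/{tier}", apps[app].get(tier, {})))
    layers.append(("system/local", system.get("local", {})))
    return layers


def merge(layers: List[Tuple[str, Conf]]) -> Merged:
    """Merge stanza by stanza and attribute by attribute, recording the
    layer that supplied each winning value."""
    out: Merged = {}
    for layer_name, conf in layers:
        for stanza, attrs in conf.items():
            target = out.setdefault(stanza, {})
            for key, value in attrs.items():
                target[key] = (value, layer_name)
    return out


def effective_props() -> Merged:
    """The props.conf example from this section: system/local sets
    sourcetype=fatal-error, the t2rss app's local directory sets
    sourcetype=t2rss-error plus two line-merging attributes. system/local
    wins the conflict and the app's other attributes survive."""
    stanza = "source::/opt/Locke/Logs/error*"
    system = {"local": {stanza: {"sourcetype": "fatal-error"}}}
    apps = {"t2rss": {"local": {stanza: {
        "sourcetype": "t2rss-error",
        "SHOULD_LINEMERGE": "True",
        "BREAK_ONLY_BEFORE_DATE": "True",
    }}}}
    return merge(global_layers(system, apps))


if __name__ == "__main__":
    for stanza, attrs in effective_props().items():
        print(f"[{stanza}]")
        for key, (value, src) in attrs.items():
            print(f"{key} = {value}    # from {src}")
```

Feed merge() the cluster-peer layer order from the summary above (slave-apps local first, slave-apps default between app local and app default) to model a peer; the function does not care which directories the layers represent.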

Which files are evaluated in which context

Global context (settings merged system-wide, independent of user and app):

admon.conf
authentication.conf
authorize.conf
crawl.conf
deploymentclient.conf
distsearch.conf
indexes.conf
inputs.conf
outputs.conf
pdf_server.conf
procmonfilters.conf
props.conf -- global and app/user context
pubsub.conf
regmonfilters.conf
report_server.conf
restmap.conf
searchbnf.conf
segmenters.conf
server.conf
serverclass.conf
serverclass.seed.xml.conf
source-classifier.conf
sourcetypes.conf
sysmon.conf
tenants.conf
transforms.conf -- global and app/user context
user-seed.conf -- special case: Must be located in /system/default
web.conf
wmi.conf

App/user context (settings that depend on the current user and app):

alert_actions.conf
app.conf
audit.conf
commands.conf
eventdiscoverer.conf
event_renderers.conf
eventtypes.conf
fields.conf
limits.conf
literals.conf
macros.conf
multikv.conf
props.conf -- global and app/user context
savedsearches.conf
tags.conf
times.conf
transactiontypes.conf
transforms.conf -- global and app/user context
user-prefs.conf
workflow_actions.conf

props.conf and transforms.conf appear in both lists because they contain both kinds of settings: index-time settings (line breaking, timestamping, index-time transforms) are merged in the global context, and search-time settings (field extractions, lookups) are merged in the app/user context. A single props.conf can therefore be merged twice, once in each context, with different results.

Use btool to see the effective configuration

The btool command prints the merged result of every copy of a .conf file in precedence order, and with --debug shows which file each value comes from:

./splunk btool props list --debug

Attribute precedence within a single props.conf file

Inside one props.conf, several stanzas can match the same event stream. There are two kinds of stanza: literal-matching stanzas (for example [source::/var/log/messages]) and pattern-matching stanzas, whose headers contain * or ... (for example [source::.../bar/*]). Literal-matching stanzas take precedence over pattern-matching ones. When two or more pattern-matching stanzas match the same item, the one whose header comes first in ASCII order wins:

[source::.../bar/baz]
attr = val1

[source::.../bar/*]
attr = val2

For a file under .../bar/baz both headers match, and the second stanza's value, val2, is used: * (ASCII 42) sorts before b (ASCII 98), so [source::.../bar/*] comes first in ASCII order.

Overriding ASCII order with priority

Use the priority setting to override the default ASCII order between pattern-matching stanzas. Given

[source::...a...]
sourcetype = a

[source::...z...]
sourcetype = z

a source whose path contains both a and z gets sourcetype a, because source::...a... precedes source::...z... in ASCII order. Adding priorities reverses this:

[source::...a...]
sourcetype = a
priority = 5

[source::...z...]
sourcetype = z
priority = 10

Now the second stanza wins and the sourcetype is z: a higher priority number means higher precedence.

priority also changes the balance between literal-matching and pattern-matching stanzas. By default a literal-matching stanza has priority 100 and a pattern-matching stanza priority 0, which is what makes literal matches win; give a pattern-matching stanza a priority above 100 and it beats a literal match.

Precedence between stanza types

props.conf stanzas can be keyed by source, host, or sourcetype. When stanzas of different types match the same event, source stanzas take precedence over host stanzas, and host stanzas over sourcetype stanzas. priority applies across types as well: a sourcetype stanza with a higher priority than a matching host stanza takes precedence over it. See props.conf.spec for the details. Each event is evaluated against all three keys (host, source, sourcetype) at once, so a single event can pick up attributes from one stanza of each type.
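To check the rules above against concrete headers, here is an added Python example (not Splunk's own code) that resolves which props.conf stanza wins for a given source. It implements the three rules the text gives: literal-matching stanzas beat pattern-matching ones (default priority 100 versus 0), ASCII order of the header breaks ties, and an explicit priority overrides both. The pattern translation (... matches anything including /, * matches anything except /) follows props.conf.spec; the stanzas and file paths are the constructed examples from this section.

```python
# Added example (not Splunk's own code): picks the winning props.conf stanza
# for a source path. Rules modelled from this section:
#   1. literal-matching stanzas beat pattern-matching ones (default priority
#      100 vs 0),
#   2. among matching stanzas of equal priority, the header that sorts first
#      in ASCII order wins,
#   3. an explicit 'priority' setting overrides both; higher number wins.
# Header patterns use props.conf syntax: '...' matches any characters
# including '/', '*' matches any characters except '/'.
import re
from typing import Dict, List, Optional, Tuple

Conf = Dict[str, Dict[str, str]]           # stanza header -> {attribute: value}
LITERAL_DEFAULT_PRIORITY = 100
PATTERN_DEFAULT_PRIORITY = 0


def is_pattern(header: str) -> bool:
    return "*" in header or "..." in header


def header_to_regex(header: str) -> "re.Pattern[str]":
    """Translate 'source::...a...' style headers into an anchored regex."""
    spec = header.split("::", 1)[1]
    out, i = "", 0
    while i < len(spec):
        if spec.startswith("...", i):
            out += ".*"
            i += 3
        elif spec[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(spec[i])
            i += 1
    return re.compile("^" + out + "$")


def matching_stanzas(conf: Conf, source: str) -> List[str]:
    """All source:: stanzas whose literal path equals, or pattern matches, the source."""
    return [h for h in conf if h.startswith("source::")
            and (h.split("::", 1)[1] == source or header_to_regex(h).match(source))]


def winning_stanza(conf: Conf, source: str) -> Optional[str]:
    """Pick the stanza whose attributes apply to `source`."""
    def rank(header: str) -> Tuple[int, str]:
        default = PATTERN_DEFAULT_PRIORITY if is_pattern(header) else LITERAL_DEFAULT_PRIORITY
        prio = int(conf[header].get("priority", default))
        return (-prio, header)       # higher priority first, then ASCII order
    matches = matching_stanzas(conf, source)
    return min(matches, key=rank) if matches else None


def resolve_sourcetype(conf: Conf, source: str) -> Optional[str]:
    header = winning_stanza(conf, source)
    return conf[header].get("sourcetype") if header else None


# Constructed props.conf content taken from this section's examples.
NO_PRIORITY: Conf = {
    "source::...a...": {"sourcetype": "a"},
    "source::...z...": {"sourcetype": "z"},
}
WITH_PRIORITY: Conf = {
    "source::...a...": {"sourcetype": "a", "priority": "5"},
    "source::...z...": {"sourcetype": "z", "priority": "10"},
}
BAR_EXAMPLE: Conf = {
    "source::.../bar/baz": {"attr": "val1"},
    "source::.../bar/*": {"attr": "val2"},
}

if __name__ == "__main__":
    print(resolve_sourcetype(NO_PRIORITY, "/var/log/az.log"))     # a: ASCII order
    print(resolve_sourcetype(WITH_PRIORITY, "/var/log/az.log"))   # z: priority 10 > 5
    print(winning_stanza(BAR_EXAMPLE, "/opt/bar/baz"))           # source::.../bar/*
```

Compare the output with ./splunk btool props list --debug on a real instance before relying on a stanza that depends on ASCII ordering; adding an explicit priority is clearer than depending on header spelling.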

Example: set a source type for a single file

To assign sourcetype = xml_file to one file, mylogfile.xml, add a source stanza to props.conf. If the file is rewritten in place rather than appended to, also tell the file monitor to re-read the whole file whenever its first or last 256 bytes change:

[source::/var/log/mylogfile.xml]
sourcetype = xml_file
CHECK_METHOD = endpoint_md5

Where to put the stanza: local or app

1. For a system-wide setting, use $SPLUNK_HOME/etc/system/local; for a setting that belongs to an app, use that app's local directory.
2. Restart Splunk Enterprise (or reload, where the file supports it) after editing.
3. Verify the merged result with btool.

Settings with an empty value

An attribute set to nothing, for example

forwardedindex.0.whitelist =

is a valid way of clearing a default value; it is not the same as deleting the line, which would let the default through.

Comments

A comment line starts with # in the first column:

#
# This stanza forwards some log files.
[monitor:///var/log]

Do not put a comment on the same line as a stanza header or an attribute. Splunk Enterprise does not treat it as a comment:

[monitor:///var/log] # This is a really bad place to put your comment.
a_setting = 5 #5 is the best number

Here the stanza header is taken to be the whole of the first line, so the monitor input is silently misconfigured, and a_setting gets the value "5 #5 is the best number".

Windows and UTF-8

Configuration files must be ASCII/UTF-8. On Windows, editors may save in the local code page or add a byte-order mark; save .conf files as UTF-8 without a BOM, or the first stanza header will not be recognized.
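The comment rule above and the [tcpout] inheritance described under "Stanza scope and inheritance" are both things a config linter should catch before a file reaches production. The following Python example is added here and is not Splunk's own code or its real parser: it parses the stanza / attribute = value syntax the way this section describes (only whole-line comments are dropped), applies the global [tcpout] defaults to each [tcpout:<group>] stanza, and shows how a trailing comment ends up inside a stanza name or value. The outputs.conf text is the constructed example from this section with the bad-comment lines appended.

```python
# Added example (not Splunk's own code): a minimal parser for Splunk .conf
# syntax that demonstrates two behaviours described in this section:
#   * a [tcpout:<group>] stanza inherits settings from the global [tcpout]
#     stanza unless it overrides them, and
#   * '#' starts a comment only at the beginning of a line; a '#' after a
#     stanza header or a value is part of that header or value.
from typing import Dict

Conf = Dict[str, Dict[str, str]]

# Constructed from the outputs.conf and comment examples in this section.
OUTPUTS_CONF = """\
# This stanza sets defaults for all tcpout groups.
[tcpout]
indexAndForward=true
compressed=true

[tcpout:my_indexersA]
compressed=false
server=mysplunk_indexer1:9997, mysplunk_indexer2:9997

[tcpout:my_indexersB]
server=mysplunk_indexer3:9997, mysplunk_indexer4:9997

[monitor:///var/log] # This is a really bad place to put your comment.
a_setting = 5 #5 is the best number
"""


def parse_conf(text: str) -> Conf:
    """Parse stanzas and key = value lines. Only whole-line comments are
    dropped; trailing '#' text is kept, which is how Splunk reads it."""
    conf: Conf = {}
    stanza = "default"                      # keys before any header belong to [default]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # a well-formed header ends in ']'; anything after it becomes part
            # of the stanza name and silently breaks the stanza
            stanza = line[1:line.rfind("]")] if line.endswith("]") else line[1:]
            conf.setdefault(stanza, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                        # not an attribute line; ignore
        conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf


def effective_tcpout_groups(conf: Conf) -> Dict[str, Dict[str, str]]:
    """Apply the [tcpout] defaults to every [tcpout:<group>] stanza."""
    base = conf.get("tcpout", {})
    groups: Dict[str, Dict[str, str]] = {}
    for name, attrs in conf.items():
        if name.startswith("tcpout:"):
            merged = dict(base)
            merged.update(attrs)            # the group's own settings win
            groups[name.split(":", 1)[1]] = merged
    return groups


def suspicious_headers(conf: Conf) -> Dict[str, str]:
    """Stanza names that contain a '#' are almost always a misplaced comment."""
    return {name: "comment inside stanza header" for name in conf if "#" in name}


if __name__ == "__main__":
    parsed = parse_conf(OUTPUTS_CONF)
    for group, attrs in effective_tcpout_groups(parsed).items():
        print(group, attrs)
    print(suspicious_headers(parsed))
```

Running this over a directory of local .conf files before a restart is a cheap way to catch the misplaced-comment mistake, which otherwise shows up only as an input that never starts.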

When to restart Splunk Enterprise after a configuration change

Changes made in Splunk Web or with the CLI are normally applied at once. Changes made by editing .conf files are picked up in one of three ways, depending on the file.

Changes that require a restart of Splunk Web (splunkweb): settings in web.conf such as the Splunk Web port or enabling SSL for Splunk Web.

Changes that require a restart of splunkd: server.conf, most of inputs.conf and outputs.conf, licensing, and anything that affects index-time processing. splunk restart restarts both processes; Splunk Web's Server controls page does the same.

Changes that do not require a restart: anything changed in Splunk Web or through the CLI; apps installed from Splunk Web (unless the app itself asks for a restart); LDAP settings in authentication.conf, which are reloaded from Splunk Web (see below); and the search-time parts of the files listed next.

Changes that always require a restart of the whole instance: web.conf, indexes.conf for an existing index (new indexes can be added through Splunk Web or the CLI without a restart), operating-system level changes such as the user splunkd runs as, and apps added or removed by copying directories by hand.

Files whose search-time settings are reloaded without a restart:

macros.conf
props.conf
transforms.conf

savedsearches.conf (reloaded on the scheduler's next pass, or on demand through the refresh URL below)

Refreshing knowledge objects without a restart

From an administrator's session in Splunk Web you can reload most knowledge objects (saved searches, macros, lookups, field extractions, and the other search-time settings in props.conf and transforms.conf) with this URL:

http://<host>:8000/en-GB/debug/refresh

To reload only one kind of object, pass the REST endpoint name with entity=. Two useful ones for transforms.conf:

http://<host>:8000/en-us/debug/refresh?entity=admin/transforms-lookup
    for new lookup file definitions that reside within transforms.conf
http://<host>:8000/en-us/debug/refresh?entity=admin/transforms-extract
    for new field transforms/extractions that reside within transforms.conf

The debug/refresh page re-reads configuration for the whole instance and requires an administrator login; treat it as an administrative action, not a link to hand to users.

To reload authentication.conf after changing LDAP settings, use Splunk Web: Settings > Access controls > Authentication method > Reload authentication configuration.

Changes that take effect only after a restart

1. Index-time settings in props.conf and transforms.conf (line breaking, timestamp extraction, index-time transforms). The search-time settings in the same files are refreshed as described above.
2. Configuration in an app that you added by copying its directory into $SPLUNK_HOME/etc/apps by hand.
3. Anything not listed as reloadable above; when in doubt, restart.

Saved searches created or changed through the REST API take effect immediately, as do those changed in Splunk Web.

Configuration file reference

The following sections list the configuration files. Each has a .spec file describing every setting and an .example file with sample stanzas in $SPLUNK_HOME/etc/system/README; the shipped defaults are in $SPLUNK_HOME/etc/system/default/.

List of configuration files

alert_actions.conf         Actions taken when an alert fires: email, script, summary indexing, and custom alert actions.
app.conf                   Properties of an app: name, version, visibility, and whether it is enabled.
audit.conf                 Audit trail settings: hashing and signing of audit events.
authentication.conf        Authentication: Splunk's built-in store, LDAP, SAML, and scripted authentication, including LDAP strategies and role mappings.
authorize.conf             Roles and the capabilities, index access, and search limits assigned to them.
checklist.conf             Health-check items run by the monitoring console.
collections.conf           App Key Value Store (KV store) collections and their field definitions.
commands.conf              Custom search commands.
datamodels.conf            Data models and data model acceleration.
default.meta.conf          Permissions and sharing (export) of the objects in an app, used by Splunk Apps.
deploymentclient.conf      Deployment client settings: which deployment server to poll and how often.
distsearch.conf            Distributed search: search peers and related settings.
event_renderers.conf       Custom event rendering.
eventtypes.conf            Event type definitions.
fields.conf                Field properties, such as multivalue fields and indexed fields.
indexes.conf               Index definitions: storage paths, retention, and size limits.
inputs.conf                Data inputs.
instance.cfg.conf          Instance-specific settings, notably the instance GUID.
limits.conf                Limits on search, indexing, and other subsystems (including resource usage).
literals.conf              Text strings shown in Splunk Web.
macros.conf                Search macros (the [name] stanzas referenced from searches).
multikv.conf               Extraction rules for tabular command output (ps, netstat, ls, and similar).
outputs.conf               Forwarding: where and how data is sent.
passwords.conf             Credentials stored by apps, obfuscated with splunk.secret.
procmon-filters.conf       Windows process monitoring filters.
props.conf                 Processing rules per source, host, and sourcetype: line breaking, timestamps, transforms, field extraction.
pubsub.conf                Publish/subscribe (deployment server messaging) settings.
restmap.conf               REST endpoint definitions and the capabilities they require.
savedsearches.conf         Saved searches, reports, and alerts.
searchbnf.conf             Search command syntax (BNF) for the search assistant.
segmenters.conf            Event segmentation rules.
server.conf                splunkd and Splunk Web server settings, including SSL, clustering, and licensing.
serverclass.conf           Deployment server: server classes and the apps they deploy.
serverclass.seed.xml.conf  Seed configuration for deployment clients.
source-classifier.conf     Automatic source type recognition (training terms).
sourcetypes.conf           Source types learned automatically by Splunk Enterprise.
tags.conf                  Tags.
telemetry.conf             Telemetry (usage data) settings for apps.
times.conf                 Time ranges offered in the time picker, per app.
transactiontypes.conf      Transaction definitions.
transforms.conf            Transforms referenced from props.conf: index-time transforms, field extractions, lookups.
ui-prefs.conf              UI preferences.
user-seed.conf             Initial admin user and password applied on first start.
visualizations.conf        Custom visualizations provided by an app.
viewstates.conf            Saved UI view states.
web.conf                   Splunk Web settings, including the port and HTTPS.
wmi.conf                   Windows Management Instrumentation (WMI) inputs.
workflow_actions.conf      Workflow actions.

Two of these deserve a note on handling. passwords.conf, and the obfuscated values in server.conf and inputs.conf, are only as secret as $SPLUNK_HOME/etc/auth/splunk.secret: anyone who can read both can recover the credentials, so restrict file-system access to $SPLUNK_HOME/etc and do not copy splunk.secret into backups or images without the same protection. user-seed.conf holds the initial admin password in clear text and is meant only for first start; remove it once the instance is up, and never leave it in a system image.

Configuration parameters and the data pipeline

Data moves through Splunk Enterprise in phases: input, parsing, indexing, and search. Each configuration setting applies to exactly one phase, and in a distributed deployment the phase decides where the setting must live: input settings belong on the instance that collects the data (usually a forwarder), parsing and indexing settings on the first instance with a full parsing pipeline (a heavy forwarder or an indexer), and search settings on the search head. A parsing setting placed on a universal forwarder has no effect, with one exception: universal forwarders do perform structured-data parsing (INDEXED_EXTRACTIONS for CSV, JSON, and similar formats), so those settings go on the forwarder. A search-time setting placed only on an indexer is never consulted.

Settings by pipeline phase

Input phase
  inputs.conf
  props.conf: CHARSET, NO_BINARY_CHECK, CHECK_METHOD, CHECK_FOR_HEADER, PREFIX_SOURCETYPE, sourcetype
  wmi.conf, regmon-filters.conf

Structured parsing phase
  props.conf: INDEXED_EXTRACTIONS and the settings it controls

Parsing phase
  Line breaking: props.conf: LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and the other line-merging settings
  Timestamps: props.conf: TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ
  Event transformation: props.conf: TRANSFORMS, SEDCMD; transforms.conf: MORE_THAN, LESS_THAN
  Index-time transforms referenced by props.conf TRANSFORMS: transforms.conf: REGEX, FORMAT, LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

Indexing phase
  props.conf: SEGMENTATION
  indexes.conf
  segmenters.conf

Search phase
  props.conf: EXTRACT, REPORT, LOOKUP, KV_MODE, FIELDALIAS, EVAL, rename
  transforms.conf, referenced from props.conf REPORT and LOOKUP: REGEX, FORMAT, filename (lookup tables), external_cmd (external lookups), FIELDS, DELIMS, MV_ADD
  Lookup files and scripts in an app's lookups and bin directories
  savedsearches.conf, eventtypes.conf, tags.conf, commands.conf, alert_actions.conf, macros.conf, fields.conf, transactiontypes.conf, multikv.conf

Other settings
  Source type learning: props.conf: CHECK_FOR_HEADER, LEARN_MODEL, maxDist
  Settings that control Splunk Enterprise itself rather than the data, such as splunk-launch.conf under $SPLUNK_HOME/etc/, are read when the process starts.

Check the integrity of your Splunk software files

Splunk Enterprise ships with a manifest file in $SPLUNK_HOME that lists every installed file with its expected hash. Two checks use it.

Manual check with the CLI

./splunk validate files

Two options narrow the check. -manifest <file> validates against a named manifest rather than the one that matches the installed version; use it after an upgrade, when the files on disk may not all belong to the version named in etc/splunk.version, or to compare against another build's manifest. -type conf restricts the check to .conf files, which shows you which shipped defaults have been edited in place.

Automatic check at startup

splunkd validates the installed files each time it starts. The result is written to splunkd.log (search it for conf and file-integrity entries) and problems are also raised as messages in Splunk Web. Two limits.conf settings control the check; see limits.conf.spec. Because it reads every file under $SPLUNK_HOME/bin and $SPLUNK_HOME/lib (and %SPLUNK_HOME%\Python2.7\ on Windows) it adds disk I/O at startup, so on very slow storage you may choose to disable it there. The version to validate against is taken from etc/splunk.version.

The same result is exposed through the REST API at server/status/installed-file-integrity, which is the endpoint to poll from the monitoring console or from external monitoring.

What the check proves

It detects accidental corruption, partial upgrades, and edits to shipped files. It does not prove that the installation is untampered: the manifest lives beside the files it describes, so whoever can modify $SPLUNK_HOME/bin can rewrite the manifest to match. For a trustworthy baseline, keep a copy of the manifest (or your own list of file hashes) on a separate host and compare the installation against that copy.
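What "validate files" does, reduced to its essentials, is compare every installed file against a list of expected hashes. The following Python example is added here and is not Splunk's own code; the manifest layout it uses (one "sha256 <hex>  <relative path>" line per file) is a stand-in, not Splunk's real manifest format. It builds a small fake $SPLUNK_HOME in a temporary directory, records hashes, then tampers with one file and deletes another before running the check, so the output shows both failure modes the text describes.

```python
# Added example (not Splunk's own code): the idea behind 'splunk validate
# files' and server/status/installed-file-integrity, compare every installed
# file against a hash list produced when the files were known good. The
# manifest format here is invented for the example; Splunk's real manifest
# layout differs. Everything runs in a temporary directory, offline.
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, rel_paths: List[str]) -> str:
    """One line per file: algorithm, digest, path relative to root."""
    return "".join(f"sha256 {sha256_of(os.path.join(root, p))}  {p}\n" for p in rel_paths)


def validate_files(root: str, manifest: str) -> Dict[str, List[str]]:
    """Return the files whose hash differs ('modified') and the files that
    are listed but absent ('missing'). Files that are not in the manifest
    are not reported: a whitelist check cannot see additions, which is one
    reason the manifest itself must be kept somewhere the attacker is not."""
    report: Dict[str, List[str]] = {"modified": [], "missing": []}
    for line in manifest.splitlines():
        if not line.strip():
            continue
        algo, digest, rel = line.split(maxsplit=2)
        if algo != "sha256":
            raise ValueError(f"unsupported hash algorithm in manifest: {algo}")
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            report["missing"].append(rel)
        elif sha256_of(full) != digest:
            report["modified"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: two files are installed and recorded in the
    manifest, then one is altered and one removed before the check runs."""
    root = tempfile.mkdtemp(prefix="splunk_home_")
    files = {
        "bin/splunk": b"#!/bin/sh\nexec splunkd \"$@\"\n",
        "etc/splunk.version": b"VERSION=7.0.0\n",
    }
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    manifest = build_manifest(root, list(files))       # the known-good baseline
    with open(os.path.join(root, "bin", "splunk"), "ab") as f:
        f.write(b"# appended line simulates tampering\n")
    os.remove(os.path.join(root, "etc", "splunk.version"))
    return validate_files(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Store the baseline produced by build_manifest() off the host (or sign it); a manifest that sits under $SPLUNK_HOME is only useful against accidents.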

Administer Splunk Enterprise with the CLI

About the CLI

The Splunk Enterprise command-line interface (CLI) lets you start and stop the software, add and manage inputs, run searches, and change most settings. It lives in $SPLUNK_HOME/bin (%SPLUNK_HOME%\bin on Windows). The management port it talks to (8089 by default) is shown, and can be changed, in Splunk Web under Settings > Server settings > General settings.

On Windows the CLI is run from PowerShell or the command prompt, as described in the next section.

Most CLI commands are wrappers around the REST API: the CLI sends the request to splunkd on the management port, so it needs credentials (see -auth and splunk login below) and, for a remote instance, network access to that port. Searches started from the CLI are dispatched like any other search and appear in the job list.

To list all commands:

./splunk help

Work with the CLI on *nix

Any user who can read and execute $SPLUNK_HOME/bin can run the CLI, but commands that control the service (start, stop, restart) must run as the user that owns the installation (root, or the dedicated splunk user). Add the CLI to your PATH:

Linux/BSD/Solaris:
# export SPLUNK_HOME=/opt/splunk
# export PATH=$SPLUNK_HOME/bin:$PATH

Mac OS X:
# export SPLUNK_HOME=/Applications/Splunk
# export PATH=$SPLUNK_HOME/bin:$PATH

Then run the CLI as:

./splunk <command>

Or let Splunk Enterprise set $SPLUNK_HOME and PATH for you:

*nix:    source /opt/splunk/bin/setSplunkEnv
Windows: splunk.exe envvars > setSplunkEnv.bat & setSplunkEnv.bat

Mac OS X

On Mac OS X, CLI commands that need elevated access must be run with sudo (for example sudo ./splunk start) or from a root shell (sudo su - root). Prefer sudo on individual commands over a persistent root shell.

Work with the CLI on Windows

Use PowerShell (or the command prompt):

1. Open a PowerShell window.
2. Change to the Splunk Enterprise bin directory.
3. Run splunk with a command and its arguments. In PowerShell a program in the current directory must be prefixed with .\ :

PS C:\Program Files\Splunk\bin> .\splunk status
splunkd is running.
splunk helpers are running.

Commands that start, stop, or reconfigure the service must be run from an elevated prompt (Run as administrator).

Set SPLUNK_HOME on Windows

The two shells set variables differently. PowerShell:

$splunk_home = "C:\Program Files\Splunk"

Command prompt (set takes the rest of the line as the value; do not add quotes, they would become part of the value):

set SPLUNK_HOME=C:\Program Files\Splunk

They also reference variables differently when running a command. PowerShell needs the call operator, &, because the path contains a space:

& "$splunk_home\bin\splunk" status

Command prompt:

"%SPLUNK_HOME%\bin\splunk" add forward-server 192.168.1.100:9997 -auth admin:changeme

Passing -auth admin:changeme on the command line, as in the example above, writes the password into the shell history and shows it in the process list to anyone on the host. Prefer running splunk login once per session so that the CLI caches a session token, and change the default password before anything else. For PowerShell and command-prompt syntax, see Microsoft TechNet.

Splunk Answers

If the CLI does not behave as documented, search Splunk Answers for "CLI".

CLI syntax

./splunk [command] [object] [-parameter <value> | <value>]... [-app] [-owner] [-uri] [-auth]

Most commands take an object (what to act on) and one or more parameters. Four parameters are accepted by every command that talks to splunkd: -app, -owner, -uri, and -auth.

app    The app context in which to run the command.
auth   Credentials, as username:password, for commands that require authentication or run against a remote instance.
owner  The user whose knowledge objects the command acts on (app/user context).
uri    The management URI of the instance to run the command against, when it is not the local one.

The app parameter

Some commands, such as app create and app enable, take app as their object. On other commands -app sets the app context, which determines which knowledge objects and configurations are visible:

./splunk <command> <object> [-parameter <value>]... -app <appname>

For example, to run a search in the context of the unix app, detached (the command returns the job ID instead of waiting) and with preview on:

./splunk search "eventtype=error | stats count by source" -detach f -preview t -app unix

The auth parameter

When splunkd requires authentication for a command, supply -auth as the last parameter:

./splunk <command> <object> [-parameter <value>]... -auth <username>:<password>

If you give only the user name (-auth admin), the CLI prompts for the password, which keeps it out of the shell history. Alternatively run ./splunk login once; the CLI then reuses that session for later commands until you run ./splunk logout.

The uri parameter

To run a command on a different Splunk Enterprise instance, give its management URI:

./splunk <command> <object> [-parameter <value>]... -uri <specified-server>

specified-server has the form

[http|https]://name_of_server:management_port

name_of_server is a host name or an IP address. IPv4 and IPv6 literals are both accepted; an IPv6 address must be enclosed in square brackets (for example 127.0.0.1:80 or "[2001:db8::1]:80"). Whether splunkd listens on IPv4, IPv6, or both is a server setting; see the IPv6 section of this manual. Use https unless you are talking to localhost over a trusted path, because the -auth credentials travel in the request.

For example, to run a search against the instance splunkserver on management port 8089:

./splunk search "host=fflanda error 404 *.gif" -auth admin -uri https://splunkserver:8089

Get help with the CLI

The help command lists commands, and help for a command or topic prints its syntax, objects, and parameters:

./splunk help commands
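Scripts that wrap the CLI tend to build the -uri value from pieces, and the IPv6 bracket rule and the http/https distinction above are where they go wrong. The following Python example is added here (it is not part of the Splunk CLI or its documentation): it normalizes a management URI, accepts IPv6 literals in brackets, falls back to 8089 when no port is given (that default is an assumption of the example, matching the standard splunkd port), and flags two mistakes a practitioner makes in scripts, plain http to a remote host and pointing at the Splunk Web port instead of the management port.

```python
# Added example (not Splunk's own code): normalises the value passed to the
# CLI's -uri parameter and checks the points this section makes: the scheme
# must be explicit, IPv6 literals go in brackets, and the port is the splunkd
# management port (8089 is assumed as the default here). Plain http to a
# remote host is flagged because -auth credentials would travel in clear.
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

DEFAULT_MGMT_PORT = 8089          # assumption: the standard splunkd port
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


@dataclass(frozen=True)
class MgmtUri:
    scheme: str
    host: str
    port: int

    def __str__(self) -> str:
        host = f"[{self.host}]" if ":" in self.host else self.host   # re-bracket IPv6
        return f"{self.scheme}://{host}:{self.port}"


def parse_mgmt_uri(value: str) -> MgmtUri:
    """Parse '[http|https]://name_of_server:management_port'. A value without
    a scheme such as 'splunkserver:8089' is rejected rather than guessed."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"-uri needs an explicit http:// or https:// scheme: {value!r}")
    if not parts.hostname:
        raise ValueError(f"-uri has no host: {value!r}")
    port = parts.port if parts.port is not None else DEFAULT_MGMT_PORT
    return MgmtUri(parts.scheme, parts.hostname, port)     # hostname strips the [] of IPv6


def warnings_for(uri: MgmtUri) -> List[str]:
    """Operational warnings to print before running the command."""
    notes: List[str] = []
    if uri.scheme == "http" and uri.host not in LOCAL_HOSTS:
        notes.append("plain http to a remote host: -auth user:password is sent unencrypted")
    if uri.port == 8000:
        notes.append("port 8000 is Splunk Web, not the splunkd management port")
    return notes


if __name__ == "__main__":
    for v in ("https://splunkserver:8089", "https://[2001:db8::1]:8089", "http://splunkserver:8000"):
        u = parse_mgmt_uri(v)
        print(u, warnings_for(u))
```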

CLI help topics

Indexer clustering:
./splunk help clustering

Starting, stopping, and checking the Splunk daemon (splunkd) and Splunk Web (splunkweb):
./splunk help controls

Data stores and indexes (the default index is main):
./splunk help datastore
./splunk help index

Distributed search:
./splunk help distributed

Forwarding and receiving, including configuring an instance as a forwarder in one command:
./splunk help forwarding

Search and real-time search from the CLI:
./splunk help search
./splunk help rtsearch

The search language, in three parts (search-commands, search-fields, search-modifiers):
./splunk help search-commands
./splunk help search-fields
./splunk help search-modifiers

Most of what the CLI does is also available in Splunk Web and through the REST API. The CLI is the convenient choice for scripting, for hosts without a browser, and for troubleshooting when Splunk Web is down.

  • CLI CLI CLI CLI CLI

    Splunk () Splunk Splunk

    Splunk CLI Splunk CLI

    CLI

    ./splunk [] [[-] ]...

    add execforward-serverindexlicenser-poolslicensesmastermonitoroneshotsaved-searchsearch-servertcpudpuser

    1.1. /var/log

    ./splunk add monitor /var/log/

    2.2.

    ./splunk add cluster-master

    https://127.0.0.1:8089 -secret

    testsecret -multisite false'

    anonymize 1.1./tmp/messages IP

    ./splunk anonymize file -source

    /tmp/messages

    2.2. name-terms Mynames.txt

    ./splunk anonymize file -source

    /tmp/messages -name_terms

    $SPLUNK_HOME/bin/Mynames.txt

    apply cluster-bundle 1.1.

    ./splunk apply cluster-bundle

    2.2.Skip-validation

    ./splunk apply cluster-bundle --

    skip-validation

    clean alleventdataglobaldatainputdatauserdatakvstore 1.1.Splunk eventdata raw

    ./splunk clean eventdata

    43

  • 2.2. globaldata

    ./splunk clean globaldata

    cmd btoolclassifylocktestlocktoolparsetestpcregextestregextestsearchtestsigntoolwalklex

    1.1.splunk btool inputs list splunkenvvars

    ./splunk cmd btool inputs list

    2.2.

    ./splunk cmd /bin/ls

    create app 1.1.myNewApp

    ./splunk create app myNewApp -

    template sample_app

    createssl

    diag

    disable appboot-startdeploy-clientdeploy-serverdist-searchindexlistenlocal-indexmaintenance-modeshcluster-maintenance-modeperfmonwebserverweb-sslwmi

    1.1.

    './splunk disable maintenance-

    mode'

    2.2. logs1

    ./splunk disable eventlog logs1

    display appboot-startdeploy-clientdeploy-serverdist-searchjobslistenlocal-index

    1.1.App /

    ./splunk display app

    2.2.unix App

    ./splunk display app unix

    edit appcluster-configshcluster-configexecindexlicenser-localslavelicenser-groupsmonitorsaved-searchsearch-servertcpudpuser

    1.1.

    ./splunk edit cluster-config -

    mode slave -site site2

    2.2./var/log

    ./splunk edit monitor /var/log -

    follow-only true

    enable appboot-startdeploy-clientdeploy-serverdist-searchindexlistenlocal-indexmaintenance-modeshcluster-maintenance-modeperfmonwebserverweb-sslwmi

    1.1.

    './splunk enable maintenance-

    44

  • mode'

    2.2.col1

    ./splunk enable perfmon col1

    export eventdatauser data 1.1.Splunk /tmp/apache_raw_404_logs

    ./splunk export eventdata -index

    my_apache_data -dir

    /tmp/apache_raw_404_logs -host

    localhost -terms "404 html"

    fsck repairscanclear-bloomfilter

    import userdata 1.1. /tmp/export.dat

    ./splunk import userdata -dir

    /tmp/export.dat

    install app 1.1. foo.tar Splunk App

    ./splunk install app foo.tar

    2.2. foo.tgz Splunk App

    ./splunk install app foo.tgz

    list cluster-bucketscluster-configcluster-generationcluster-peersdeploy-clientsexcess-bucketsexecforward-serverindexinputstatuslicenser-groupslicenser-localslavelicenser-messageslicenser-poolslicenser-slaveslicenser-stackslicensesjobsmaster-infomonitorpeer-infopeer-bucketsperfmonsaved-searchsearch-servertcpudpuserwmi

    1.1. splunkd

    ./splunk list monitor

    2.2.

    ./splunk list licenses

    loginlogout

    1.1.enforce-counts

    ./splunk offline

    2.2.--enforce-counts

    ./splunk offline --enforce-

    counts

    45

  • package app 1.1. App URI

    ./splunk package app stubby

    rebuild

    refresh deploy-clients

    reload adauthdeploy-serverindexlistenmonitorregistryscripttcpudpperfmonwmi

    1.1.

    ./splunk reload deploy-server

    2.2.my_serverclass

    ./splunk reload deploy-server -class my_serverclass

    remove appcluster-peersexcess-bucketsexecforward-serverindexjobslicenser-poolslicensesmonitorsaved-searchsearch-servertcpudpuser

    1.1.testsecret secret/pass4SymmKey

    ./splunk remove cluster-master https://127.0.0.1:8089 -secret testsecret

    2.2.Unix App

    ./splunk remove app unix

    rolling-restart

    cluster-peersshcluster-members

    rtsearch appbatchdetachearliest_timeheaderidindex_earliestindex_latestmax_timemaxoutoutputpreviewrt_idtimeouturiwrap

    1.1.

    ./splunk rtsearch 'error' -wrap false

    2.2.rtsearch

    ./splunk rtsearch 'eventtype=webaccess error | top clientip'

    search appbatchdetachearliest_timeheaderidindex_earliestindex_latestlatest_timemax_timemaxoutoutputpreviewtimeouturiwrap

    1.1. ID TTL

    ./splunk search '*' -detach true

    2.2.eventtype=webaccess error

    ./splunk search 'eventtype=webaccess error' -wrap 0

    set datastore-dirdeploy-polldefault-hostnamedefault-indexminfreembservernameserver-typesplunkd-portweb-portkvstore-port

    1.1. Ready

    ./splunk set indexing-ready

    2.2.bologna:1234

    ./splunk set deploy-poll bologna:1234

    show configcluster-bundle-statusdatastore-dirdeploy-polldefault-hostnamedefault-indexjobsminfreembservernamesplunkd-portweb-portkvstore-port

    1.1.

    ./splunk show log-level

    2.2.Splunk Enterprise

    ./splunk show deploy-poll

    spool

    startstoprestart

    splunkdsplunkweb

    status splunkdsplunkweb

    validate 1.1.indexes.conf

    ./splunk validate index main

    version

    CLI CLI

    CLI CLI Splunk Enterprise

    CLI CLI

    Splunk CLI Splunk Splunk CLI cmd

    ./splunk cmd

    CLI

    CLI Splunk Enterprise CLI Splunk Enterprise

    CLI uri Splunk Enterprise

    uri CLI

    CLI

    Splunk Free () $SPLUNK_HOME/etc/system/local/server.conf

    allowRemoteLogin=always

    add oneshot

    CLI CLI

    CLI uri

    ./splunk command object [-parameter ]... -uri

    uri specified-server

    [http|https]://name_of_server:management_port

    name_of_server Splunk Enterprise IP

    uri mgmtHostPort Splunk Enterprise web.conf web.conf

    CLI CLI CLI

    splunkserver

    ./splunk search "host=fflanda error 404 *.gif" -uri https://splunkserver:8089

    CLI CLI

    App App

    splunkserver App

    ./splunk display app -uri https://splunkserver:8089

    URI URI

    SPLUNK_URI URI URI uri

    SPLUNK_URI

    $ export SPLUNK_URI=[http|https]://name_of_server:management_port # For Unix shells

    C:\> set SPLUNK_URI=[http|https]://name_of_server:management_port # For Windows shell

    SPLUNK_URI

    $ export SPLUNK_URI=https://splunkserver:8089

    CLI CLI

    CLI

    StartstoprestartStatusversion

    CLI CLI CLI

    CLI CLI

    CLI CLI ()

    server.conf

    [httpServer]

    cliLoginBanner =

    allowBasicAuth = true|false

    basicAuthRealm =

    cliLoginBanner =

    Splunk CLI ()

    cliLoginBanner="Line 1","Line 2","Line 3"

    2

    cliLoginBanner="This is a line that ""contains quote characters""!"

    allowBasicAuth = true|false

    Splunk (authtoken) HTTP Basic Splunk true REST Web REST API UI CLI true

    basicAuthRealm =

    allowBasicAuth Web //splunk

    Splunk Enterprise Splunk Enterprise Splunk Enterprise Splunk Enterprise

    Splunk Enterprise /

    Windows Splunk Enterprise Windows Splunk Enterprise

    Windows Splunk Enterprise C:\Program Files\Splunk Splunk Splunk $SPLUNK_HOME Splunk Enterprise $SPLUNK_HOME(Windows %SPLUNK_HOME%) C:\Program Files\Splunk

    Splunk Enterprise splunkd splunkweb 2 splunkdSplunk Web Splunk Enterprise Splunk Enterprise Windows Splunk Enterprise

    Windows Splunk

    1.1.Splunk Enterprise [] Splunk (Start ->Control Panel -> Administrative Tools -> Services )

    Web splunkdWeb ()splunkweb

    2.2.NET START NET STOP SplunkEnterprise

    Web splunkdWeb ()splunkweb

    3.3.%SPLUNK_HOME%\bin

    > splunk [start|stop|restart]

    Windows Splunk Enterprise Windows Splunk Enterprise

    Splunk Enterprise (splunkd splunkweb)

    Splunk Web Splunk Web splunkd Splunk Web

    Splunk Enterprise

    1.1. %SPLUNK_HOME%\etc\system\local

    2.2.%SPLUNK_HOME%\etc\system\local\web.conf web.conf %SPLUNK_HOME%\etc\system\local

    3.3.web.conf appserverPorts httpport

    [settings]

    appServerPorts = 0

    httpport = 8000

    4.4.

    5.5.Splunk Enterprise splunkd splunkweb

    6.6.http://: Splunk Enterprise

    Splunk Enterprise %SPLUNK_HOME%\etc\system\local\web.conf appServerPorts httpport

    UNIX Splunk Enterprise UNIX Splunk Enterprise

    Splunk Enterprise *nix 1 splunkd splunkd Splunk Web Splunk Enterprise SplunkEnterprise UNIX Splunk Enterprise

    Splunk Enterprise Splunk Enterprise

    Splunk Enterprise

    # splunk start

    Splunk Enterprise service init.d

    # service splunk start

    splunkd ( Splunk Web )

    # splunk start splunkd

    () # splunk start splunkweb

    web.conf startwebserver appServerPorts 0 splunkweb splunkweb UNIX Splunk Enterprise

    Splunk Enterprise (splunkd splunkweb)

    # splunk restart

    # splunk restart splunkd

    () # splunk restart splunkweb

    UNIX Splunk Enterprise UNIX Splunk Enterprise

    Splunk Enterprise splunkd splunkweb Splunk Enterprise

    Splunk Enterprise

    1.1.$SPLUNK_HOME/etc/system/default

    2.2.web.conf $SPLUNK_HOME/etc/system/local

    3.3.$SPLUNK_HOME/etc/system/local web.conf

    4.4.web.conf appserverPorts httpport

    [settings]

    appServerPorts = 0

    httpport = 8000

    5.5.

    6.6.Splunk Enterprise (UNIX Splunk Enterprise )splunkd splunkweb

    7.7.http://: Splunk Enterprise

    Splunk Enterprise %SPLUNK_HOME%\etc\system\local\web.conf appServerPorts httpport

    Splunk Enterprise Splunk Enterprise

    Splunk Enterprise

    # splunk stop

    splunkd Splunk Web

    # splunk stop splunkd

    () # splunk stop splunkweb

    Splunk Splunk

    Splunk Enterprise

    # splunk status

    splunkd is running (PID: 3162).

    splunk helpers are running (PIDs: 3164).

    Splunk Enterprise

    splunkweb is running (PID: 3216).

    UNIX splunk status Splunk Enterprise

    splunk status 0splunk status Linux Standard Base 3 splunk status

    Splunk Enterprise ps

    # ps aux | grep splunk | grep -v grep

    Solaris ps aux -ef

    # ps -ef | grep splunk | grep -v grep

    Splunk Web Splunk Enterprise Splunk Web Splunk Enterprise

    Splunk Web Splunk

    1.1.[] > [][] > []

    2.2.[Splunk ][Splunk ]

    splunkd splunkweb

    Splunk Splunk

    Splunk Splunk *nix

    root sudo sudo

    Windows Windows

    Windows Splunk Windows

    *nix *nix

    Splunk init (OS )

    1. Splunk

    2. root sudo

    3. [sudo] $SPLUNK_HOME/bin/splunk enable boot-start

    Root Root

    root Splunk -user Splunk

    bob

    [sudo] $SPLUNK_HOME/bin/splunk enable boot-start -user bob

    root Splunk Splunk root

    1. 2. root 3. /etc/init.d/splunk 4.

    su -

    5.

    MacOS MacOS

    Splunk Mac /System/Library/StartupItems Mac Mac Splunk

    sudo sudo Mac Splunk

    1. 2. App 3. Splunk bin

    cd /Applications/Splunk/bin

    4.

    [sudo] ./splunk enable boot-start

    AIX AIX

    Splunk Enterprise AIX Splunk Splunk 6.3.0 AIX Splunk Enterprise

    AIX Splunk (SRC)

    AIX Splunk AIX SRC Splunk

    mkssys -G splunk -s splunkd -p -u -a _internal_exec_splunkd -S -n 2 -f 9

    mkssys -G splunk -s splunkweb -p -u -a _internal_exec_splunkweb -S -n 15 -f 9

    (Splunk Enterprise )

    SRC Splunk Enterprise Splunk

    /usr/bin/startsrc -s splunkd Splunk /usr/bin/stopsrc -s splunkd Splunk

    $SPLUNK_HOME ./splunk [start|stop] SRC

    Splunk boot-start is enabled. Please use /usr/bin/[startsrc|stopsrc] -s splunkd to [start|stop] Splunk.

    $SPLUNK_HOME Splunk Enterprise

    [sudo] ./splunk disable boot-start

    mkssys IBM pSeries AIX Information Center Web Mkssys command (http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.cmds/doc/aixcmds3/mkssys.htm) SRC IBM (https://www-01.ibm.com/support/knowledgecenter/#!/ssw_aix_71/com.ibm.aix.genprogc/src.htm)

    Splunk root AIX Splunk root AIX

    1. AIX 2. root sudo

    AIX sudo

    3. Splunk bin 4.

    [sudo] ./splunk enable boot-start

    Splunk root AIX Splunk root AIX

    1. AIX 2. root sudo

    AIX sudo

    3. Splunk splunk

    [sudo] mkuser splunk

    [sudo] chown -R splunk

    4. Splunk bin 5. -user

    [sudo] ./splunk enable boot-start -user

    Splunk

    [sudo] $SPLUNK_HOME/bin/splunk disable boot-start

    Windows Windows

    Windows Splunk Windows [] Splunk (splunkd splunkweb)

    $SPLUNK_HOME/etc/init.d/READMESplunk help boot-start

    Splunk

    Enterprise (60 ) 500 MB/

    Enterprise

    Splunk Splunk

    Splunk splunk.com [MyOrders]

    Splunk Web [] > [][] > []

    Splunk Enterprise

    Splunk Enterprise

    *nix setenv export

    # export SPLUNK_HOME = /opt/splunk02/splunk

    Splunk Enterprise

    Windows PowerShell set

    C:\> set SPLUNK_HOME = "C:\Program Files\Splunk"

    SPLUNK_HOME Splunk Enterprise

    SPLUNK_DB Splunk Enterprise

    SPLUNK_BINDIP Splunk Enterprise IP IP

    SPLUNK_IGNORE_SELINUX

    SELinux Linux Splunk Enterprise SELinux Splunk Enterprise SplunkEnterprise SELinux

    SPLUNK_OS_USER

    Splunk Enterprise splunkroot Splunk Enterprise splunksplunk

    SPLUNK_SERVER_NAME splunkd (Windows ) (*nix )

    SPLUNK_WEB_NAME splunkweb (Windows ) (*nix )

    splunk-launch.conf (web.conf) Splunk splunk-launch.conf

    Splunk Enterprise (admin/changeme) Splunk

    10

    Splunk WebSplunk Web

    1. Splunk Web 2. [][] 3. [] [][] 4. [][] 5. [][] 6. [][]

    CLICLI

    Splunk CLI

    splunk edit user

    CLI Splunk Enterprise -auth changeme foo

    splunk edit user admin -password foo -role admin -auth admin:changeme

    *nix \ (')

    splunk edit user admin -password 'FFL14io!23ur$' -role admin -auth admin:changeme

    splunk edit user admin -password FFL14io!23ur\$ -role admin -auth admin:changeme

    Windows (^) (")

    splunk edit user admin -password "FFL14io!23ur>" -role admin -auth admin:changeme

    splunk edit user admin -password FFL14io!23ur^> -role admin -auth admin:changeme

    Splunk Enterprise

    HTTP/HTTPS HTTP/HTTPS Splunk Web 8000 appserverappserver 8065splunkd Splunk Web splunkd 8089 KV KV 8191

    Splunk 9997

    Splunk Web Splunk Web

    1. Splunk Web 2. [][] 3. [] [][] 4. [] 5. [][] [Web ][Web ] [][]

    Splunk CLI Splunk CLI

    Splunk CLI CLI set Splunk Web 9000

    splunk set web-port 9000

    splunkd 9089

    splunk set splunkd-port 9089

    Splunk Splunk

    Splunk Splunk Web Splunk

    Splunk DNS IP

    Splunk Web Splunk Web

    Splunk

    1. Splunk Web 2. [][] 3. [] [][] 4. [] 5. [Splunk ][Splunk ] [][]

    Splunk CLI Splunk CLI

    CLI set servername foo

    splunk set servername foo

    Splunk

    Splunk Web Splunk Web

    1. Splunk Web 2. [][] 3. [] [][] 4. [] 5. [][] [][] 6. CLI Splunk Enterprise $SPLUNK_HOME/bin/ (*nix) %SPLUNK_HOME%\bin

    (Windows)

    splunk restart

    CLI

    Splunk CLI Splunk CLI

    CLI set datastore-dir /var/splunk/

    splunk set datastore-dir /var/splunk/

    Splunk

    Splunk Web Splunk Web

    1. Splunk Web 2. [][] 3. [] [][] 4. [] 5. [][] [][]

    Splunk CLI Splunk CLI

    CLI set minfreemb 2000 MB

    splunk set minfreemb 2000

    & App 24 24 App [general_default] SPLUNK_HOME/etc/apps/user-prefs/local/user-prefs.conf

    & App Splunk Apps

    Splunk Web Splunk Web

    1.1.Splunk Web

    2.2.[][]

    3.3.[][]

    4.4.[][]

    5.5.[][] [][]

    ui_prefs.conf

    ui-prefs.conf ui-prefs.conf Splunk Web

    ui-prefs.conf

    Splunk Web []

    user-prefs.conf

    ui-prefs.conf

    Splunk IP Splunk IP

    Splunk IP Splunk IP 0.0.0.0 IP

    Splunk IP Splunk (splunkd)

    TCP 8089 ()

    SplunkTCP TCP UDP

    Splunk Web IP web.conf server.socket_host

    Splunk SPLUNK_BINDIP=

    $SPLUNK_HOME/etc/splunk-launch.conf SPLUNK_BINDIP Splunk 127.0.0.1 () splunk-launch.conf

    # Modify the following line to suit the location of your Splunk install.

    # If unset, Splunk will use the parent of the directory this configuration

    # file was found in

    #

    # SPLUNK_HOME=/opt/splunk

    SPLUNK_BINDIP=127.0.0.1

    web.conf mgmtHostPort 127.0.0.1:8089 SPLUNK_BINDIP 127.0.0.1mgmtHostPort IP splunk-launch.conf

    SPLUNK_BINDIP=10.10.10.1

    web.conf ( 8089 )

    mgmtHostPort=10.10.10.1:8089

    mgmtHostPort web.conf
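The two settings above have to agree: once SPLUNK_BINDIP in splunk-launch.conf is changed away from 127.0.0.1, mgmtHostPort in web.conf must point at the same address, or the CLI and Splunk Web will try to reach splunkd on an interface it no longer listens on. The check below is an added example, not part of the Splunk manual or of Splunk's own tooling; it parses the two files itself (rather than via Splunk's configuration layering), treats an unset SPLUNK_BINDIP as "listen on all interfaces" as the text states, and accepts the bracketed IPv6 form of mgmtHostPort. All file contents are constructed samples.

```python
"""Consistency check between SPLUNK_BINDIP in splunk-launch.conf and
mgmtHostPort in web.conf.  Added example, not Splunk's own tooling; every
file body below is a constructed sample, not captured from a real install."""
import ipaddress
import re

# Constructed sample: splunk-launch.conf after binding splunkd to 10.10.10.1.
LAUNCH_CONF = """\
# Modify the following line to suit the location of your Splunk install.
# SPLUNK_HOME=/opt/splunk
SPLUNK_BINDIP=10.10.10.1
"""

# Constructed sample: web.conf left at the loopback default (a mismatch).
WEB_CONF_STALE = """\
[settings]
httpport = 8000
mgmtHostPort = 127.0.0.1:8089
"""

# Constructed sample: web.conf updated to match SPLUNK_BINDIP.
WEB_CONF_FIXED = """\
[settings]
httpport = 8000
mgmtHostPort = 10.10.10.1:8089
"""


def read_bindip(launch_conf):
    """Return SPLUNK_BINDIP from splunk-launch.conf, or None if unset or commented out."""
    for line in launch_conf.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "SPLUNK_BINDIP" and value:
            return value
    return None


def read_setting(web_conf, key):
    """Return the value of `key` in the [settings] stanza of web.conf, or None."""
    stanza = None
    for line in web_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        if stanza != "settings" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name == key:
            return value
    return None


def parse_host_port(value):
    """Split 'host:port' or the bracketed IPv6 form '[::1]:8089' into (host, port).
    An unbracketed IPv6 literal is rejected, because its colons are ambiguous."""
    m = re.fullmatch(r"\[([^\]]+)\]:(\d+)", value)
    if m:
        return m.group(1), int(m.group(2))
    if value.count(":") != 1:
        raise ValueError(f"{value!r}: use host:port, or [addr]:port for IPv6")
    host, port = value.split(":")
    if not host or not port.isdigit():
        raise ValueError(f"{value!r}: use host:port, or [addr]:port for IPv6")
    return host, int(port)


def check_mgmt_binding(launch_conf, web_conf):
    """Return a list of findings; an empty list means the two files agree."""
    raw = read_setting(web_conf, "mgmtHostPort")
    if raw is None:
        return ["web.conf: mgmtHostPort missing from [settings]"]
    try:
        host, port = parse_host_port(raw)
    except ValueError as exc:
        return [f"web.conf: mgmtHostPort {exc}"]
    try:
        mgmt_ip = ipaddress.ip_address(host)
    except ValueError:
        return []  # a hostname rather than an address; nothing to compare with the bind IP
    bindip = read_bindip(launch_conf)
    if bindip is None:
        return []  # splunkd listens on all interfaces, so any local address reaches it
    try:
        bind_ip = ipaddress.ip_address(bindip)
    except ValueError:
        return [f"splunk-launch.conf: SPLUNK_BINDIP={bindip!r} is not an IP address"]
    if bind_ip != mgmt_ip:
        return [f"SPLUNK_BINDIP={bindip} but mgmtHostPort={raw}: the CLI and Splunk Web "
                f"would contact splunkd on port {port} at an address it is not bound to"]
    return []
```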

    IP v6 IP v6

    4.3 web.conf mgmtHostPort IPv6 splunkd IPv6 (Splunk IPv6 server.conf ) 127.0.0.1:8089 [::1]:8089

    Splunk IPv6 Splunk IPv6

    Splunk IPv6

    Splunk TCP UDP server.conf server.confinputs.conf inputs.conf

    Splunk 4.3 IPv6 IPv6 Splunk WebCLI

    IP v6 IP v6

    Splunk OS ( OS)IPv6

    HPUX PA-RISCSolaris 89AIX

    IP v6 Splunk IP v6 Splunk

    Splunk IPv6

    IPv6 DNS IPv4 IPv4 IPv6

    IPv6 IPv4

    IPv4 DNS IPv6

    Splunk IPv6 $SPLUNK_HOME/etc/system/local server.conf

    listenOnIPv6=[yes|no|only]

    yes splunkd IPv6 IPv4 no splunkd IPv4 only Splunk IPv6

    connectUsingIpVersion=[4-first|6-first|4-only|6-only|auto]

    4-first splunkd IPv4 IPv6 6-first 4-first Web IPv6 IPv6 4-only splunkd DNS IPv6 6-only splunkd DNS IPv4 auto splunkd listenOnIPv6

    splunkd IPv4 4-only splunkd IPv6 6-only splunkd 6-first

    DNS connectUsingIpVersion = 6-first IPv4 ("server=10.1.2.3:9001")

    IP v6 IP v6

    IPv6 Splunk IPv6 listenOnIPv6 [udp], [tcp], [tcp-ssl], [splunktcp] [splunktcp-ssl] inputs.conf server.conf

    IP v6 IP v6

    Splunk IPv6 outputs.conf

    [tcpout] server [host]:port IPv6 [tcpout-server] [host]:port IPv6 [syslog] server [host]:port IPv6

    IP v6 IP v6

    Splunk IPv6 distsearch.conf

    servers [host]:port IPv6 heartbeatMcastAddr IPv6 Splunk 4.3

    IP v6 Splunk Web IP v6 Splunk Web

    Web IPv6 splunkweb splunkd 4.3 web.conf listenOnIPv6 server.conf Splunk Web

    web.conf mgmtHostPort IPv6 splunkd IPv6 ( server.conf ) 127.0.0.1:8089 [::1]:8089

    Splunk CLI IP v6Splunk CLI IP v6

    Splunk CLI IPv6 splunkd mgmtHostPort web.conf $SPLUNK_URI -uri -uri IPv6 IP -uri "[2001:db8::1]:80"

    IP v6 SSOIP v6 SSO

    IPv6 SSO trustedIP web.conf server.conf

    web.conf mgmtHostPort trustedIP

    [settings]

    mgmtHostPort = [::1]:8089

    startwebserver = 1

    listenOnIPv6=yes

    trustedIP=2620:70:8000:c205:250:56ff:fe92:1c7,::1,2620:70:8000:c205::129

    SSOMode = strict

    remoteUser = X-Remote-User

    tools.proxy.on = true

    SSO Splunk Enterprise

    Splunk Splunk Splunk

    Splunk LDAP (SSL) Splunk SSL

    Splunk Enterprise Splunk SplunkEnterprise

    Splunk Inc. (Splunk) Splunk

    Splunk AppsSplunk Apps

    App App

    Splunk Apps for AWSSplunk Apps for AWS Splunk Splunk Splunk Splunk DB Connect Splunk DB Connect Splunk Apps for ServiceNowSplunk Apps for ServiceNow Splunk Splunk Apps for AkamaiSplunk Apps for Akamai Splunk

    Splunk Splunk

    Splunk Splunk

    / /

    > >

    > >

    True-up

    Web

    > > > >

    Web

    > >

    Web

    > > > >

    Web

    > >

    Splunk

    SplunkApps

    App

    App

    App

    App

    Diag

    Diag

    () Splunk Web

    [][][][][OK][OK]

    [OK][OK][] > [][] > []

    edit_telemetry_settings

    Splunk Web

    1. [] > [][] > [] 2.

    Javascript splkmobile URL Splunk Web

    component JSON

    Splunk Enterprise 7.0.0 Splunk Enterprise 7.0.0

    Splunk Enterprise 7.0.0 GUID

    > > 6.6.0 Splunk Enterprise 6.5.0 Splunk Enterprise Splunk Enterprise6.4.x > >

    Splunk Enterprise version 7.0.0

    App

    App

    Splunk Enterprise Splunk Enterprise

    Splunk Enterprise

    Splunk GUID

    App App

    licensing.stack

    ID licensing.stack

    deployment.clustering.indexer

    deployment.clustering.member

    deployment.clustering.searchhead

    Splunk OS/CPU Splunk

    deployment.forwarders

    deployment.distsearch.peer

    deployment.index

    deployment.licensing.slave

    GUID (/) CPU () OS/Splunk

    deployment.node

    deployment.node

    performance.indexing

    performance.search

    deployment.shclustering.member

    usage.indexing.sourcetype

    usage.users.active

    usage.search.type

    usage.search.concurrent

    App

    deployment.app

    App

    usage.app.page

    IdId IdId Id Iddata.guid GUID

    app.session.session_start

    app.session.pageview

    app.session.dashboard.pageview

    app.session.pivot.load

    app.session.pivot.interact

    app.session.search.interact

    licensing.stack

    ID licensing.stack

    Splunk JSON ID JSON

    {
      "component": "deployment.app",
      "data": {
        "name": "alert_logevent",
        "enabled": true,
        "version": "7.0.0",
        "host": "ip-10-222-17-130"
      },
      "visibility": "anonymous,support",
      "timestamp": 1502845738,
      "date": "2017-08-15",
      "transactionID": "01AFCDA0-2857-423A-E60D-483007F38C1A",
      "executionID": "2A8037F2793D5C66F61F5EE1F294DC",
      "version": "2",
      "deploymentID": "9a003584-6711-5fdc-bba7-416de828023b"
    }

    JSON

    []

    deployment.app

    App

    {
      "name": "alert_logevent",
      "enabled": true,
      "version": "7.0.0",
      "host": "ip-10-222-17-130"
    }

    deployment.clustering.indexer

    {
      "host": "docteam-unix-5",
      "summaryReplication": true,
      "siteReplicationFactor": null,
      "enabled": true,
      "multiSite": false,
      "searchFactor": 2,
      "siteSearchFactor": null,
      "timezone": "-0700",
      "replicationFactor": 3
    }

    deployment.clustering.member

    {
      "site": "default",
      "master": "ip-10-212-28-184",
      "member": {
        "status": "Up",
        "guid": "471A2F25-CD92-4250-AA17-4E49819B897A",
        "host": "ip-10-212-28-4"
      }
    }

    deployment.clustering.searchhead

    {
      "site": "default",
      "master": "ip-10-222-27-244",
      "searchhead": {
        "status": "Connected",
        "guid": "1D4D422A-ADDE-437D-BA07-2B0C319D23BA",
        "host": "ip-10-212-55-3"
      }
    }

    deployment.distsearch.peer

    {
      "peer": {
        "status": "Up",
        "guid": "472A5F22-CC92-4220-AA17-4E48919B897A",
        "host": "ip-10-222-21-4"
      },
      "host": "ip-10-222-27-244"
    }

    deployment.forwarders

    {
      "hosts": 168,
      "instances": 497,
      "architecture": "x86_64",
      "os": "Linux",
      "splunkVersion": "6.5.0",
      "type": "uf",
      "bytes": {
        "min": 389,
        "max": 2291497,
        "total": 189124803,
        "p10": 40960,
        "p20": 139264,
        "p30": 216064,
        "p40": 269312,
        "p50": 318157,
        "p60": 345088,
        "p70": 393216,
        "p80": 489472,
        "p90": 781312
      }
    }

    deployment.index

    {
      "name": "_audit",
      "type": "events",
      "total": {
        "rawSizeGB": null,
        "maxTime": 1502845730.0,
        "events": 1,
        "maxDataSizeGB": 488.28,
        "currentDBSizeGB": 0.0,
        "minTime": 1502845719.0,
        "buckets": 0
      },
      "host": "ip-10-222-17-130",
      "buckets": {
        "thawed": {
          "events": 0,
          "sizeGB": 0.0,
          "count": 0
        },
        "warm": {
          "sizeGB": 0.0,
          "count": 0
        },
        "cold": {
          "events": 0,
          "sizeGB": 0.0,
          "count": 0
        },
        "coldCapacityGB": "unlimited",
        "hot": {
          "sizeGB": 0.0,
          "max": 3,
          "count": 0
        },
        "homeEventCount": 0,
        "homeCapacityGB": "unlimited"
      },
      "app": "system"
    }

    deployment.licensing.slave

    {
      "master": "9d5c20b4f7cc",
      "slave": {
        "pool": "auto_generated_pool_enterprise",
        "guid": "A5FD9178-2E76-4149-9FGF-55DCE35E38E7",
        "host": "9d5c20b4f7cc"
      }
    }

    deployment.node

    {
      "guid": "123309CB-ABCD-4BC9-9B6A-185316600F23",
      "host": "docteam-unix-3",
      "os": "Linux",
      "osExt": "Linux",
      "osVersion": "3.10.0-123.el7.x86_64",
      "splunkVersion": "6.5.0",
      "cpu": {
        "coreCount": 2,
        "utilization": {
          "min": 0.01,
          "p10": 0.01,
          "p20": 0.01,
          "p30": 0.01,
          "p40": 0.01,
          "p50": 0.02,
          "p60": 0.02,
          "p70": 0.03,
          "p80": 0.03,
          "p90": 0.05,
          "max": 0.44
        },
        "virtualCoreCount": 2,
        "architecture": "x86_64"
      },
      "memory": {
        "utilization": {
          "min": 0.26,
          "max": 0.34,
          "p10": 0.27,
          "p20": 0.28,
          "p30": 0.28,
          "p40": 0.28,
          "p50": 0.29,
          "p60": 0.29,
          "p70": 0.29,
          "p80": 0.3,
          "p90": 0.31
        },
        "capacity": 3977003401
      },
      "disk": {
        "fileSystem": "xfs",
        "capacity": 124014034944,
        "utilization": 0.12
      }
    }

    deployment.shclustering.member

    {
      "site": "default",
      "member": {
        "status": "Up",
        "guid": "290C48B1-50D3-48C9-AF86-14F43000CC5C",
        "host": "ip-10-222-19-223"
      },
      "captain": "ip-10-222-19-253"
    }

    licensing.stack

    {
      "type": "download-trial",
      "guid": "4F735357-F278-4AD2-BBAB-139A85A75DBB",
      "product": "enterprise",
      "name": "download-trial",
      "licenseIDs": [
        "553A0D4F-3B7B-4AD5-B241-89B94386A07F"
      ],
      "quota": 524288000,
      "pools": [
        {
          "quota": 524288000,
          "consumption": 304049405
        }
      ],
      "consumption": 304049405,
      "subgroup": "Production",
      "host": "docteam-unix-9"
    }

    performance.indexing

    {
      "host": "docteam-unix-5",
      "thruput": {
        "min": 412,
        "max": 9225,
        "total": 42980219,
        "p10": 413,
        "p20": 413,
        "p30": 431,
        "p40": 450,
        "p50": 474,
        "p60": 488,
        "p70": 488,
        "p80": 488,
        "p90": 518
      }
    }

    performance.search

    {
      "latency": {
        "min": 0.01,
        "max": 1.33,
        "p10": 0.02,
        "p20": 0.02,
        "p30": 0.05,
        "p40": 0.16,
        "p50": 0.17,
        "p60": 0.2,
        "p70": 0.26,
        "p80": 0.34,
        "p90": 0.8
      }
    }

    app.session.dashboard.pageview

    {
      "dashboard": {
        "autoRun": false,
        "hideEdit": false,
        "numCustomCss": 0,
        "isVisible": true,
        "numCustomJs": 0,
        "hideFilters": false,
        "hideChrome": false,
        "hideAppBar": false,
        "hideFooter": false,
        "submitButton": false,
        "refresh": 0,
        "hideSplunkBar": false,
        "hideTitle": false,
        "isScheduled": false
      },
      "numElements": 1,
      "numSearches": 1,
      "numPanels": 1,
      "elementTypeCounts": {
        "column": 1
      },
      "layoutType": "row-column-layout",
      "searchTypeCounts": {
        "inline": 1
      },
      "name": "test_dashboard",
      "numFormInputs": 0,
      "formInputTypeCounts": {},
      "numPrebuiltPanels": 0,
      "app": "search"
    }

    app.session.pivot.interact

    {
      "eventAction": "change",
      "eventLabel": "Pivot - Report Content",
      "numColumnSplits": 0,
      "reportProps": {
        "display.visualizations.charting.legend.placement": "none",
        "display.visualizations.type": "charting",
        "earliest": "0",
        "display.statistics.show": "1",
        "display.visualizations.charting.chart": "column",
        "display.visualizations.charting.axisLabelsX.majorLabelStyle.rotation": "-90",
        "display.visualizations.show": "1",
        "display.general.type": "visualizations"
      },
      "numRowSplits": 1,
      "eventCategory": "PivotEditorReportContent",
      "app": "search",
      "page": "pivot",
      "numAggregations": 1,
      "numCustomFilters": 0,
      "eventValue": {},
      "locale": "en-US",
      "context": "pivot"
    }

    app.session.pivot.load

    {
      "eventAction": "load",
      "eventLabel": "Pivot - Page",
      "numColumnSplits": 0,
      "reportProps": {
        "display.visualizations.charting.legend.placement": "none",
        "display.visualizations.type": "charting",
        "earliest": "0",
        "display.statistics.show": "1",
        "display.visualizations.charting.chart": "column",
        "display.visualizations.show": "1",
        "display.general.type": "visualizations"
      },
      "numRowSplits": 1,
      "eventCategory": "PivotEditor",
      "app": "search",
      "page": "pivot",
      "numAggregations": 1,
      "numCustomFilters": 0,
      "locale": "en-US",
      "context": "pivot"
    }

    app.session.search.interact

    app.session.pageview

    {
      "app": "launcher",
      "page": "home"
    }

    app.session.session_start

    {
      "app": "launcher",
      "splunkVersion": "6.6.0",
      "os": "Ubuntu",
      "browser": "Firefox",
      "browserVersion": "38.0",
      "locale": "en-US",
      "device": "Linux x86_64",
      "osVersion": "not available",
      "page": "home",
      "guid": "2550FC44-64E5-43P5-AS44-6ABD84C91E42"
    }

    usage.app.page

    App

    {
      "app": "search",
      "locale": "en-US",
      "occurrences": 1,
      "page": "datasets",
      "users": 1
    }

    usage.indexing.sourcetype

    {
      "name": "vendor_sales",
      "bytes": 2026348,
      "events": 30245,
      "hosts": 1
    }

    usage.search.concurrent

    {
      "host": "docteam-unix-5",
      "searches": {
        "min": 1,
        "max": 11,
        "p10": 1,
        "p20": 1,
        "p30": 1,
        "p40": 1,
        "p50": 1,
        "p60": 1,
        "p70": 1,
        "p80": 2,
        "p90": 3
      }
    }

    usage.search.type

    {
      "ad-hoc": 1428,
      "scheduled": 225
    }

    usage.users.active

    {
      "active": 23
    }


    Splunk

    MINT Splunk Splunk

    Splunk ID Splunk ID Splunk

    Splunk

    Splunk

    1. Splunk Web 2. [] > [][] > [] 3. [][] 4. 5. [][] [][] Splunk

    3 05 1 1

    Splunk Enterprise 3 05

    1

    Splunk Enterprise Splunk Enterprise

    Splunk _telemetry _telemetry 2 256 MB

    App $SPLUNK_HOME/etc/apps/splunk_instrumentation

    Splunk Splunk Splunk Splunk Enterprise SplunkApps Splunk Splunk Web

    Splunk Web Javascript quickdraw.splunk.com

    Splunk Enterprise web.conf updateCheckerBaseURL 0

    Splunk Apps App app.conf check_for_updatesfalse

    Splunk Enterprise

    CPU x86_64

    Linux

    Enterprise

    Splunk

    GUID Enterprise, Production,

    Splunk 7.0.0

    App

    App 1.0

    Splunk 7.0

    Linux

    Website

    Splunk Splunk Splunk Enterprise Splunk Enterprise

    Splunk Enterprise Splunk

    Splunk Enterprise ( 0 0 )

    Splunk Enterprise SplunkEnterprise

    Splunk Enterprise Enterprise Splunk

    72 72 ()

    Splunk Enterprise Splunk Enterprise

    Splunk Enterprise 60 Enterprise 60 Splunk Enterprise 500 MB/

    60 (Enterprise )SplunkFree Splunk Free Splunk Enterprise 500 MB/

    Splunk Free / (Splunk Web CLI )

    60 Splunk Enterprise Enterprise Splunk

    Enterprise SplunkEnterprise Enterprise Splunk

    150

    Splunk Splunk

    Splunk Splunk Splunk

    Enterprise Enterprise SplunkEnterprise 6.5.0 Enterprise Free Free Forwarder Beta Enterprise Splunk App Enterprise Cloud App

    Splunk Enterprise Splunk Enterprise

    Splunk Enterprise Splunk SplunkEnterprise Enterprise Splunk

    Enterprise

    Splunk Enterprise 6.5.0 Enterprise 30 5

    Enterprise Enterprise

    Enterprise Enterprise

    Splunk Enterprise 500 MB/Enterprise Splunk 60 Enterprise Splunk Free

    Splunk Enterprise Enterprise Free

    Enterprise

    Sales Sales

    Splunk Sales Enterprise Enterprise Splunk 60 Splunk Sales

    //

    Splunk //Splunk Web // 6.5.0 SplunkEnterprise

    / Enterprise Enterprise Dev/Test Enterprise

    Free Free

    Free 500 MB/

    Enterprise Splunk Free Splunk Free

    TCP/HTTP ( Splunk Splunk ) ()/LDAP

    Splunk /index=*Splunk

    Splunk Free

    EnterpriseEnterprise6.5.0 6.5.0

    EnterpriseEnterprise

    //

    EnterpriseEnterprise FreeFree

    no

    Splunk Web

    no no

    Enterprise no no

    Forwarder Forwarder

    ()()

    Forwarder Splunk

    Forwarder Forwarder Enterprise Splunk

    Beta Beta

    Splunk Splunk Splunk Free Enterprise Beta Enterprise Splunk

    () ()

    Splunk Splunk

    Search head () Enterprise Enterprise Enterprise ()

    4.2 Forwarder Forwarder

    () ()

    Splunk Splunk

    Enterprise ()

    Splunk Enterprise

    Splunk Free Splunk Free Enterprise SplunkFree

    Splunk

    Enterprise Sales Enterprise Splunk Enterprise Enterprise Enterprise Enterprise Sales Splunk Free Splunk Free Forwarder Forwarder /Enterprise Enterprise /Enterprise

    1 1 Splunk 1 1

    Enterprise/Sales -- Enterprise Sales ( Enterprise Enterprise ) Enterprise -- Splunk Enterprise Enterprise Enterprise Free -- Splunk Free Enterprise 60 Splunk Free Splunk Free Forwarder -- Splunk Splunk [] Splunk Forwarder Forwarder

    [DevTest] (/)[Production] () 1

    Splunk Enterprise 6.5.0 Splunk Enterprise 6.5.0 Production

    Splunk

    0 Splunk

    1

    1

    Splunk /Enterprise

    Splunk Splunk Enterprise Splunk

    1. [] > [][] > [] 2. [][] 3. [][] [ XML [ XML

    ...]...] /Enterprise

    4. [][] Enterprise Splunk Enterprise

    Splunk

    Splunk Splunk Splunk

    2

    Splunk 1 Enterprise Splunk Enterprise 500 MB60 Enterprise 1 Enterprise

    1 2

    ( 5 )

    6.1.x: 5.x, 6.0.x, 6.1.x

    6.2.x: 5.x, 6.0.x, 6.1.x, 6.2.x

    6.3.x: 5.x, 6.0.x, 6.1.x, 6.2.x, 6.3.x

    6.4.x: 5.x, 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x

    6.5.x: 5.x, 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, 6.5.x

    6.6.x: 5.x, 6.0.x, 6.1.x, 6.2.x, 6.3.x, 6.4.x, 6.5.x, 6.6.x

    Splunk 1 Enterprise

    Enterprise 1

    Splunk

    Splunk Splunk Splunk CLI

    1.1.Splunk Web [] > [][] > []

    2.2.[][]

    3.3. [ Splunk ]] [ Splunk ][ Splunk ]

    4.4.IP Splunk Splunk ( 8089)

    IP IPv4 IPv6 IPv6 Splunk IPv6

    5.5.[] Enterprise Splunk

    [] > [][] > [] [][] Enterprise Splunk

    1

    Splunk Splunk Splunk

    CLI

    Splunk 500 MB60 Enterprise Splunk 1 Enterprise

    [] > [][] > [] 100 MB Enterprise Splunk

    Enterprise Splunk Splunk Enterprise Enterprise auto_generated_pool_enterprise

    1.1. [][] []

    2.2.

    3.3.[]

    Enterprise auto_generated_pool_enterprise [][]

    1. []

    2.2.

    3.3. ()

    4.4.

    5.5.

    Splunk Splunk Splunk

    URI

    2

    1.1. URI

    2.2.[][] [] []

    1.1. URI

    2.2.[[]]

    CLI CLI

    Splunk CLI

    Splunk Splunk Splunk

    Splunk CLI Splunk CLI

    Splunk CLI

    Splunk REST API REST API

    CLI CLI

    Splunk CLI

    add licenseslicenser-poolsEnterprise

    edit licenser-localslavelicenser-pools

    Enterprise

    list

    licenser-groupslicenser-localslavelicenser-messageslicenser-poolslicenser-slaveslicenser-stackslicenses

    remove licenser-poolslicenses

    licenser-groups

    licenser-localslave

    licenser-messages

    licenser-pools

    1

    licenser-slaves

    licenser-stacks

    licenses Splunk

    ./splunk add licenses /opt/splunk/etc/licenses/enterprise/enterprise.lic

    ./splunk list licenses

    list (features) (group_idstack_id) (quota)(license_hash)

    ./splunk remove licenses BM+S8VetLnQEb1F+5Gwx9rR4M4Y91AkIE=781882C56833F36D

    1 (Enterprise )

    ./splunk list licenser-pools

    ./splunk add licenser-pools pool01 -quota 10mb -slaves guid1,guid2 -stack_id enterprise

    ()

    ./splunk edit licenser-pools pool01 -description "Test" -quota 15mb -slaves guid3,guid4 -append_slaves true

    Test 10 MB 15 MB guid3 guid4 (guid1 guid2 )

    ./splunk remove licenser-pools pool01

    1

    ./splunk list licenser-slaves

    ./splunk list licenser-localslave

    (splunkd URI self)

    ./splunk edit licenser-localslave -master_uri 'https://master:port'

    list ()

    ./splunk list licenser-messages


  • Splunk Splunk

    Splunk Enterprise

    Splunk CLI

    1

    1. [] > [][] > []

    2. [][]

    3. [][]

    [] [] > [ ][] > [ ] []

    Splunk Splunk Enterprise Splunk Enterprise

    1 30Enterprise 5 Free 3 Splunk Enterprise 6.5.0

    30 5 Enterprise 3 Free Enterprise

    Splunk Enterprise 6.5.0 Splunk

    ( _internal _introspection)

    0 () 30

    Splunk Splunk Splunk Enterprise 6.5.0 Splunk


  • _internal

    Splunk Web []

    [] > [][] > [] [][]

    ( 0 ) ( 0 ) ( 0 )1 30

    72 72 ()

    splunkd.log failed to transfer rows _internal

    Splunk Enterprise

    []

    0 Splunk 0 ()

    Splunk Enterprise 6.5.0 Enterprise

    150

    Answers

    Splunk AnswersSplunk


  • 1.

    () [] > [][] > [] Splunk

    2.

    3.

    [] > [][] > [] URL URL [][] Splunk

    4.

    5.

    [] > [] > [][] > [] > [] [] (Splunk Enterprise Splunk Enterprise )

    6. Splunk Enterprise /opt/splunk/etc/licenses/enterprise/()

    7. Splunk Enterprise


  • Splunk Enterprise Splunk Enterprise

    (LURV) Splunk Splunk 30

    LURV 2 () 30

    LURV []

    []> []> [][]> []> [] LURV ( 1 )

    [] []

    LURV [] 5 0

    [] Splunk REST API

    [] []

    [] []

    [] []

    [][]

    30 ()

    [][]

    [ 30 ] [ 30 ]

    [ 30 ] 5

    () 10 timechart 10

    license_usage.logtype=RolloverSummary () 0 RolloverSummary


  • 3

    4 split-by

    1 license_usage.log type=Usage ( 1 30 )

    [] > [[] > [] > []] > []

    10 Splunk

    ()

    auto_summarize savedsearches.conf 10 10 3 cron auto_summarize.cron_schedule

    () squash_threshold Splunk {} {} license_usage.log

    split-by () split-by Splunk

    server.conf [license] squash_threshold Splunk

    LURV Splunk Web

    per_host_thruput metrics.log

    5 5

    [ 5] [] 5

    5 5 F F () 5 F

    150

    30 30


  • LURV LURV

    LURV

    (LURV) Splunk

    LURV 80%

    [][] []

    | where '% used' > 80

    [] > [][] > []

    Splunk Enterprise

    LURV 30 LURV 30

    [ 30 ] $SPLUNK_HOME/var/log/splunk/license_usage.log

    2

    () $SPLUNK_HOME/var/log/splunk () [monitor://$SPLUNK_HOME/var/log/splunk]

    0


  • App App App App

    App (KV ) Splunk Apps

    Splunk Apps KV

    App UI Splunk

    KV Splunk Apps App

    KV KV

    KV

    App ( ) ( ) JSON () _key_key ID _key App _user_user ID

    KV

    KV KV KV

    KV Splunk Enterprise 64 ()32 Splunk Enterprise KV Splunk Enterprise

    KV 8191 server.conf [kvstore] Splunk Enterprise

    KV server.conf.specKV

    Splunk FIPS Splunk FIPS

    KV FIPS server.conf.specKV

    Splunk FIPS

    FIPS (caCertFilesslKeysPath sslKeysPassword) KV splunkd.log splunk start

    App KV App KV

    Splunk Enterprise 6.2 KV

    KV App $SPLUNK_HOME/etc/apps//default collections.conf transforms.conf external_type = kvstore

    KV KV

    KV

    1. REST API

    2. Splunk REST API create-read-update-delete (CRUD)

    3. REST API

    Splunk Enterprise KV Splunk Enterprise KV

    2 KV Splunk Enterprise KV

    KV Splunk Enterprise KV

    KV KV

    KV KV

    KV KV

    KV

    1. KV
    2. Splunk Enterprise bin
    3. ./splunk show kvstore-status KV KV
    4. replicationStatus KV KV

    KV KV

    1 KV

    1 KV ( -source sourceId ) KV KV

    1. CLI splunk show shcluster-status
    2.
    3. splunk resync kvstore [-source sourceId]
    4.
    5.
    6. splunk show kvstore-status

    1. KV
    2. splunk clean kvstore --local
    3. KV
    4. splunk show kvstore-status

    KV KV App KV (oplog)

    KV KV ( 1 GB)oplog KV KV 5 3 ( 2 1 ) oplog ()

    KV KV

    1. KV splunk show shcluster-status CLI
    2.
    3. $SPLUNK_HOME/bin
    4. splunk show kvstore-status
    5. oplog

    1

    ()oplog KV oplog RAM Splunk KV 1 GB

    1. CLI splunk show shcluster-status
    2.
    3. server.conf / [kvstore] / oplogSize () 1000 (MB )
    4.

    1.
    2. Splunk Enterprise
    3. splunk clean kvstore --local
    4. KV
    5. splunk show kvstore-status

    KV KV

    KV

    KV KV

    1. KV KV Splunk

    2. server.conf [kvstore] dbPath

    3. $SPLUNK_DB kvstore /var/lib/splunk/kvstore

    KV

    KV KV

    ::KV KV Splunk KV collections.conf KV collections.conf KV

    KV kvstore 3

    1. KV
    2.
    3. KV
    4.

    KV KV

    KV 3

    1. KV
    2.

    1.
    2.
    3. KV
    4.

    KV KV

    Splunk Enterprise

    1. () KV
    2. KV 1 KV 3 3

    KV KV replication_factor=1Splunk KV KV splunk clean kvstore -clusterSplunk KV replication_factor

    KV KV

    KV Splunk Enterprise

    KV KV

    REST API GET () KV KV (Splunk Enterprise )

    KV CLI KV CLI

    KV $SPLUNK_HOME/bin

    ./splunk show kvstore-status

    Splunk CLI CLI

    KV REST KV REST

    REST API cURL GET ()

    curl -k -u user:pass https://:/services/kvstore/status

    REST API REST API

    KV KV

    status replicationStatus KV mongod.log splunkd.log

    KV KV

    ready ready ()

    disabled server.conf KV KV

    KV

    Splunk KV

    KV KV


  • KV KV

    KV

    KV

    KV 1 mongod.log splunkd.log

    KV

    //

    mongod.log splunkd.log

    This member:

    date : Tue Jul 21 16:42:24 2016

    dateSec : 1466541744.143000

    disabled : 0

    guid : 6244DF36-D883-4D59-AHD3-5276FCB4BL91

    oplogEndTimestamp : Tue Jul 21 16:41:12 2016

    oplogEndTimestampSec : 1466541672.000000

    oplogStartTimestamp : Tue Jul 21 16:34:55 2016

    oplogStartTimestampSec : 1466541295.000000

    port : 8191

    replicaSet : splunkrs

    replicationStatus : KV store captain

    standalone : 0

    status : ready

    Enabled KV store members:

    10.140.137.128:8191

    guid : 6244DF36-D883-4D59-AHD3-5276FCB4BL91

    hostAndPort : 10.140.137.128:8191

    10.140.137.119:8191

    guid : 8756FA39-F207-4870-BC5D-C57BABE0ED18

    hostAndPort : 10.140.137.119:8191

    10.140.136.112:8191

    guid : D6190F30-C59A-423Q-AB48-80B0012317V5

    hostAndPort : 10.140.136.112:8191

    KV store members:

    10.140.137.128:8191

    configVersion : 1

    electionDate : Tue Jul 21 16:42:02 2016

    electionDateSec : 1466541722.000000

    hostAndPort : 10.140.134.161:8191

    optimeDate : Tue Jul 21 16:41:12 2016

    optimeDateSec : 1466541672.000000

    replicationStatus : KV store captain

    uptime : 108

    10.140.137.119:8191

    configVersion : 1

    hostAndPort : 10.140.134.159:8191

    lastHeartbeat : Tue Jul 21 16:42:22 2016

    lastHeartbeatRecv : Tue Jul 21 16:42:22 2016

    lastHeartbeatRecvSec : 1466541742.490000

    lastHeartbeatSec : 1466541742.937000

    optimeDate : Tue Jul 21 16:41:12 2016

    optimeDateSec : 1466541672.000000

    pingMs : 0

    replicationStatus : Non-captain KV store member

    uptime : 107

    10.140.136.112:8191

    configVersion : -1


  • hostAndPort : 10.140.133.82:8191

    lastHeartbeat : Tue Jul 21 16:42:22 2016

    lastHeartbeatRecv : Tue Jul 21 16:42:00 2016

    lastHeartbeatRecvSec : 1466541720.503000

    lastHeartbeatSec : 1466541742.959000

    optimeDate : ZERO_TIME

    optimeDateSec : 0.000000

    pingMs : 0

    replicationStatus : Down

    uptime : 0

    KV KV

    KV splunkd.log mongod.log Splunk Web Splunk

    KV REST/services/messages cURL GET

    curl -k -u user:pass https://:/services/messages

    REST API

    KV KV

    2 KV Splunk Enterprise KV

    KV Splunk Enterprise KV


  • Splunk Apps Splunk Apps App App

    App App Splunk Enterprise

    AppApp 1 Splunk Enterprise Splunk Apps

    Splunk Enterprise App

    App App dev.splunk.com

    AppApp

    App Splunk Enterprise Splunk Enterprise App App Splunk Enterprise App Splunk Apps for Microsoft Exchange, Splunk Apps for Enterprise Security, Splunk DB Connect App 1

    Splunk Enterprise App Splunk Add-on for Checkpoint OPSEC LEA, Splunk Add-on for Box, Splunk Add-on for McAfee

    App App

    Splunk App Splunk App App SplunkBase Splunk Splunk SplunkBase App SplunkBase App

    Splunk SplunkBase Splunk Supported App App App SplunkBase Developer Supported Splunk SplunkBase Community Supported App

    App App Splunk Splunk App Splunk Splunk App SplunkBase Splunk Splunk SplunkBase Splunk Supported Splunk App

    App App

    Splunk Splunk App


  • Splunk App App Splunk App

    App ( App )

    Splunk Splunk /

    App Splunk Web App Splunk Web

    Splunk Splunk Web App App

    App App

    App

    Splunk

    1. Splunk Web [] > [][] > []
    2. [][]
    3.
    4. [ App][ App] App
    5. []

    App App

    App App App

    1. $SPLUNK_HOME/etc/apps/user-prefs/local/user-prefs.conf (*nix) %SPLUNK_HOME%\etc\apps\user-prefs\local\user-prefs.conf (Windows )

    2. [general_default]default_namespace = search

    3. Splunk Enterprise

    User-prefs.conf.spec

    App App

    App App Splunk Web

    App App


  • 1. Splunk Web [] > [][] > []
    2. [][]
    3.
    4. [ App][ App] App
    5. []

    App App

    App App (user-prefs.conf )

    App

    App App

    SplunkBase App https://splunkbase.splunk.com Splunk Enterprise App

    Splunk Enterprise App

    App + + App

    AppApp App [App [App ]] App

    Splunk Web SplunkBase Splunk Web HTTP_PROXY

    Splunk Enterprise SplunkBase App

    1. Splunkbase App

    2. App

    3. Splunk Enterprise

    4. App $SPLUNK_HOME/etc/apps

    5. tar -xvf (*nix) WinZip (Windows) App Splunk Apps tar gzip .SPL

    6. App Splunk Enterprise

    7. App Splunk (Web UI )

    App App

  • Splunk Splunk Apps

    App Splunk Apps Splunk Splunk

    Splunk Apps Splunk

    Splunk App Splunk

    () (/) ( Splunk Cloud)

    2 Splunk Enterprise

    1 Splunk Enterprise Splunk Enterprise Splunk Enterprise / Splunk Enterprise

    App SplunkbaseSplunkbase App Splunk WebSplunk Web App

    App Splunk Web App

    App

    Splunk Web App App

    App AppApp Splunk Enterprise

    App

    Chef, Puppet, Salt, Windows

    Splunk Apps App Splunk Enterprise App

    App App

    Splunk

    App

    App App Splunk Enterprise App


  • apply shcluster-bundle App

    () App App App Splunk Web CLI App

    App App App

    Splunk Cloud App Splunk Cloud App

    Splunk Cloud App Splunk Splunk Cloud App

    Splunk Light Splunk Light

    Splunk Light Splunk Light

    App App

    App Splunk Splunk Splunk

    App apps App

    Splunk Web App () App $SPLUNK_HOME/etc/users///local App App App

    (App ) App (/)

    App App

    Splunk Splunk

    [] Splunk App App App Fflanda Fflanda Fflanda

    App App

    $SPLUNK_HOME/etc/users///local/

    $SPLUNK_HOME/etc/apps//local/

    App

    Splunk Splunk

    App App Splunk Web


  • App DCA (B.conf)

    1. A $SPLUNK_HOME/etc/users/C/D/B.conf $SPLUNK_HOME/etc/apps/D/local/B.conf

    2. App local.meta A export = system

    *nix App fflanda rhallen

    1. [rhallen] $SPLUNK_HOME/etc/users/fflanda/unix/local/eventtypes.conf $SPLUNK_HOME/etc/apps/unix/local/eventtypes.conf

    2.

    [eventtypes/rhallen]

    export = system

    $SPLUNK_HOME/etc/apps/unix/metadata/local.meta

    App export = system local.meta

    App [App][App]> [App ]> [App ]

    (/)

    ()

    App inputs.conf App $SPLUNK_HOME/etc/apps/search/local/inputs.conf

    App App

    Splunk App Splunk Splunk

    App App

    Splunk AppApp App Splunk

    App App App App App Splunk Web App

    Splunk Web App/Splunk Web App/

    Splunk Web Splunk


  • App [] > [[] > []] [] > [][] > [] [] > [][] > [] [] > [] [] > []

    App App

    App []

    []

    App App

    App

    App App

    App App

    CLI App CLI App

    CLI Splunk App

    ./splunk install app -update 1 -auth :

    Splunk App

    CLI App CLI App

    CLI Splunk App

    ./splunk disable app [app_name] -auth :

    Splunk Free

    App App

    App Splunk

    1. () App Splunk App Splunk CLI clean CLI

    2. App $SPLUNK_HOME/etc/apps/ CLI

    ./splunk remove app [App ] -auth :

    3. App () $SPLUNK_HOME/splunk/etc/users/*/

    4. Splunk

    App App

    Splunk Enterprise App [App] [App][App] App App[App ]

    App App /App App


  • App App

    App

    [App] > [App ][App] > [App ] App [][] Splunk Enterprise App

    Splunk Web App

    App

    App

    App HTMLJavaScript CSS 1

    App Splunk Splunk Apps

    Splunk Enterprise SplunkBase App App [] > [App] > [][] > [App] > []

    Splunk Web App app.conf $SPLUNK_HOME/etc/apps//local/app.conf

    [package]

    check_for_updates = 0

    app.conf App


  • Splunk Enterprise

    Splunk Enterprise admin admin changeme Splunk

    Splunk Enterprise 3 Splunk Enterprise

    Splunk Enterprise

    LDAP Splunk LDAP LDAP

    API Splunk RADIUS PAM

    Splunk Enterprise

    Splunk Enterprise

    admin () -- power () -- ()user () -- can_delete -- delete

    Splunk Enterprise

    Splunk Web [] > [][] > [] [] [] [] Splunk Enterprise email=realname=roles=

    Splunk

    Splunk 2 2 2 en_US en_GB

    Splunk

    de_DE


  • en_GB

    en_US

    fr_FR

    it_IT

    ja_JP

    ko_KR

    zh_CN

    zh_TW

    Splunk

    Splunk US English MM/DD/YYYY:HH:MM:SS British English DD/MM/YYYY:HH:MM:SS

    Splunk Splunk URL Splunk URL http://host:port/locale/... Splunk URL http://hostname:8000/en-US/account/login URL http://hostname:8000/en-GB/account/login URL

    Splunk Invalid language Specified

    Splunk Splunk

    Splunk 3

    splunkweb splunkd

    splunkweb splunkd Splunk

    splunkweb splunkd Splunk Web

    1. Splunk Web [][]

    2. [] [][]

    3. []

    4. [][]

    5. []

    splunkweb splunkd 60Splunk Web

    splunkweb splunkd web.conf (tools.sessions.timeout ) server.conf (sessionTimeout ) Splunk Web (splunkweb) Splunk (splunkd) 2 web.conf tools.sessions.timeout 90() server.conf sessionTimeout 1h(1 60 ) 60

    splunkweb/splunkd web.conf ui_inactivity_timeout Splunk 60 ui_inactivity_timeout 1

    splunkweb/splunkd ui_inactivity_timeout splunkweb splunkd


  • splunkweb : 15m

    splunkd : 20m

    (ui_inactivity_timeout) 10m

    25 (15m+10m) 25

    Splunk Web Splunk


  • Splunk Enterprise Splunk Enterprise Splunkd Proxy Splunkd Proxy

    HTTP/S splunkd HTTP/S splunkd splunkd

    (splunkd) HTTP

    Splunk Splunk Splunk

    Splunk Web SplunkBase Splunk REST API

    Splunkd Splunkd

    Splunkd HTTP

    1.HTTP Splunk splunkd Splunk Enterprise

    Apache 2.4

    Apache 2.2

    Squid 3.5

    2.server.conf REST splunkd

    TLS Proxying SSL

    Spl