splunk search

index=* host=* | where (NOT cidrmatch("10.0.0.0/8",dst) AND NOT cidrmatch("172.16.40.0/24",dst)) | top dst
top clientip | fields clientip count | rename clientip as "攻击源" | rename count as "攻击次数"    (this drops the last field, percent, that top adds)
top clientip | fields - percent | rename clientip as "攻击源" | rename count as "攻击次数"
source="tutorialdata.zip:*" index="tutorialdata" host="www1" | table _time,clientip,status
source="tutorialdata.zip:*" index="tutorialdata" host="www1" | table _time,clientip,status | sort -clientip,+status
stats count(): a field name may be placed in the parentheses; counts events

stats dc(): distinct count, counts the unique values after deduplication

stats values(): lists the distinct (deduplicated) values of the field in the parentheses

stats list(): lists every value of the specified field, without deduplication

stats avg(): computes the average
source="tutorialdata.zip:*" index="tutorialdata" host="www1" | stats count(clientip)
index="tutorialdata" sourcetype="access_combined_wcookie" status=200 "action=purchase" | stats dc(clientip)
index="tutorialdata" sourcetype="access_combined_wcookie" | stats values(host) as "主机列表"
index="tutorialdata" sourcetype="access_combined_wcookie" status=200 "action=purchase" | stats list(host)
chart: returns the results as a table suitable for building visualizations.
index="tutorialdata" sourcetype="access_combined_wcookie" status=200 "action=purchase" | chart count by host
index="tutorialdata" sourcetype="access_combined_wcookie" status=200 "action=purchase" | timechart count by host

index="tutorialdata" sourcetype="access_combined_wcookie" status=200 "action=purchase" | timechart span=8h count by host

index="tutorialdata" sourcetype="access_combined_wcookie" "action=purchase" status=200 clientip="87.194.216.51" | stats count dc(productId),values(productId) by clientip
(Search successful purchases, status 200, from IP 87.194.216.51; count the products purchased, list their distinct names, and display the result per clientip)

… | where (NOT cidrmatch("10.52.0.0/24",ipfield) AND NOT cidrmatch("10.52.40.0/24",ipfield)) | table ipfield
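The two cidrmatch searches above (the first against dst, this one against ipfield) both keep only events whose address lies outside a set of internal ranges and then count the survivors. As an added example, not code from these notes or from Splunk, the following Python implements the same pipeline over constructed flow records: a cidrmatch() mirror built on the standard ipaddress module, the "where NOT cidrmatch(...) AND NOT cidrmatch(...)" filter, and a "top" stage producing value, count and percent rows. The field name dst, the ranges, and the sample events are assumptions for the demonstration; how Splunk itself treats a malformed address is not covered by the notes, so this example simply drops such events and says so in a comment.

```python
# Added example (not from the original notes): Python equivalent of
#   | where (NOT cidrmatch("10.0.0.0/8",dst) AND NOT cidrmatch("172.16.40.0/24",dst)) | top dst
from collections import Counter
import ipaddress

# Constructed sample events (not real traffic); each carries a destination field "dst".
SAMPLE_EVENTS = [
    {"src": "10.1.2.3", "dst": "10.0.5.9"},        # internal, should be filtered out
    {"src": "10.1.2.3", "dst": "172.16.40.7"},     # internal, should be filtered out
    {"src": "10.1.2.4", "dst": "203.0.113.10"},    # external
    {"src": "10.1.2.5", "dst": "203.0.113.10"},    # external (same destination again)
    {"src": "10.1.2.6", "dst": "198.51.100.23"},   # external
    {"src": "10.1.2.7", "dst": "not-an-ip"},       # malformed value, see external_destinations()
]

# Assumed internal ranges; the notes use these two CIDRs in the first search.
INTERNAL_RANGES = ["10.0.0.0/8", "172.16.40.0/24"]


def cidrmatch(cidr, value):
    """Mirror of SPL cidrmatch(cidr, ip): True when the address is inside the CIDR block.
    A value that is not a valid address never matches."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def external_destinations(events, internal_ranges=INTERNAL_RANGES, field="dst"):
    """The 'where NOT cidrmatch(...) AND NOT cidrmatch(...)' stage.
    Design choice of this example (not a statement about Splunk): events whose field is
    missing or not a valid address are dropped instead of being reported as 'external'."""
    kept = []
    for ev in events:
        value = ev.get(field)
        if value is None:
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            continue
        if not any(cidrmatch(cidr, value) for cidr in internal_ranges):
            kept.append(ev)
    return kept


def top(events, field, limit=10):
    """The 'top <field>' stage: (value, count, percent) rows, most frequent first.
    percent is the share of the events that reached this stage, as top reports it."""
    counts = Counter(ev[field] for ev in events)
    total = sum(counts.values())
    return [(value, n, round(100.0 * n / total, 6)) for value, n in counts.most_common(limit)]


if __name__ == "__main__":
    for value, n, pct in top(external_destinations(SAMPLE_EVENTS), "dst"):
        print(f"{value:<16} {n:>5} {pct:>10.6f}")
```

Running the script prints the two external destinations with their counts and percentages; the internal and malformed records never reach the top stage, which is the behaviour the search relies on when it is used to surface traffic leaving the internal ranges.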

# Count 4xx and 5xx events

index="apachedata" sourcetype="access_combined_wcookie" status > 200 | stats count by status

Time trend of 4xx and 5xx events (line, area or column chart); visualize as a line chart. Note that status > 200 also admits 3xx redirects; status >= 400 restricts the search to error responses only.

index="apachedata" sourcetype="access_combined_wcookie" status>200 | timechart count by status
200 means "success"; everything else is "error". Count the events in each class.

eval command and the if function. eval: evaluates an expression and stores the result in a field

if(condition, result when true, result when false)

index="apachedata" sourcetype="access_combined_wcookie" | eval success=if(status==200,"成功","错误") | timechart count by success

Build a comparison chart of the 200, 400 and 500 event counts for each host

Label 200 as "success" (成功), 400 as "client error" (客户端错误) and 500 as "server error" (服务器错误); save as a column chart visualization and add it to an existing dashboard panel

index="apachedata" sourcetype="access_combined_wcookie" | chart count(eval(status==200)) as "成功", count(eval(status>=400 AND status<500)) as "客户端错误", count(eval(status>=500)) as "服务器错误" by host

List the 5 browsers users use most often, visualize as a pie chart, and save it to an existing dashboard

index=apache sourcetype="access_combined_wcookie" | top useragent limit=5
Look up region, country, city and similar information from an IP address

iplocation: resolves the location of an IP address using a third-party database

index="apachedata" sourcetype="access_combined_wcookie" | top 10 clientip | iplocation clientip

Comparison chart of GET and POST requests per server, saved to a dashboard

index="apachedata" sourcetype="access_combined_wcookie" | timechart count(eval(method=="GET")) as "GET请求",count(eval(method=="POST")) as "POST请求" by host
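The stats-by-clientip search for purchases, the eval/if success label, the 200/4xx/5xx chart by host, and the GET/POST chart by host all apply the same pattern: derive a label or a boolean from each event, then aggregate per group. The Python below, an added example rather than code from these notes or from Splunk, runs that pattern over a handful of constructed access-log lines so the semantics of count versus dc() versus values(), and of count(eval(...)) columns, can be checked by hand. The line format, the field names (host, clientip, method, uri, status, productId, action) and the sample lines are assumptions made for the demonstration; 87.194.216.51 and www1 are reused from the notes, the remaining addresses are documentation-range values.

```python
# Added example (not from the original notes): Python equivalents of
#   stats count dc(productId),values(productId) by clientip      (status=200 action=purchase)
#   eval success=if(status==200,"成功","错误")
#   chart count(eval(status==200)) as "成功", ... by host
#   timechart count(eval(method=="GET")) as "GET请求", ... by host   (per-host totals only)
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real traffic). Layout assumed for this example:
# host clientip "METHOD uri HTTP/1.1" status
SAMPLE_LOG = """\
www1 87.194.216.51 "GET /cart.do?action=purchase&productId=WC-SH-A01 HTTP/1.1" 200
www1 87.194.216.51 "POST /cart.do?action=purchase&productId=WC-SH-A02 HTTP/1.1" 200
www1 87.194.216.51 "GET /cart.do?action=purchase&productId=WC-SH-A01 HTTP/1.1" 200
www1 198.51.100.7 "GET /product.screen?productId=SF-BVS-G01 HTTP/1.1" 404
www2 198.51.100.7 "POST /cart.do?action=purchase&productId=SF-BVS-G01 HTTP/1.1" 503
www2 10.2.1.44 "GET /oldlink?itemId=EST-14 HTTP/1.1" 400
www2 10.2.1.44 "GET /category.screen?categoryId=GIFTS HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<clientip>\S+) "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})$'
)


def parse(text):
    """Turn the sample lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        pm = re.search(r"productId=([^&\s]+)", ev["uri"])
        ev["productId"] = pm.group(1) if pm else None   # null when the URI has no productId
        ev["action"] = "purchase" if "action=purchase" in ev["uri"] else None
        events.append(ev)
    return events


def purchase_stats_by_clientip(events):
    """stats count dc(productId), values(productId) by clientip, over status=200 purchases."""
    rows = {}
    for ev in events:
        if ev["status"] != 200 or ev["action"] != "purchase":
            continue
        r = rows.setdefault(ev["clientip"], {"count": 0, "products": set()})
        r["count"] += 1                                # count: every matching event
        if ev["productId"] is not None:                # dc/values: distinct non-null values only
            r["products"].add(ev["productId"])
    return {ip: {"count": r["count"],
                 "dc(productId)": len(r["products"]),
                 "values(productId)": sorted(r["products"])}
            for ip, r in rows.items()}


def success_label(status):
    """eval success=if(status==200,"成功","错误")"""
    return "成功" if status == 200 else "错误"


def count_by_success(events):
    """stats count by success (the timechart in the notes adds time buckets on top of this)."""
    return dict(Counter(success_label(ev["status"]) for ev in events))


def chart_status_classes_by_host(events):
    """chart count(eval(status==200)) as 成功, 4xx as 客户端错误, 5xx as 服务器错误 by host"""
    table = defaultdict(lambda: {"成功": 0, "客户端错误": 0, "服务器错误": 0})
    for ev in events:
        s = ev["status"]
        if s == 200:
            table[ev["host"]]["成功"] += 1
        elif 400 <= s < 500:
            table[ev["host"]]["客户端错误"] += 1
        elif s >= 500:
            table[ev["host"]]["服务器错误"] += 1
        # other codes (3xx, 201, ...) land in no column, exactly as three eval() counters behave
    return dict(table)


def chart_methods_by_host(events):
    """count(eval(method=="GET")) as GET请求, count(eval(method=="POST")) as POST请求 by host"""
    table = defaultdict(lambda: {"GET请求": 0, "POST请求": 0})
    for ev in events:
        if ev["method"] == "GET":
            table[ev["host"]]["GET请求"] += 1
        elif ev["method"] == "POST":
            table[ev["host"]]["POST请求"] += 1
    return dict(table)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(purchase_stats_by_clientip(evs))
    print(count_by_success(evs))
    print(chart_status_classes_by_host(evs))
    print(chart_methods_by_host(evs))
```

Two details worth noticing when reading the output: the 503 purchase attempt from 198.51.100.7 is absent from the per-clientip purchase table because the search filters on status=200 before aggregating, and the count column for 87.194.216.51 is 3 while dc(productId) is 2, since one product was bought twice.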