Splunk Fundamentals 1 Lab Exercises

zoukankan html css js c++ java

Splunk Fundamentals 1 Lab Exercises

换工作到新公司了，上级安排的第一个任务就是到splunk官网看视频学习，以下是一些记录笔记。

splunk官网登录url：https://www.splunk.com/page/sign_up

1、lab3

　　1.1、直接到官网下载好安装包后，放到/opt 目录下，解压缩。

　　1.2、启动splunk：切换到splunk的bin目录下，然后sudo ./splunk start –-accept-license启动。

2、lab4 -ingesting data

　　2.1、下载文件：http://splk.it/f1data

　　2.2、依次上传acc、db_audit、linux三个文件

3、lab5 -searching

　　3.1、搜索：error OR fail*

　　3.2、搜索：fail* AND password"port 22"

　　3.2、更改"JOB"menu，将读写权限改为everyone，时间改为7days

4、lab6 -using field in searches

　　4.1、搜索：index=main sourcetype=access_combined_wcookie action=purchase 所有时间

5、lab8 -Basic commands

　　5.1、搜索：host= web_application action=purchase status=200

　　5.2、搜索：host=web_application action=purchase status=200 file=success.do

　　5.3、搜索：host=web_application action=purchase status=200 file=success.do
|fields action,JSESSIONID,status

　　5.4、搜索：host=web_application action=purchase status=200 file=success.do
|table JSESSIONID,action,status

　　5.5、搜索：host=web_application action=purchase status=200 file=success.do
| table JSESSIONID,action,status
|rename JSESSIONID AS "user sessions"

　　5.6、搜索：host=web_application action=purchase status=200 file=success.do
| table JSESSIONID,action,status
| rename JSESSIONID AS "user sessions"
|sort "user sessions"

　　5.7、搜索：host=web_application action=purchase status=200 file=success.do
| table JSESSIONID action status
| rename JSESSIONID AS "user sessions"
|dedup "user sessions"

　　5.8、搜索：host=web_application action=purchase status=200 file=success.do
| table JSESSIONID
| rename JSESSIONID AS "user sessions"
|dedup "user sessions"

　　5.9、搜索：index=main sourcetype=access_combined_wcookie action=purchase status=200

　　5.11、搜索：index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do

　　5.12、搜索：index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
|fields action JSESSIONID status

　　5.13、搜索：index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
|table action JSESSIONID status

　　5.14、搜索：index=main
sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | table JSESSIONID,
action, status

　　5.13、搜索：index=main sourcetype=access_combined_wcookie action=purchase
status=200 file=success.do | table JSESSIONID, action, status | rename JSESSIONID as UserSessions

　　5.14、搜素：index=main sourcetype=access_combined_wcookie
action=purchase status=200 file=success.do | table JSESSIONID, action, status | rename JSESSIONID as
UserSessions | sort UserSessions

　　5.15、搜索：index=main
sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | dedup
JSESSIONID | table JSESSIONID, action, status | rename JSESSIONID as UserSessions

　　5.16、搜索：index=main
sourcetype=access_combined_wcookie action=purchase status=200 file=success.do | dedup
JSESSIONID | table JSESSIONID | rename JSESSIONID as UserSessions

6、lab9 -Transforming Commands

　　6.1、搜索：index=main sourcetype=access_combined_wcookie file=success.do

　　6.2、搜索：index=main sourcetype=access_combined_wcookie action=purchase file=success.do
|top productId

　　6.3、搜索：index=main sourcetype=access_combined_wcookie action=purchase file=success.do
|top productId limit=5

　　6.4、搜索：index=main sourcetype=access_combined_wcookie file=success.do
|top productId limit=5 showperc=false

　　6.5、搜索：index=main sourcetype=access_combined_wcookie status=200

　　6.6、搜索：index=main sourcetype=access_combined_wcookie status=200
|rare file

　　6.7、搜索：index=main sourcetype=access_combined_wcookie status=200|rare file by date_month

　　6.8、搜索：index=main sourcetype=access_combined_wcookie file=success.do OR file=cart.do status=200

　　6.9、搜索：index=main sourcetype=access_combined_wcookie file=success.do OR file=cart.do status=200
|stats count by file

　　6.10、搜索：index=main sourcetype=access_combined_wcookie file=success.do OR file=cart.do status=200
| stats count by file
|rename count as Transactions 或index=main sourcetype=access_combined_wcookie file=success.do OR file=cart.do status=200 | stats
count as Transactions by file

　　6.11、搜索：index=main sourcetype=access_combined_wcookie file=success.do OR file=cart.do status=200
| stats count as Transactions by file
|rename file as Function

　　6.12、搜索：index=main sourcetype=access_combined_wcookie
|stats dc(JSESSIONID) #找出会话数量并将重复的去处

　　6.13、搜索：index=main sourcetype=access_combined_wcookie
|stats dc(JSESSIONID) as Logins #将JSESSIONID命名为Login

　　6.14、搜索：index=main sourcetype=access_combined_wcookie
|stats dc(JSESSIONID) as Logins by clientip #以clientip分割出Login

　　6.15、搜索：index=main sourcetype=access_combined_wcookie
| stats dc(JSESSIONID) as Logins by clientip
|sort -Logins #将上一步取到的结果排序

　　6.16、搜索：index=main sourcetype=access_combined_wcookie status=200

　　6.17、搜索：index=main sourcetype=access_combined_wcookie status=200
|stats sum(bytes) as TotalBytes #查找所有带宽并命名为TotalBytes

　　6.18、搜索：index=main sourcetype=access_combined_wcookie status=200
|stats sum(bytes) as TotalBytes by file #以file分割出TotalBytes

　　6.19、搜索：index=main sourcetype=access_combined_wcookie status=200
| stats sum(bytes) as TotalBytes by file
|sort file #排序file名

　　6.20、搜索：index=main sourcetype=access_combined_wcookie status=200
| stats sum(bytes) as TotalBytes by file
|sort TotalBytes #将所用的带宽排序

　　6.21、搜索：index=main sourcetype=db_audit
|stats avg(Duration) #查看所有平均请求时间

　　6.22、搜索：index=main sourcetype=db_audit
|stats avg(Duration) as "time to complet" by Command #将Duration 重命名为time to complete 并以Command分割

　　6.23、搜索：index=main sourcetype=db_audit
| stats avg(Duration) as "time to complete" by Command
|sort -"time to complete" #排序

　　6.24、搜索：index=main sourcetype=access_combined_wcookie
|stats list(useragent) #以useragent生成列表

　　6.25、搜索：index=main sourcetype=access_combined_wcookie | stats values(useragent) as "Agents used"#重命名

　　6.26、搜索：index=main sourcetype=access_combined_wcookie | stats values(useragent) as "Agents used" count as
"Times used" by useragent

　　6.27、搜索：index=main sourcetype=access_combined_wcookie | stats values(useragent) as "Agents used" count as
"Times used" by useragent | table "Agents used", "Times used"

7、lab10 -Creating Reports and Dashbords

　　7.1、搜索：index=main sourcetype=access_combined_wcookie status=403

　　7.2、搜索：index=main sourcetype=access_combined_wcookie status=403
|stats count as attempts by clientip #重命名并计数

　　7.3、搜索：index=main sourcetype=access_combined_wcookie status=403
| stats count as attempts by clientip
|sort -attempts #排序

　　7.4、搜索：index=main sourcetype=access_combined_wcookie status=200 file=success.do

　　7.5、搜索：index=main sourcetype=access_combined_wcookie status=200 file=success.do
|stats count by productId

8、lab11 - Using Pivot with Solutions

　　8.1、搜索：index=main sourcetype=access_combined_wcookie

9、lab12 -Creating Lookups with Solutions

　　9.1、搜索：| inputlookup products_lookup

　　9.2、搜索：index=main sourcetype=access_combined_wcookie file=success.do status=200

　　9.3、搜索：index=main sourcetype=access_combined_wcookie status=200 file=success.do
| lookup products_lookup productId as productId OUTPUT product_name as ProductName

　　9.4、搜索：index=main sourcetype=access_combined_wcookie status=200 file=success.do
| lookup products_lookup productId as productId OUTPUT product_name as ProductName
| stats count by ProductName

　　9.5、搜索：index=main sourcetype="access_combined_wcookie" file=success.do status=200 | stats sum(Price) as
Revenue by ProductName

　　9.6、搜索：index=main sourcetype="access_combined_wcookie" file=success.do status=200 | stats sum(Price) as
Revenue by ProductName | sort -Revenue

10、lab13 - Creating Alerts with Solutions

　　10.1、搜索：index=_audit action="login attempt" info=failed user=syntek #搜索登录失败events

查看全文

相关阅读:
shiro的授权与认证
 spring-aop
GC选择之串行收集与并行收集
 4. Tomcat调优
 spring boot 启动开启注解加载 bean
一、JavaScript实现AJAX(只需四步)
DVWA安装
 CTF入门指南
 Metasploit 学习
 JSP笔记

原文地址：https://www.cnblogs.com/fumy/p/11686612.html