Splunk Fundamentals 2 – Lab Exercises

    1. Lab Exercise 2 – Beyond Search Fundamentals

      1.1 Search: index=web sourcetype=access_combined
    | table clientip action status

    2. Lab Exercise 3 – Commands for Visualizations

      2.1 Search: index=security sourcetype=linux_secure vendor_action=failed

      2.2 Search: sourcetype=linux_secure vendor_action=failed
    | chart count over vendor_action by src_ip # chart the count of each failed action, split by source IP

      2.3 Search: index=security sourcetype=linux_secure vendor_action=failed
    | chart count over vendor_action by src_ip useother=f # drop the OTHER column

      2.4 Search: index=sales sourcetype=vendor_sales VendorID<4000

      2.5 Search: index=sales sourcetype=vendor_sales VendorID<4000
    | chart count over VendorCountry

      2.6 Search: index=sales sourcetype=vendor_sales VendorID<4000
    | chart count over VendorCountry by product_name

      2.7 Search: index=sales sourcetype=vendor_sales VendorID<4000
    | chart count over VendorCountry by product_name limit=5 # keep only the top 5 series

      2.8 Search: index=sales sourcetype=vendor_sales VendorID<4000
    | chart count over VendorCountry by product_name limit=5 useother=f # drop the OTHER column

      2.9 Search: index=network sourcetype=cisco_wsa_squid
    | timechart count by usage

      2.10 Search: (index=web sourcetype=access_combined action=purchase status=200)

      2.11 Search: (index=web sourcetype=access_combined action=purchase status=200) OR (index=sales
    sourcetype=vendor_sales)

      2.12 Search: (index=web sourcetype=access_combined action=purchase status=200) OR (index=sales
    sourcetype=vendor_sales)
    | timechart span=1h count by sourcetype

      2.13 Search: (index=web sourcetype=access_combined action=purchase status=200) OR (index=sales
    sourcetype=vendor_sales)
    | timechart span=1h count by sourcetype
    | rename access_combined as webSales, vendor_sales as retailSales

    3. Lab Exercise 4 – Advanced Visualizations

      3.1 Search: index=security sourcetype=linux_secure fail*

      3.2 Search: index=security sourcetype=linux_secure fail*
    | timechart span=1d count as failures

      3.2 (continued) Search: index=security sourcetype=linux_secure fail*
    | timechart span=1d count as failures
    | trendline sma2(failures) as trend

      3.3 Search: index=sales sourcetype=vendor_sales categoryId="STRATEGY"

      3.4 Search: index=sales sourcetype=vendor_sales categoryId="STRATEGY"
    | timechart span=1d count

      3.5 Search: index=sales sourcetype=vendor_sales VendorID<3000

      3.6 Search: index=sales sourcetype=vendor_sales VendorID<3000
    | chart count by VendorStateProvince
    | geom geo_us_states featureIdField=VendorStateProvince

      3.7 Search: index=web sourcetype=access_combined action=purchase status=200

      3.8 Search: index=web sourcetype=access_combined action=purchase status=200
    | iplocation clientip

      3.9 Search: index=web sourcetype=access_combined action=purchase status=200
    | iplocation clientip
    | geostats count by clientip

      3.10 Search: index=sales sourcetype=vendor_sales
    | stats count as "Units Sold" by VendorCountry

      3.11 Search: index=sales sourcetype=vendor_sales
    | stats count as "Units Sold" by VendorCountry
    | addtotals col=t row=f labelfield="VendorCountry"

    4. Lab Exercise 5 – Filtering and Formatting Data

      4.1 Search: index=web sourcetype=access_combined

      4.2 Search: index=web sourcetype=access_combined
    | timechart sum(bytes) as bytes

      4.3 Search: sourcetype=access_combined
    | timechart sum(bytes) as bytes
    | eval megabytes=bytes/(1024*1024)

      4.4 Search: index=web sourcetype=access_combined
    | timechart sum(bytes) as bytes
    | eval megabytes=round(bytes/(1024*1024),2)

      4.5 Search: index=web sourcetype=access_combined
    | timechart sum(bytes) as bytes
    | eval megabytes=round(bytes/(1024*1024),2)
    | fields - bytes

      4.6 Search: index=web sourcetype=access_combined

      4.7 Search: index=web sourcetype=access_combined
    | chart count over host by method

      4.8 Search: index=web sourcetype=access_combined
    | chart count over host by method
    | eval Ratio=GET/POST

      4.9 Search: index=web sourcetype=access_combined
    | chart count over host by method
    | eval Ratio=round(GET/POST,2)

      4.10 Search: index=security sourcetype=linux_secure fail*

      4.11 Search: index=security sourcetype=linux_secure fail*
    | stats count by user

      4.12 Search: index=security sourcetype=linux_secure fail*
    | stats count by user
    | search count>3
    | sort -count

      4.13 Search: index=network sourcetype=cisco_wsa_squid

      4.14 Search: index=network sourcetype=cisco_wsa_squid
    | stats count by http_content_type

      4.15 Search: index=network sourcetype=cisco_wsa_squid
    | stats count by http_content_type
    | eval type=if(http_content_type LIKE "image%","graphic","other")

      4.16 Search: index=network sourcetype=cisco_wsa_squid
    | stats count by http_content_type
    | eval type=if(http_content_type LIKE "image%","graphic","other")
    | stats sum(count) as total by type

      4.17 Search: (index=web sourcetype=access* action=purchase status=200) OR (index=sales
    sourcetype=vendor_sales)

      4.18 Search: (index=web sourcetype=access* action=purchase status=200) OR (index=sales
    sourcetype=vendor_sales)
    | chart count(productId) as Count over product_name by sourcetype

      4.19 Search: (index=web sourcetype=access* action=purchase status=200) OR (index=sales
    sourcetype=vendor_sales)
    | chart count(productId) as Count over product_name by sourcetype
    | where access_combined > vendor_sales*2

      4.20 Search: (index=web sourcetype=access* action=purchase status=200) OR (index=sales
    sourcetype=vendor_sales)
    | chart count(productId) as Count over product_name by sourcetype
    | search access_combined > vendor_sales*2 # no results: search compares a field with a literal value, so use where to compare two fields

    5. Lab Exercise 6 – Correlating Events

      5.1 Search: index=web sourcetype=access_combined

      5.2 Search: index=web sourcetype=access_combined
    | table _time, clientip, JSESSIONID, action

      5.3 Search: index=web sourcetype=access_combined action=*
    | table _time, clientip, JSESSIONID, action

      5.4 Search: index=web sourcetype=access_combined action=*
    | transaction JSESSIONID

      5.5 Search: index=web sourcetype=access_combined action=*
    | transaction JSESSIONID
    | table JSESSIONID, clientip, action

      5.6 Search: index=web sourcetype=access_combined action=*
    | transaction JSESSIONID
    | table JSESSIONID, clientip, action
    | search action=purchase

      5.7 Search: index=web sourcetype=access_combined action=*
    | transaction JSESSIONID
    | table JSESSIONID, clientip, duration, eventcount, action
    | search action=purchase

      5.8 Search: index=web sourcetype=access_combined action=*
    | transaction JSESSIONID
    | table JSESSIONID, clientip, duration, eventcount, action
    | search action=purchase
    | eval durationMinutes=round(duration/60,1)

      5.9 Search: index=web sourcetype=access_combined action=*
    | transaction JSESSIONID
    | search action=purchase
    | eval durationMinutes=round(duration/60,1)
    | table JSESSIONID, clientip, action, durationMinutes, eventcount
    | where durationMinutes > 1

      5.10 Search: index=web sourcetype=access_combined
    | transaction clientip

      5.11 Search: index=web sourcetype=access_combined
    | transaction clientip startswith=action="addtocart" endswith=action="purchase"

      5.12 Search: index=web sourcetype=access_combined
    | transaction clientip startswith=action="addtocart" endswith=action="purchase"
    | table clientip, JSESSIONID, product_name, action, duration, eventcount, price
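To show what the transaction command in 5.7–5.9 and 5.11–5.12 actually computes (duration, eventcount, multivalued fields, and the startswith/endswith boundaries), here is an added Python model run over a few constructed access_combined-style events. It is not part of the lab and the event tuples and simplified grouping rule are assumptions; Splunk's own implementation walks events newest-first and has more options (maxspan, keeporphans) that are not modelled.

```python
from datetime import datetime

# Constructed sample events: (_time, clientip, JSESSIONID, action, product_name, price).
SAMPLE_EVENTS = [
    ("2019-10-21 09:59:00", "203.0.113.10", "SD1", "view", "Dream Crusher", 39.99),
    ("2019-10-21 10:00:00", "203.0.113.10", "SD1", "addtocart", "Dream Crusher", 39.99),
    ("2019-10-21 10:00:30", "203.0.113.10", "SD1", "view", "Mediocre Kingdoms", 24.99),
    ("2019-10-21 10:01:40", "203.0.113.10", "SD1", "purchase", "Dream Crusher", 39.99),
    ("2019-10-21 10:05:00", "198.51.100.7", "SD2", "addtocart", "Final Sequel", 24.99),
    ("2019-10-21 10:05:20", "198.51.100.7", "SD2", "purchase", "Final Sequel", 24.99),
    ("2019-10-21 10:06:00", "192.0.2.44", "SD3", "view", "Final Sequel", 24.99),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def _summarize(evs):
    """Collapse one transaction: duration = last minus first timestamp,
    eventcount = number of events, product_name becomes multivalued."""
    first, last = evs[0], evs[-1]
    return {
        "clientip": first[1], "JSESSIONID": first[2],
        "product_name": sorted({e[4] for e in evs}),
        "action": last[3], "price": last[5],
        "duration": (_ts(last[0]) - _ts(first[0])).total_seconds(),
        "eventcount": len(evs),
    }

def transactions(events, startswith="addtocart", endswith="purchase"):
    """Simplified `transaction clientip startswith=... endswith=...`: per clientip,
    events from the start action through the end action form one transaction;
    events outside any open transaction are dropped (assumption: a second start
    action while one is open simply joins the open transaction)."""
    open_tx, done = {}, []
    for ev in sorted(events, key=lambda e: e[0]):
        ip = ev[1]
        if ev[3] == startswith and ip not in open_tx:
            open_tx[ip] = [ev]
        elif ip in open_tx:
            open_tx[ip].append(ev)
            if ev[3] == endswith:
                done.append(_summarize(open_tx.pop(ip)))
    return done

def slow_purchases(events, min_minutes=1):
    """| eval durationMinutes=round(duration/60,1) | where durationMinutes > min_minutes"""
    out = []
    for tx in transactions(events):
        tx["durationMinutes"] = round(tx["duration"] / 60, 1)
        if tx["durationMinutes"] > min_minutes:
            out.append(tx)
    return out
```

Note that the 09:59 "view" event from 203.0.113.10 is excluded because it precedes the addtocart that opens the transaction, and 192.0.2.44 never forms one at all.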

      5.13 Search: (index=web sourcetype=access_combined) OR (index=network sourcetype=cisco_wsa_squid) status>399
    | fields sourcetype status

      5.14 Search: (index=web sourcetype=access_combined) OR (index=network sourcetype=cisco_wsa_squid) status>399
    | fields sourcetype status
    | transaction status maxspan=5m

      5.15 Search: (index=web sourcetype=access_combined) OR (index=network sourcetype=cisco_wsa_squid) status>399
    | fields sourcetype status
    | transaction status maxspan=5m
    | search sourcetype=access_combined AND sourcetype=cisco_wsa_squid

      5.16 Search: (index=network sourcetype=cisco_wsa_squid) OR
    (index=web sourcetype=access_combined) status>399
    | fields sourcetype, status
    | transaction status maxspan=5m
    | search sourcetype=access_combined AND sourcetype=cisco_wsa_squid
    | timechart count by status

      5.17 Search: (index=network sourcetype=cisco_wsa_squid) OR
    (index=web sourcetype=access_combined) status>399
    | fields sourcetype, status
    | transaction status maxspan=5m
    | search sourcetype=access_combined AND sourcetype=cisco_wsa_squid
    | timechart count by status
    | addtotals
    | search Total>4

    6. Lab Exercise 8: Field Extractions

      6.1 Search for all events in the last 24 hours for the linux_secure sourcetype that contain the keyword port.
    index=security sourcetype=linux_secure port

      6.2 Wait for about 30 seconds, then search for events in the linux_secure sourcetype in the last 24 hours.
    List the top ports by IP address.
    index=security sourcetype=linux_secure | top port by src

      6.3 Search for all events in the last 30 days for the SimCubeBeta sourcetype in the games index.
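The failed-login threshold search in 4.10–4.12 and the `top port by src` search in 6.2 both rely on the same extracted fields (user, src, port). The following added Python example, not part of the lab, extracts those fields from a few constructed sshd-style lines and reproduces both pipelines, so the reader can see what stats, search count>3, sort -count and top compute; the sample lines and the regex are assumptions about the linux_secure format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events in the sshd/linux_secure style the labs search over.
SAMPLE_EVENTS = [
    "Mon Oct 21 10:00:01 2019 www1 sshd[4101]: Failed password for root from 10.1.1.5 port 40001 ssh2",
    "Mon Oct 21 10:00:03 2019 www1 sshd[4102]: Failed password for root from 10.1.1.5 port 40002 ssh2",
    "Mon Oct 21 10:00:05 2019 www1 sshd[4103]: Failed password for root from 10.1.1.5 port 40003 ssh2",
    "Mon Oct 21 10:00:07 2019 www1 sshd[4104]: Failed password for root from 10.1.1.5 port 40004 ssh2",
    "Mon Oct 21 10:00:09 2019 www1 sshd[4105]: Failed password for invalid user admin from 10.1.1.9 port 51000 ssh2",
    "Mon Oct 21 10:00:11 2019 www1 sshd[4106]: Failed password for invalid user admin from 10.1.1.9 port 51000 ssh2",
    "Mon Oct 21 10:00:13 2019 www1 sshd[4107]: Accepted password for alice from 10.1.1.7 port 60000 ssh2",
    "Mon Oct 21 10:00:15 2019 www1 sshd[4108]: Failed password for alice from 10.1.1.7 port 60001 ssh2",
]

# Field extraction: stands in for the user / src / port fields Splunk extracts from the event.
EVENT_RE = re.compile(
    r"(?P<action>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

def extract(events):
    """Yield one dict of extracted fields per parsable event."""
    for line in events:
        m = EVENT_RE.search(line)
        if m:
            yield m.groupdict()

def failures_over_threshold(events, threshold=3):
    """fail* | stats count by user | search count>threshold | sort -count"""
    counts = Counter(e["user"] for e in extract(events) if e["action"] == "Failed")
    return sorted(((u, c) for u, c in counts.items() if c > threshold),
                  key=lambda uc: -uc[1])

def top_port_by_src(events):
    """| top port by src: for each source IP, its ports ordered by count."""
    per_src = defaultdict(Counter)
    for e in extract(events):
        per_src[e["src"]][e["port"]] += 1
    return {src: ports.most_common() for src, ports in per_src.items()}

if __name__ == "__main__":
    print(failures_over_threshold(SAMPLE_EVENTS))
    print(top_port_by_src(SAMPLE_EVENTS))
```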

    7. Lab Exercise 11: Creating and Using Macros

      7.1 Using the stats command, create a table showing the total retail sales for each product sold in Europe
    (combining sales from Germany, France, and Italy) over the Last 30 days and rename the total sales
    column as USD.
    index=sales sourcetype=vendor_sales (VendorCountry=Germany OR VendorCountry=France OR VendorCountry=Italy)
    | stats sum(price) as USD by product_name

      7.2 Using the eval command, convert the numeric values in the total sales column to strings and concatenate
    them with a $ sign.
    index=sales sourcetype=vendor_sales (VendorCountry=Germany OR VendorCountry=France OR VendorCountry=Italy)
    | stats sum(price) as USD by product_name
    | eval USD="$"+tostring(USD,"commas")

      7.3 Run the following search to determine total sales for each product from vendors in Europe in the last 30
    days:
    sourcetype=vendor_sales (VendorCountry=Germany OR VendorCountry=France OR VendorCountry=Italy)
    | stats sum(price) as USD by product_name
    | eval euro = "€" + tostring(round(USD*0.79,2), "commas"), USD = "$" + tostring(USD, "commas")

      7.4 To make things easy for the user, the currency, currency symbol and exchange rate are arguments. Enter
    the following search string as the macro definition (the arguments are encapsulated by the $ signs):
    stats sum(price) as USD by product_name
    | eval $currency$="$symbol$".tostring(round(USD*$rate$,2),"commas"), USD="$" + tostring(USD,"commas")

      7.5 Perform a search for sourcetype=vendor_sales where the VendorCountry is Germany, France, or
    Italy. Use the macro and pass the arguments euro, €, and 0.79 for results in the Last 30 days.
    Hint: `convert_sales(currency,symbol,rate)`
    index=sales sourcetype=vendor_sales (VendorCountry=Germany OR VendorCountry=France OR VendorCountry=Italy)
    | `convert_sales(euro,€,.79)`

Original article: https://www.cnblogs.com/fumy/p/11727681.html