잠토의 잠망경


[Splunk] Study - February 21 (time 3)

잠수함토끼 2020. 2. 21. 14:41

trendline

Things related to moving-average lines (as in stock charts)

sourcetype="access_combined" action=purchase status=200 
| timechart span=2h sum(price) as sales 
| trendline sma2(sales) as trend

Visualization
General > Multi-series mode: No, Show data values: Min/Max
Chart Overlay > Overlay: trend

iplocation

sourcetype="linux_secure" (fail* OR invalid)
| iplocation src_ip

※ Accuracy is low (the level of detail is poor).

Map

Drawing a map

sourcetype="linux_secure" (fail* OR invalid)
| iplocation src_ip
| geostats globallimit=20 count by user

Choropleth Map geom

sourcetype="vendor_sales"
|stats count as sales by VendorCountry
|geom geo_countries featureIdField=VendorCountry

gauge

Rarely used these days (not recommended)

sourcetype="linux_secure" vendor_action=failed
|stats count 
| gauge count 0 100 250 400

Number

Display as a single representative number

sourcetype="linux_secure" vendor_action=failed
| stats count(vendor_action)

Visualization > Single Value > Format

As a timechart

A form where the headline number appears with a chart underneath it (sparkline)

sourcetype="linux_secure" fail* OR invalid 
| timechart span=15m count(vendor_action)

Visualization > Single Value > Format

eval

sourcetype="cisco_wsa_squid" 
| stats sum(sc_bytes) as Bytes by usage
| eval bandwidth = Bytes/(1024*1024)

sourcetype="cisco_wsa_squid" 
| stats sum(sc_bytes) as Bytes by usage 
| eval bandwidth = round(Bytes/(1024*1024),2) 
| sort - bandwidth 
| rename bandwidth as "Bandwidth (MB)"

sourcetype="cisco_wsa_squid" 
| stats sum(sc_bytes) as Bytes by usage 
| eval bandwidth = round(Bytes/(1024*1024),2) 
| sort - bandwidth
| fields - Bytes

Pulling specific values out of a field

sourcetype="linux_secure" vendor_action=*
| stats count(eval(vendor_action="Accepted")) as Accepted, count(eval(vendor_action="Failed")) as Failed

Like building an SQL CASE statement

stats, tostring (String.format)

sourcetype="access_combined" 
| stats count(price) as NumberofLostSales, avg(price) as Average, sum(price) as total
| eval AverageString = "$" + tostring(Average, "commas")
| eval TotalString = "$" + tostring(total, "commas")

Plays the same role as String.format (C#, Python)

range

sourcetype="access_combined" 
| stats range(_time) as sessiontime by JSESSIONID
| sort 5 -sessiontime
| eval duration = tostring(sessiontime, "duration")

Category

Convert to a string, then sort

sourcetype="access_combined" 
|stats values(price) as price by product_name
|sort -price
|eval price = "$"+tostring(price)

The result differs from the search below.

sourcetype="access_combined" 
|stats values(price) as price by product_name
|eval price = "$"+tostring(price)
|sort -price

case

sourcetype="cisco_wsa_squid" 
| eval risk = case(x_wbrs_score >=5, "1 very safe", x_wbrs_score >=3, "3 very safe",  1==1, "etc")
| timechart count by risk

Same as an ordinary case statement
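As an added example that is not part of the original post: this search combines the patterns from the notes above (count(eval()), range(_time) with tostring "duration", iplocation and case) into one failed-login summary per source address, the kind of view a defender would build from linux_secure. The fields vendor_action, src_ip and user come from the notes; the thresholds (50 failures) and the risk labels are assumptions.

```spl
sourcetype="linux_secure" vendor_action=*
| stats count(eval(vendor_action="Failed")) as Failed,
        count(eval(vendor_action="Accepted")) as Accepted,
        range(_time) as active_secs,
        dc(user) as users by src_ip
| eval fail_ratio = if(Failed+Accepted>0, round(Failed/(Failed+Accepted), 2), null())
| eval risk = case(Failed>=50 AND Accepted>0, "1 high: many failures followed by a success",
                   Failed>=50, "2 medium: repeated failures only",
                   1==1, "3 low")
| eval active = tostring(active_secs, "duration")
| iplocation src_ip
| sort - Failed
| fields src_ip Country Failed Accepted fail_ratio users active risk
```

Sorting on Failed before the string conversion keeps the numeric order, the same point the "Convert to a string, then sort" section makes above.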

search, where
