Splunk-SPL

fail* => fail, failure, failed, ...

Booleans => NOT, OR, AND
failed NOT password => 有failed, 没有password
failed OR password => 有failed, 或password
failed AND password = failed password => 有failed和password
failed NOT (success OR accepted) => 有failed, 且没有success OR accepted

filed => a表示string, #表示numerical
selected fields => 资料都有存在的栏位
interesting fields => 多数资料可能存在的栏位 (至少20%)

filed in Search
sourcetype=linux_secure => search the data which sourcetype is linux_secure
sourcetype!=linux_secure => search the data which sourcetype isn't linux_secure
=, != => numerial or string

, >=, <, <= => numerial

Search example
sourcetype=linux_secure action=failure NOT host=mail* = sourcetype=linux_secure action=failure host!=mail*
(index=web OR index=security) status!=200 != (index=web OR index=security) NOT status=200
WHY?
index=web (status=500 OR status=503 OR status=505) = index=web status IN ("500","503","505")

Search by time
sourcetype=access_combined earliest=-2h latest=-1h

Search Syntax
Search Terms, Commands(blue), Functions(purple), Arguments, Clauses(orange)
----- ------------
sourcetype=acc* status=200 | stats list(product_name) as "Games Sold" | top "Games"

                       |<----------------------------------------->| Pipes

Boolean operator and command modifier(orange)
Commands arguments(green) => time

ctrl + \ => Enter
Preferences can setting Editor

Field Command
| fields status clientip => only show two field
| fields - status clientip => remove this two field

Table Command
| table fieldname1, filedname2, fieldname3 => show table

Rename Command
| rename fieldname1 as "newfieldname1" fieldname2 as "newfieldname2" ...
rename will rename the field name, so output use need new field name
=> | rename fieldname1 as "newfieldname1" | field "newfieldname1" => it work

Dedup Command
|dedup Username => username field value do distinct work
|dedup field1 field2 => find distinct value by two fields

Sort Command
| sort field => small 2 big
| sort - field => big 2 small
| sort field1 field2 => sort field1 and then field2
Using limit argument
| sort field limit=20 => search 20 data

ch9
Transforming Commands => Order search results into a data table for statistical purposes.
Top Command
| top Vendor => top 10 by Vendor field
| top Vendor limit=20 => change to top 20 by Vendor field
Top Command Clauses
limit=int
countfield=string => change fieldname
percentfield=string => change fieldname
showcount=True/False => open or close count
showperc=True/False => open or close percent
showother=True/False
useother=True/False => open or close other
otherstr=string
Using the "by" Clause
| top fieldname by Vendor limit=3 => top fieldname limit 3 by Vendor

Rare Command => top reverse

Stats Command
count => total
distunct count => distinct total
sum
average
min
max
list => list values of field
values => unique values of a field
| stats count => total
| stats count as newfieldname => newfieldname and count
| stats count as newfieldname by filedname2, filedname3 => filedname2, filedname3 and newfieldname value is count
| stats count(field) as fieldEvent, count as "TotalEvent" => fieldEvents, totalEvent value all count
| stats distunct(field) as "newfield" by field2 = |stats dc(field) as ...
| stats sum(field) as "newfield" by field2
| stats avg(field) as "newfield"
| stats min(field) as "newfield"
| stats max(field) as "newfield"
| stats list(field) as "newfield" by field2
| stats values(field) by field2

Ch10 Reports and Dashboards
Share or save search in the future => Report
Click Save as, and choose report

每次搜寻完都可以按virtualization产生图表,并且可以存成Report,图表可以透过Line Chart, Format等等变换

Then click Save As, and choose Dashboard Panel
Dashboard有New跟Existing选项可以选, 可以选Existing後，再往下选之前的Dashboard
在View画面中案Edit可以拖拉自行排Dashboard, 也可以将Report加入Dashboard
此外还能透过AddInput让Dashbord变成GUI，在新增完图表後，要按EditSearch选inlineSearch

Ch11
Pivot(枢纽) and Datasets
Data Models (admin, power) => knowledge objects that provide the data struture that drives Pivot.Datasets like virtual table

Web upper settings, and select Data models => 透过枢纽後产生的结果在变成report or insert to dashboard

Data models are made up of Datasets

Ch12 Lookups
类似vlookup的概念
a lookup is categorized as a Dataset.
two step to use, 1. Define a lookup table 2. define lookup.
Optionally configure your lookup to run automatically.(可以自动化配置)
Lookup field values are case-sensitive by default.(默认情况下，查找字段值区分大小写)

Create lookup table: Web upper Settings select Lookups, click lookup table files add new.
Define lookup: Web upper Settings select Lookups, click define lookup add new.

The lookup command
index=web sourcetype=access_combined NOT status=200 | lookup http_status code(对照http_status表的code栏位) as status(根据这个key)
结果会有http_status的description栏位

index=web sourcetype=access_combined NOT status=200 | lookup http_status code as status, OUTPUT code as "HTTP Code", description as "HTTP Description" => 结果就会将每笔资料的code显示，并使用HTTP Code栏位命名，description则以HTTP Description命名

Create automatic lookups
Web upper Settings select Lookups, click Automatic lookups add new.

Ch13 Schedule Report and Alert
intro:根据时间产生report 并且 mail 通知

Create schedule report: search後按Save as选Report，最下面的 Time Range Picker 选No，下一页选Schedule，勾起Schedule Report check box，即可开始选Schedule相关参数.
Running concurrent reports, and the searches behind them, can put a big demand on your system hardware, even if everythong is configured to the recommended specs.(运行并发报告及其背後的搜索，可能会对系统硬件提出很大的要求，即使将所有人都配置为建议的规格。)
Includ a Schedule Window only if the report doesn't have to start at a specific time...and you're ok with the delay.(仅在报表不必在特定时间开始时才包括“计划窗口” ...并且您可以接受延迟。)
最後可以选Action决定Schedule report完成後该怎麽告知

Manage Schedule Report
Web upper Settings select "Searches, reports and alerts"即可到管理叶面，可以Edit或利马Run。 或是Web upper left App, select "App: Search & Report", select Reports, 再选自己的Report, 再由右上角去Edit之类的。
Embedding Report可以share URL给其他人看到
An Embedded Report will not show data until the scheduled search is run
也可将Report加入dashboard

Alerts
Notify you when the results of a search meet defined conditions.(搜索结果符合定义条件时通知您)
Triggered when search is completed.
Action 非常多

Create Alert
先Search选Save as选Alerts，并开始选择
Alert type:
Schedule: allows you to set a schedule and time range for the search to be run.(允许您设置运行搜索的时间表和时间范围)
realtime: will run the search continuously in the background. As soon as alert conditions are satisfied an action is triggered.(将在後台连续运行搜索，一旦满足警报条件，便会触发操作)
run continuously and can place more overhead on system performance
Alert trigger後可以再选Action

View, Edit & Manage Alerts:
Web upper right "Activity", select "Triggered Alerts"