event: essentially a record, much like a row in a database table. The difference is that the raw data originally has no field names; Splunk standardises a few fields to tag each record, such as host, source, sourcetype and time. These fields are assigned when the data source is ingested.
host: tags which virtual or physical machine the data came from.
source: tags the data stream the event came from, for example a file.
sourcetype: categorises the source.
field: the data is usually comma-separated with nothing stating what each value means, so on this page you can give the N values N field names to make the events readable and queryable. You can run something like index="artraw" sourcetype="artraw-csv" to pull up the raw events, then click here to define a custom extraction.
Index: similar to a database table; a virtual index additionally contains the extraction program definitions and so on.
Search: uses SPL to retrieve, filter and transform data from an index into the shape you want.
Pivot: instead of producing results directly with SPL, this feature lets you build the report or chart you want in the UI, but it requires a dataset / data model to be defined first.
Report: produced from the two features above; under particular conditions (optionally on a schedule) it can generate an Alert.
Alert: performs some action when a particular condition occurs, such as sending an email or calling a script (Python, Java and so on all work).
Dashboard: made up of multiple panels, used to place several reports or charts together. It also provides global variable storage (tokens); the searches defined in the dashboard can use these variables as conditions to correlate the panels.
other: Splunk also provides distributed features such as distributed search and forwarding data between instances.
SPL (Search Processing Language): SPL pulls data out of an index, processes it in one stage, then passes the result through "|" as the input to the next stage, so processing is serial. If you want results from two different data streams, a subsearch gives you a parallel effect. Practically all of Splunk's features are built on SPL.
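As an added example that is not part of the original post, the two searches below show the serial pipeline and the subsearch form described above, written as a defender would use them: first rank accounts by failed logins, then use a subsearch to pull only the successful logins of accounts that had previously failed many times. They assume an index named auth with sourcetype linux_secure whose events already have the fields user, action (values success or failure) and src_ip extracted; those names and the threshold of 10 failures are assumptions, not anything defined on this page.

```spl
index="auth" sourcetype="linux_secure" action="failure"
| stats count AS failures, dc(src_ip) AS distinct_sources BY user
| where failures >= 10
| sort - failures

index="auth" sourcetype="linux_secure" action="success"
    [ search index="auth" sourcetype="linux_secure" action="failure"
      | stats count AS failures BY user
      | where failures >= 10
      | fields user ]
| stats earliest(_time) AS first_success, values(src_ip) AS source_ips, count AS successes BY user
| eval first_success=strftime(first_success, "%Y-%m-%d %H:%M:%S")
| sort - successes
```

In the first search each stage only sees the output of the stage before it: stats collapses the events to one row per user, where drops rows, sort orders what is left. In the second search the bracketed subsearch runs first and on its own; the `fields user` at its end makes it return a filter of the form `( user="alice" ) OR ( user="bob" )`, which Splunk substitutes into the outer search before that search starts. Two caveats matter in practice: a subsearch is capped by default at 10,000 results and 60 seconds, and when it hits either limit the outer search silently runs with a truncated filter, so keep the subsearch narrow and check the job inspector when the numbers look too small.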
For converting SQL to SPL, see:
http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/SQLtoSplunk
Splunk provides very good documentation for the search syntax itself, including a Simplified Chinese translation; just change the version number in the URL:
http://docs.splunk.com/Documentation/Splunk/6.6.3
http://docs.splunk.com/Documentation/Splunk/6.6.3/Translated/SimplifiedChinesemanuals
The Splunk Search Manual is very detailed and covers the search mechanism, UI operation, syntax and optimisation; the Search Reference explains the commands and functions available to use alongside the Search Manual.
For chart types, choose the type under Visualization; you only need to produce the data the chart needs.
A search like this one can be rendered as a bar chart or a pie chart:
source="data.json" host="hln2083p" index="testloginstatus" sourcetype="_json"
| chart count BY status
| eval status=if(status=="true","Normal Login","Abnormal Login")
| rename count AS "Amount"
Some more complex report SPL examples follow.
The values of the variables ($...$) here all come from UI inputs bound in the dashboard (tokens). This search mainly produces summaries: totals, rates and so on. Written this way, multiple conditions are evaluated against the same stream and several results are combined in one pass, without extracting the data again and without a subsearch (a subsearch runs before the parent search, runs separately, and is only merged at the end).
index="artraw" sourcetype="artraw-csv"
| where isnotnull(ELAPSED_TIME)
| where APPLICATION_NAME = if($INPUT_APPLICATION_NAME$=="*",APPLICATION_NAME,$INPUT_APPLICATION_NAME$)
| where MODULE_NAME = if($INPUT_MODULE_NAME$=="*",MODULE_NAME,$INPUT_MODULE_NAME$)
| where SERVICE_NAME = if($INPUT_SERVICE_NAME$=="*",SERVICE_NAME,$INPUT_SERVICE_NAME$)
| stats count AS "TOTAL_TRANSATION",
        avg(ELAPSED_TIME) AS "AVERAGE_RESPONSE_TIME",
        count(eval(if(ELAPSED_TIME < 5,1,null()))) AS "LESS_THAN_5s",
        count(eval(if(ELAPSED_TIME >= 5 AND ELAPSED_TIME < 10,1,null()))) AS "BETWEEN_5s_TO_10s",
        count(eval(if(ELAPSED_TIME >= 10 AND ELAPSED_TIME < 15,1,null()))) AS "BETWEEN_10s_TO_15s",
        count(eval(if(ELAPSED_TIME >= 15 AND ELAPSED_TIME < 20,1,null()))) AS "BETWEEN_15s_TO_20s",
        count(eval(if(ELAPSED_TIME >= 20,1,null()))) AS "MORE_THAN_20s"
    BY APPLICATION_NAME,MODULE_NAME,SERVICE_NAME
| where TOTAL_TRANSATION >= $INPUT_TOTAL_TRANSATION$
| eval RATE_LESS_THAN_5s=substr(tostring(LESS_THAN_5s/TOTAL_TRANSATION*100),1,4)+"%"
| eval RATE_BETWEEN_5s_TO_10s=substr(tostring(BETWEEN_5s_TO_10s/TOTAL_TRANSATION*100),1,4)+"%"
| eval RATE_BETWEEN_10s_TO_15s=substr(tostring(BETWEEN_10s_TO_15s/TOTAL_TRANSATION*100),1,4)+"%"
| eval RATE_BETWEEN_15s_TO_20s=substr(tostring(BETWEEN_15s_TO_20s/TOTAL_TRANSATION*100),1,4)+"%"
| eval RATE_MORE_THAN_20s=substr(tostring(MORE_THAN_20s/TOTAL_TRANSATION*100),1,4)+"%"
| table APPLICATION_NAME,MODULE_NAME,SERVICE_NAME,TOTAL_TRANSATION,AVERAGE_RESPONSE_TIME,LESS_THAN_5s,RATE_LESS_THAN_5s,BETWEEN_5s_TO_10s,RATE_BETWEEN_5s_TO_10s,BETWEEN_10s_TO_15s,RATE_BETWEEN_10s_TO_15s,BETWEEN_15s_TO_20s,RATE_BETWEEN_15s_TO_20s,MORE_THAN_20s,RATE_MORE_THAN_20s
This one shows the details of each record (CREATION_TIME is shifted by 28800 seconds, i.e. 8 hours, to display it in HKT):
index="artraw" sourcetype="artraw-csv"
| where APPLICATION_NAME = if($INPUT_APPLICATION_NAME$=="*",APPLICATION_NAME,$INPUT_APPLICATION_NAME$)
| where MODULE_NAME = if($INPUT_MODULE_NAME$=="*",MODULE_NAME,$INPUT_MODULE_NAME$)
| where SERVICE_NAME = if($INPUT_SERVICE_NAME$=="*",SERVICE_NAME,$INPUT_SERVICE_NAME$)
| eval CREATION_TIME_HKT=strftime(strptime(CREATION_TIME, "%Y-%m-%d %H:%M:%S.%N") + 28800, "%Y-%m-%d %H:%M:%S.%N")
| table UUID SERVER_ID APPLICATION_NAME MODULE_NAME SERVICE_NAME USER_ID CLIENT_ID ELAPSED_TIME IS_INTERRUPTED CREATION_TIME_HKT
| rename CREATION_TIME_HKT AS "CREATION_TIME(HKT)"
This one compares the data between two periods. The $COMPARISON_TIME_RANGE$ token holds two offsets in seconds separated by "#": the first is how far back the current period starts, the second is how far back the previous period ends.
index="artraw" sourcetype="artraw-csv" earliest=-3w
| where isnotnull(ELAPSED_TIME)
| where APPLICATION_NAME=if($APPLICATION_NAME$=="*",APPLICATION_NAME,$APPLICATION_NAME$)
| where MODULE_NAME=if($MODULE_NAME$=="*",MODULE_NAME,$MODULE_NAME$)
| where SERVICE_NAME=if("$SERVICE_NAME$"=="*",SERVICE_NAME,"$SERVICE_NAME$")
| eval CREATION_TIME=strptime(CREATION_TIME, "%Y-%m-%d %H:%M:%S.%N") + 28800
| eval CREATION_TIME_CURR_START=mvindex(split("$COMPARISON_TIME_RANGE$","#"),0)
| eval CREATION_TIME_PREV_END=mvindex(split("$COMPARISON_TIME_RANGE$","#"),1)
| stats count(eval(if(CREATION_TIME > now() - tonumber(CREATION_TIME_CURR_START),1,null()))) AS "CURRENT_TOTAL_TRANSATION",
        avg(eval(if(CREATION_TIME > now() - tonumber(CREATION_TIME_CURR_START),ELAPSED_TIME,null()))) AS "CURRENT_AVERAGE_RESPONSE_TIME",
        count(eval(if(CREATION_TIME < now() - tonumber(CREATION_TIME_CURR_START) AND CREATION_TIME > now() - tonumber(CREATION_TIME_PREV_END),1,null()))) AS "PERVIOUS_TOTAL_TRANSATION",
        avg(eval(if(CREATION_TIME < now() - tonumber(CREATION_TIME_CURR_START) AND CREATION_TIME > now() - tonumber(CREATION_TIME_PREV_END),ELAPSED_TIME,null()))) AS "PERVIOUS_AVERAGE_RESPONSE_TIME"
    BY APPLICATION_NAME,MODULE_NAME,SERVICE_NAME
| table APPLICATION_NAME,MODULE_NAME,SERVICE_NAME,CURRENT_TOTAL_TRANSATION,CURRENT_AVERAGE_RESPONSE_TIME,PERVIOUS_TOTAL_TRANSATION,PERVIOUS_AVERAGE_RESPONSE_TIME
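As an added example that is not part of the original page, the search below does the same current-versus-previous comparison using the event timestamp _time and relative_time() instead of re-parsing CREATION_TIME and splitting a dashboard token, and it compares the last full calendar week with the week before it. It assumes the artraw-csv data was ingested with _time taken from CREATION_TIME under a correctly configured time zone, so no fixed 28800-second offset is needed; the field names are the ones used on this page, and the percentage-change column is an addition.

```spl
index="artraw" sourcetype="artraw-csv" earliest=-2w@w latest=@w
| where isnotnull(ELAPSED_TIME)
| eval cur_start=relative_time(now(), "-1w@w")
| eval in_current=if(_time >= cur_start, 1, 0)
| stats count(eval(in_current=1)) AS current_total,
        avg(eval(if(in_current=1, ELAPSED_TIME, null()))) AS current_avg,
        count(eval(in_current=0)) AS previous_total,
        avg(eval(if(in_current=0, ELAPSED_TIME, null()))) AS previous_avg
    BY APPLICATION_NAME, MODULE_NAME, SERVICE_NAME
| where current_total > 0 AND previous_total > 0
| eval current_avg=round(current_avg, 3), previous_avg=round(previous_avg, 3)
| eval avg_change_pct=round((current_avg - previous_avg) / previous_avg * 100, 1)
| sort - avg_change_pct
```

The earliest/latest bounds restrict the search to exactly two whole weeks, so each bucket is a full week rather than a window that moves with the time the dashboard is opened; @w snaps to Sunday 00:00, so use @w1 if your reporting week starts on Monday. Every row is classified once by the eval and both aggregates come out of a single stats pass, which is the same one-stream technique the page uses above. Sorting by avg_change_pct puts the services whose response time degraded most at the top, which is the usual starting point when triaging a regression; if _time cannot be trusted for this sourcetype, keep the original CREATION_TIME-based version instead.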