After changing jobs to a new company, the first task my manager gave me was to watch the Splunk training videos on the official website; here are some notes.
Splunk official website sign-up URL: https://www.splunk.com/page/sign_up
1. lab3
1.1 Download the installation package directly from the official website and unpack it under the /opt directory.
1.2 Start Splunk: change to the bin directory under the splunk directory and run sudo ./splunk start --accept-license.
2. lab4 - Ingesting data
2.1 Download the file: http://splk.it/f1data
2.2 Then upload the three files acc, db_audit and linux.
3. lab5 - Searching
3.1 Search: error OR fail*
3.2 Search: fail* AND password "port 22"
3.3 In the Job menu, change the read and write permissions to Everyone and the lifetime to 7 days.
4. lab6 - Using fields in searches
4.1 Search: index=main sourcetype=access_combined_wcookie action=purchase, with the time range set to All time
5. lab8 - Basic commands
5.1 Search: host=web_application action=purchase status=200
5.2 Search: host=web_application action=purchase status=200 file=success.do
5.3 Search: host=web_application action=purchase status=200 file=success.do
| fields action,JSESSIONID,status
5.4 Search: host=web_application action=purchase status=200 file=success.do
| table JSESSIONID,action,status
5.5 Search: host=web_application action=purchase status=200 file=success.do
| table JSESSIONID,action,status
| rename JSESSIONID AS "user sessions"
5.6 Search: host=web_application action=purchase status=200 file=success.do
| table JSESSIONID,action,status
| rename JSESSIONID AS "user sessions"
| sort "user sessions"
5.7 Search: host=web_application action=purchase status=200 file=success.do
| table JSESSIONID action status
| rename JSESSIONID AS "user sessions"
| dedup "user sessions"
5.8 Search: host=web_application action=purchase status=200 file=success.do
| table JSESSIONID
| rename JSESSIONID AS "user sessions"
| dedup "user sessions"
5.9 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200
5.10 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
5.11 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
| fields action JSESSIONID status
5.12 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
| table action JSESSIONID status
5.13 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
| table JSESSIONID, action, status
5.14 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
| table JSESSIONID, action, status
| rename JSESSIONID as UserSessions
5.15 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
| table JSESSIONID, action, status
| rename JSESSIONID as UserSessions
| sort UserSessions
5.16 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
| dedup JSESSIONID
| table JSESSIONID, action, status
| rename JSESSIONID as UserSessions
5.17 Search: index=main sourcetype=access_combined_wcookie action=purchase status=200 file=success.do
| dedup JSESSIONID
| table JSESSIONID
| rename JSESSIONID as UserSessions
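To make the semantics of the lab 8 pipeline concrete, here is an added Python emulation (not Splunk code and not part of the original notes) of the final search, action=purchase status=200 file=success.do | dedup JSESSIONID | table JSESSIONID | rename JSESSIONID as UserSessions, run over a few constructed access_combined_wcookie-style lines. The log lines, the regex and the assumption that action and JSESSIONID live in the request query string are mine; the field extraction is a simplified stand-in for what Splunk does at search time.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample events in access_combined_wcookie style (Apache combined
# log with a trailing cookie field). Not taken from the Splunk tutorial data.
SAMPLE_LOG = """\
10.1.1.5 - - [10/Oct/2023:13:55:36 -0700] "GET /success.do?action=purchase&JSESSIONID=SD5SL7FF7ADFF53101 HTTP/1.1" 200 2423 "http://www.example.com/cart.do" "Mozilla/5.0" "JSESSIONID=SD5SL7FF7ADFF53101"
10.1.1.6 - - [10/Oct/2023:13:55:40 -0700] "GET /cart.do?action=addtocart&JSESSIONID=SD5SL9FF3ADFF53103 HTTP/1.1" 200 1201 "-" "Mozilla/5.0" "JSESSIONID=SD5SL9FF3ADFF53103"
10.1.1.5 - - [10/Oct/2023:13:56:02 -0700] "GET /success.do?action=purchase&JSESSIONID=SD5SL7FF7ADFF53101 HTTP/1.1" 200 2423 "-" "Mozilla/5.0" "JSESSIONID=SD5SL7FF7ADFF53101"
10.1.1.7 - - [10/Oct/2023:13:56:10 -0700] "GET /success.do?action=purchase&JSESSIONID=SD5SL9FF1ADFF53104 HTTP/1.1" 503 0 "-" "Mozilla/5.0" "JSESSIONID=SD5SL9FF1ADFF53104"
10.1.1.8 - - [10/Oct/2023:13:56:15 -0700] "GET /success.do?action=purchase&JSESSIONID=SD5SL1FF4ADFF53109 HTTP/1.1" 200 2423 "-" "Mozilla/5.0" "JSESSIONID=SD5SL1FF4ADFF53109"
"""

# Hypothetical simplified parser for the combined+cookie layout above.
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

def parse_event(line):
    """Extract the fields the lab searches use: status, file, action, JSESSIONID."""
    m = LINE_RE.match(line)
    if not m:
        return None                      # unparsable line: no fields extracted
    ev = {"clientip": m["clientip"], "status": m["status"]}
    parts = urlsplit(m["uri"])
    ev["file"] = parts.path.rsplit("/", 1)[-1]   # last path segment, e.g. success.do
    query = parse_qs(parts.query)
    for key in ("action", "JSESSIONID"):         # assumed to be query-string parameters
        if key in query:
            ev[key] = query[key][0]
    return ev

def lab8_final_search(log_text):
    """action=purchase status=200 file=success.do | dedup JSESSIONID
    | table JSESSIONID | rename JSESSIONID as UserSessions"""
    rows, seen = [], set()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if (not ev or ev.get("action") != "purchase"
                or ev["status"] != "200" or ev["file"] != "success.do"):
            continue                     # the search terms filter these events out
        sid = ev.get("JSESSIONID")
        if sid is None or sid in seen:   # dedup keeps the first event per session
            continue                     # (Splunk orders results newest first; here file order)
        seen.add(sid)
        rows.append({"UserSessions": sid})   # table JSESSIONID, then rename
    return rows
```

Run with lab8_final_search(SAMPLE_LOG): two sessions survive, the repeated purchase by session ...53101 is collapsed, and the cart.do and 503 events never reach dedup.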
6. lab9 - Transforming commands
6.1 Search: index=main sourcetype=access_combined_wcookie file=success.do
6.2