Basic Commands for splunk(基本命令)

1.搜索请求的数据

Task 1: Search for the requested data.

导航到Search视图。(如果你在主应用程序中，从屏幕左侧的列中单击Search & Reporting。你也可以通过点击屏幕顶部栏上的搜索菜单选项来访问搜索视图。)

Navigate to the Search view. (If you are in the Home app, click Search & Reporting from the column on the left side of the screen. You can also access the Search view by clicking the Search menu option on the bar at the top of the screen.)

Enter a search that returns all web application events that include a purchase action with a web status of 200.

Results Example:

Select the file field in the Interesting Fields list.

Results Example:

Notice that there are two different files that were returned from the web server. They are: error.do and success.do. Our web development team informs us that the success.do is served when the order is processed and error.do is served when there is an error with the information being processed.

The team is only looking for successful purchases, so change your search to only return those.

 so we can chick the success.do to achieve it...

Results Example:

You will see fields that do not matter to the team. Use the fields command to only return the action, JSESSIONID and status fields. Does your search run faster using the command?

您将看到与团队无关的字段。使用fields命令只返回操作、JSESSIONID和状态字段。您的搜索是否使用命令运行得更快?

The fields list looks cleaner, but seeing the events like this might still be confusing for the team.

字段列表看起来更干净，但是看到这样的事件对团队来说仍然很混乱。

Task 2: Put the data into an easy to read table.

Replace the fields command with the table command to display the data as a table.

Results Example:

index="main" sourcetype=access_combined_wcookie action=purchase status=200 file="success.do"
| table action,JSESSIONID,status

Change the order of the fields so that JSESSIONID is the first column.

Results Example:

Session IDs are called "UserSessions" in the marketing data. Rename JSESSIONID so that your report matches the marketing data.

Results Example:

index="main" sourcetype=access_combined_wcookie action=purchase status=200 file="success.do"
| table JSESSIONID,action,status
|rename JSESSIONID as UserSessions

Sort UserSessions using the sort command.

Results Example:

index="main" sourcetype=access_combined_wcookie action=purchase status=200 file="success.do"
| table JSESSIONID,action,status
|rename JSESSIONID as UserSessions
| sort UserSessions

Notice that some UserSessions values show up multiple times. Also notice the number of events returned on the Statistics tab.
Remove the sort command and use dedup to remove any identical session values.

Results Example:

How many events are now listed on the Statistics tab?

NOTE: As a best practice and for best performance, place dedup as early in the search as possible.

注意:作为最佳实践和最佳性能，在搜索中尽早放置dedup。

While having action and status fields displayed was nice for a sanity check of the data, the marketing team will not need to have these displayed. Remove them from your table display.

虽然显示动作和状态字段对于数据的完整性检查来说很好，但营销团队不需要显示这些字段。从表显示中删除它们。

Results Example: