Splunk 简明教程
Splunk - Basic Search
Splunk 具有强大的搜索功能,使您能够搜索已摄取的整个数据集。通过命名为 Search & Reporting 的应用程序访问此功能,在登录到 Web 界面后,可以在左侧栏中看到此应用程序。
Splunk has a robust search functionality which enables you to search the entire data set that is ingested. This feature is accessed through the app named as Search & Reporting which can be seen in the left side bar after logging in to the web interface.
单击 search & Reporting 应用程序后,我们将看到一个搜索框,我们可以在其中开始搜索我们在上一章中上传的日志数据。
On clicking on the search & Reporting app, we are presented with a search box, where we can start our search on the log data that we uploaded in the previous chapter.
我们以如下所示的格式输入主机名,然后单击最右侧的搜索图标。这将显示突出显示搜索词组的结果。
We type the host name in the format as shown below and click on the search icon present in the right most corner. This gives us the result highlighting the search term.
Combining Search Terms
我们可以一个接一个地编写用于搜索的词组,将它们组合起来,但将用户搜索字符串放在双引号中。
We can combine the terms used for searching by writing them one after another but putting the user search strings under double quotes.
Using Wild Card
我们可以在搜索选项中使用与 AND/OR 运算符结合使用的通配符。在下面的搜索中,我们得到了一个结果,其中日志文件包含 fail、failed、failure 等词组,以及同一行中的密码词组。
We can use wild cards in our search option combined with the AND/OR operators. In the below search, we get the result where the log file has the terms containing fail, failed, failure, etc., along with the term password in the same line.
Refining Search Results
我们可以通过选择一个字符串并将其添加到搜索中,进一步优化搜索结果。在下面的示例中,我们单击字符串 3351 并选择选项 Add to Search 。
We can further refine the search result by selecting a string and adding it to the search. In the below example, we click over the string 3351 and select the option Add to Search.
在 3351 被添加到搜索词组后,我们得到了下面的结果,其中仅显示日志中包含 3351 的行。另外,请注意,随着我们优化搜索,搜索结果的时间线也有所变化。
After 3351 is added to the search term, we get the below result which shows only those lines from the log containing 3351 in them. Also mark how the time line of the search result has changed as we have refined the search.
