Splunk Concise Tutorial

Splunk - Field Searching

When Splunk indexes uploaded machine data, it parses each record and breaks it into fields, where each field represents one logical fact about that record. A few fields (host, source, sourcetype and the timestamp) are assigned at index time; most of the rest are extracted automatically at search time, which is why the field list you see depends on the search you run.

For example, a single record may contain the server name, the timestamp of the event and the type of event being logged (a login attempt, an HTTP response, and so on). Even for unstructured data, Splunk tries to split out fields as key=value pairs and to type them by the kind of value they hold (numeric or string).

Continuing with the data uploaded in the previous chapter, we can see the fields extracted from the secure.log file by clicking the show fields link, which opens the screen below. It shows which fields Splunk has generated from this log file.

[Screenshot: field search 1]

Choosing the Fields

We choose which fields are displayed by selecting or unselecting them in the list of all fields. Clicking all fields opens a window listing every field; the ones with a check mark are already selected, and the check boxes toggle which fields are shown.

Besides the field name, the list shows the number of distinct values the field has, its data type, and the percentage of events in which the field is present. That coverage figure is worth checking: a field you expect in every event (a source address in an authentication log, for instance) that sits below 100% usually means some events are formatted differently and were not extracted, and those events will silently drop out of any search that filters on that field.

[Screenshot: field search 2]

Field Summary

Clicking a field name opens detailed statistics for that field: its distinct values, the count of each, and each value's percentage of the events that carry the field.

[Screenshot: field search 3]

Field names can also be typed into the search box together with the value to match, as field=value terms; several terms are combined with an implicit AND, and field names are case-sensitive while values are matched case-insensitively. In the example below, the goal is to find all records from 15 October for the host named mailsecure_log, and the result is restricted to that date.

[Screenshot: field search 4]
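To make the field extraction, field summary and field=value search described on this page concrete, here is a stand-alone Python example added to this tutorial (it is not Splunk code and not part of the original page). It parses a handful of constructed secure.log-style lines into fields the way automatic extraction does (syslog header, explicit patterns for SSH and sudo events, a generic key=value heuristic, numeric typing), builds the per-field summary the screenshots show (coverage, distinct values, counts and percentages), and runs the same kind of host-and-date search as the last screenshot. The hostnames, users and addresses are invented; the eventtype names are chosen for this example; and the date_month/date_mday fields imitate Splunk's default date_* fields but are computed here by the example itself.

```python
import re
from collections import Counter

# Constructed sample in the style of a Linux secure.log; hosts, users and
# addresses are invented for this example.
SAMPLE_SECURE_LOG = """\
Oct 15 08:12:01 mailsecure_log sshd[1021]: Failed password for invalid user admin from 203.0.113.5 port 41122 ssh2
Oct 15 08:12:04 mailsecure_log sshd[1021]: Failed password for invalid user admin from 203.0.113.5 port 41122 ssh2
Oct 15 09:30:17 mailsecure_log sshd[1187]: Accepted password for alice from 192.0.2.10 port 50212 ssh2
Oct 15 09:30:17 mailsecure_log sshd[1187]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Oct 16 02:45:09 mailsecure_log sshd[1302]: Failed password for root from 198.51.100.77 port 33001 ssh2
Oct 16 11:05:55 webfront01 sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/systemctl restart nginx
Oct 16 11:05:55 webfront01 sudo: pam_unix(sudo:session): session opened for user root by bob(uid=1000)
"""

MONTH_NAMES = {"jan": "january", "feb": "february", "mar": "march", "apr": "april",
               "may": "may", "jun": "june", "jul": "july", "aug": "august",
               "sep": "september", "oct": "october", "nov": "november", "dec": "december"}

# Syslog header: "Mon DD HH:MM:SS host process[pid]: message"
SYSLOG_HEADER = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<mday>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<process>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<message>.*)$")

# Explicit extractions for the auth events of interest (eventtype names are this example's own).
AUTH_PATTERNS = [
    ("ssh_login_failed", re.compile(
        r"^Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")),
    ("ssh_login_accepted", re.compile(
        r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")),
    ("sudo_command", re.compile(r"^(?P<user>\S+) : TTY=")),
    ("session_opened", re.compile(r"session opened for user (?P<user>\S+)")),
]
# Generic key=value heuristic, the kind of automatic extraction applied to unstructured text.
KV_PAIR = re.compile(r"(\w+)=([^\s;)]+)")


def parse_event(line):
    """Turn one raw line into a dict of fields; an unparseable line keeps only _raw."""
    event = {"_raw": line}
    m = SYSLOG_HEADER.match(line)
    if m is None:
        return event
    hdr = m.groupdict()
    mon = hdr["mon"].lower()
    event.update(host=hdr["host"], process=hdr["process"],
                 date_month=MONTH_NAMES.get(mon, mon),   # imitates Splunk's date_* fields
                 date_mday=int(hdr["mday"]))
    if hdr["pid"] is not None:
        event["pid"] = int(hdr["pid"])
    message = hdr["message"]
    for eventtype, pattern in AUTH_PATTERNS:
        match = pattern.search(message)
        if match:
            event["eventtype"] = eventtype
            event.update(match.groupdict())
            break
    for key, value in KV_PAIR.findall(message):
        event.setdefault(key, value)            # explicit extractions take precedence
    for key, value in list(event.items()):
        if key != "_raw" and isinstance(value, str) and value.isdigit():
            event[key] = int(value)             # type numeric-looking values as numbers
    return event


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def field_summary(events):
    """Per field: % of events carrying it, distinct values, type, and value counts/percentages."""
    total = len(events)
    summary = {}
    for field in sorted({k for e in events for k in e if k != "_raw"}):
        values = [e[field] for e in events if field in e]
        counts = Counter(values)
        summary[field] = {
            "coverage_pct": round(100.0 * len(values) / total, 1),
            "distinct": len(counts),
            "type": "number" if all(isinstance(v, int) for v in values) else "string",
            "values": [(v, c, round(100.0 * c / len(values), 1)) for v, c in counts.most_common()],
        }
    return summary


def _matches(actual, wanted):
    # Field values match case-insensitively, as in the Splunk search bar; field names do not.
    if isinstance(actual, str) and isinstance(wanted, str):
        return actual.lower() == wanted.lower()
    return actual == wanted


def search(events, **criteria):
    """Equivalent of typing field=value terms into the search box (implicit AND)."""
    return [e for e in events if all(_matches(e.get(k), v) for k, v in criteria.items())]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_SECURE_LOG)
    for name, info in field_summary(evts).items():
        print(f"{name:<12} {info['type']:<6} {info['distinct']:>2} distinct  {info['coverage_pct']:>5}% of events")
    for e in search(evts, host="mailsecure_log", date_month="october", date_mday=15):
        print(e["_raw"])
```

The search at the end is the counterpart of the screenshot's query (host plus the day and month fields). Note what the generic key=value heuristic does on the sudo line: it yields USER=root (the target account) next to the explicitly extracted user=bob (the invoking account). Automatic extractions are convenient for exploring data, but a detection rule should key on fields you have extracted deliberately, otherwise it is easy to alert on the wrong one.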