Splunk Tutorial

Splunk - Managing Indexes

Indexing is a mechanism that speeds up searching by giving each piece of stored data an address that can be looked up directly instead of scanning everything. Splunk indexing is similar to the concept of an index in a database. A Splunk installation creates several default indexes; the three you will meet first are as follows.

  1. main − Splunk's default index, where processed data is stored unless an input names a different index.

  2. _internal − The index where Splunk's own internal logs and processing metrics are stored.

  3. _audit − The index that holds events from the file system change monitor, audit events, and the search history of every user.

The Splunk indexer creates and maintains the indexes. When you add data to Splunk, the indexer processes it into events and stores them in a designated index: by default the main index, or the one you name in the data input.

Checking Indexes

We can look at the existing indexes by going to Settings → Indexes after logging in to Splunk. The image below shows the option.

[Image: indexes 1]

Clicking Indexes opens the list of indexes that Splunk maintains for the data it has already captured. The image below shows such a list.

[Image: indexes 2]

Creating a New Index

We can create a new index, with a maximum size of our choosing, for data that is to be stored in Splunk. Incoming data can then be routed to this index instead of main, which keeps it separate and lets a search target it directly (index=<name>) rather than scanning everything in main. Because Splunk grants search permissions and applies retention per index, a dedicated index is also how you control who can read a data set and how long it is kept, so data with different sensitivity or retention needs should not share main. The steps to create an index are Settings → Indexes → New Index. The screen below appears, where we enter the index name, its storage paths and its maximum size, etc.

[Image: indexes 3]

Indexing the Events

After creating the index above, we configure a data input so that its events are indexed there. Go to Settings → Data Inputs → Files & Directories, choose the file (or directory) whose events should go to the new index, and set the Index field of that input to it. As you can see in the image below, the index named index_web_app has been assigned to this particular file. Check the spelling against Settings → Indexes: an input that names an index which does not exist sends nothing searchable, because the indexer discards those events.

[Image: indexes 4]
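The same two steps, creating an index and routing a file input to it, end up as stanzas in indexes.conf and inputs.conf. The following is an added example, not code from the tutorial or from Splunk: it parses constructed fragments of both files and checks that every monitor input points at an index that is actually defined (or is one of the defaults), and flags inputs that silently fall back to main. The index name index_web_app, the paths, sizes and sourcetypes are assumptions made up for the demo.

```python
"""Check that Splunk monitor inputs are routed to indexes that exist.

Added example for the tutorial, not part of Splunk itself. The two conf
fragments below are constructed for the demo; all names are hypothetical.
"""
import configparser

# Indexes present after installation (the tutorial names these three).
DEFAULT_INDEXES = {"main", "_internal", "_audit"}

# Constructed indexes.conf: what Settings -> Indexes -> New Index writes.
INDEXES_CONF = """
[index_web_app]
homePath   = $SPLUNK_DB/index_web_app/db
coldPath   = $SPLUNK_DB/index_web_app/colddb
thawedPath = $SPLUNK_DB/index_web_app/thaweddb
maxTotalDataSizeMB = 51200
frozenTimePeriodInSecs = 7776000
"""

# Constructed inputs.conf: what Settings -> Data Inputs -> Files & Directories
# writes. The second stanza has a typo in the index name; the third sets none.
INPUTS_CONF = """
[monitor:///var/log/web_app/access.log]
index = index_web_app
sourcetype = access_combined

[monitor:///var/log/web_app/error.log]
index = index_webapp
sourcetype = web_error

[monitor:///var/log/auth.log]
sourcetype = linux_secure
"""


def parse_conf(text):
    """Parse a Splunk .conf file into {stanza: {key: value}}.

    Splunk conf files are INI-like; stanza names may contain ':' and '/'
    and keys are case-sensitive, so the default key folding is disabled.
    """
    parser = configparser.RawConfigParser(strict=False, interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return {s: dict(parser.items(s)) for s in parser.sections()}


def defined_indexes(indexes_conf):
    """Index names defined in indexes.conf plus the built-in defaults.

    [default] and [volume:...] stanzas are settings, not indexes.
    """
    names = {s for s in parse_conf(indexes_conf)
             if s != "default" and not s.startswith("volume:")}
    return names | DEFAULT_INDEXES


def check_inputs(inputs_conf, indexes_conf):
    """Return (stanza, index, finding) for every monitor input.

    Findings: 'ok'; 'undefined index' (the indexer drops such events, so the
    data never becomes searchable); 'defaulting to main' (no index set, so the
    data lands in the shared default index and inherits its access control
    and retention).
    """
    known = defined_indexes(indexes_conf)
    findings = []
    for stanza, keys in parse_conf(inputs_conf).items():
        if not stanza.startswith("monitor://"):
            continue
        target = keys.get("index")
        if target is None:
            findings.append((stanza, "main", "defaulting to main"))
        elif target not in known:
            findings.append((stanza, target, "undefined index"))
        else:
            findings.append((stanza, target, "ok"))
    return findings


if __name__ == "__main__":
    for stanza, idx, finding in check_inputs(INPUTS_CONF, INDEXES_CONF):
        print(f"{finding:20} {idx:16} {stanza}")
```

Run it before restarting Splunk after editing inputs.conf by hand: the two failure modes it reports are the ones that do not show up as an error in Splunk Web, and both leave a security team without the events it expects to search.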