Splunk Tutorial
Splunk - Overview
Splunk is software that processes machine data and other forms of big data and extracts insight from it. Machine data is generated by the CPUs of web servers, IoT devices, mobile application logs and similar sources. It is not normally shown to end users and carries no business meaning on its own, but it is essential for understanding, monitoring and optimizing the performance of the machines that produce it.
Splunk can read such unstructured, semi-structured or lightly structured data. Once the data has been read, it can be searched, tagged, and used to build reports and dashboards. With the advent of big data, Splunk can also ingest large volumes of data from many sources, whether or not it is machine data, and run analytics on it.
So, from a simple log-analysis tool, Splunk has grown into a general analytics platform for unstructured machine data and various forms of big data.
Product Categories
Splunk is available in three product categories:
- Splunk Enterprise − Used by companies with a large IT infrastructure and IT-driven business. It helps gather and analyse data from websites, applications, devices, sensors, etc.
- Splunk Cloud − The cloud-hosted platform with the same features as the Enterprise version. It can be obtained from Splunk directly or through the AWS cloud platform.
- Splunk Light − Allows searching, reporting and alerting on all log data in real time from one place. It has limited functionality and features compared to the other two versions.
Splunk Features
In this section, we discuss the important features of the Enterprise edition:
Data Ingestion
Splunk can ingest a variety of data formats, such as JSON, XML and unstructured machine data like web and application logs. Unstructured data can be modeled into a structured form (named fields) as the user needs.
Data Indexing
Ingested data is indexed by Splunk so that it can be searched and queried quickly under different conditions.
Data Searching
Searching in Splunk uses the indexed data to create metrics, predict future trends and identify patterns in the data.
Using Alerts
Splunk alerts can trigger emails or RSS feeds when specific criteria are met in the data being analyzed.
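As an added illustration, and not code from Splunk or from the original tutorial, the following Python models the chain described in the Data Ingestion, Data Searching and Using Alerts sections over a handful of constructed access-log lines: raw lines become events with extracted fields, the events are indexed, searches resolve through the index and produce a count metric, and an alert rule decides whether to fire. The extraction regex, the field names, the index and the "two failed logins from one client" threshold are assumptions made for this example; real Splunk performs the equivalent with its own search-time field extractions and search language.

```python
import re
from collections import defaultdict

# Constructed sample input (not real traffic): five Apache/nginx-style access log lines
# plus one line that does not fit the format, to show that ingestion keeps it rather than dropping it.
RAW_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
10.0.0.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.9 - - [10/Oct/2023:13:55:39 +0000] "GET /api/orders HTTP/1.1" 500 87
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /api/orders HTTP/1.1" 500 87
kernel: oops, this line has no access-log structure at all
"""

# Assumed extraction pattern for the example; Splunk does the equivalent with its own
# search-time field extractions. Named groups become the event's fields.
ACCESS_RE = re.compile(
    r'(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def ingest(raw_text):
    """Data ingestion: turn each raw line into an event dict.

    Lines that match the pattern get extracted fields; lines that do not are kept
    as raw-only events, so nothing is silently lost at ingest time.
    """
    events = []
    for line in raw_text.splitlines():
        match = ACCESS_RE.match(line)
        event = match.groupdict() if match else {}
        event["_raw"] = line
        events.append(event)
    return events


def build_index(events):
    """Data indexing: inverted index from (field, value) to the ids of events carrying it,
    so a search looks up postings instead of re-reading every raw line."""
    index = defaultdict(set)
    for event_id, event in enumerate(events):
        for field, value in event.items():
            if not field.startswith("_"):  # _raw is stored, not indexed as a field
                index[(field, value)].add(event_id)
    return index


def search(events, index, **criteria):
    """Data searching: AND of exact field=value terms resolved through the index.
    With no criteria, every event matches."""
    matching_ids = None
    for field, value in criteria.items():
        postings = index.get((field, str(value)), set())
        matching_ids = postings if matching_ids is None else matching_ids & postings
    if matching_ids is None:
        matching_ids = set(range(len(events)))
    return [events[i] for i in sorted(matching_ids)]


def count_by(matches, field):
    """Metric: number of matching events per distinct value of `field` (like `stats count by`)."""
    counts = defaultdict(int)
    for event in matches:
        counts[event.get(field, "")] += 1
    return dict(counts)


def alert(counts, threshold):
    """Alerting: return the (value, count) pairs whose count reaches the threshold.
    An empty list means the alert does not fire and no email/RSS action would be taken."""
    return [(value, n) for value, n in sorted(counts.items()) if n >= threshold]


def demo():
    """Run the whole chain: ingest -> index -> two searches -> alert decision."""
    events = ingest(RAW_LOG)
    index = build_index(events)
    server_errors = count_by(search(events, index, status=500), "uri")
    failed_logins = count_by(search(events, index, status=401), "clientip")
    # Hypothetical alert rule: two or more 401s from the same client in the window.
    brute_force = alert(failed_logins, threshold=2)
    return {
        "events": len(events),
        "unparsed": sum(1 for e in events if len(e) == 1),
        "server_errors_by_uri": server_errors,
        "failed_logins_by_clientip": failed_logins,
        "alert_fired": brute_force,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In Splunk's own search language the two searches correspond roughly to `index=web status=500 | stats count by uri` and `index=web status=401 | stats count by clientip | where count >= 2`, with the second saved as an alert whose action sends an email; `index=web` is an assumed index name. The raw-only event for the unparsed line is the case to watch in practice: a line that fails extraction still counts toward ingestion but never matches a field search, so an extraction that quietly misses a log format leaves a blind spot that the alert above would not cover.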
Dashboards
Splunk dashboards can show search results as charts, reports, pivots, etc.
Data Model
Indexed data can be modeled into one or more data sets based on specialized domain knowledge. This makes navigation easier for end users who analyze business cases without having to learn the technicalities of Splunk's search processing language.