Splunk Tutorial

Splunk - Schedules and Alerts

Scheduling is the process of setting up a trigger to run the report automatically without the user’s intervention. Below are the uses of scheduling a report −

  1. By running the same report at different intervals: monthly, weekly or daily, we can get results for that specific period.

  2. Improved performance of the dashboard as the reports finish running in the background before the dashboard is opened by the users.

  3. Sending of reports automatically via email after it finishes running.

Creating a Schedule

A schedule is created by editing the report’s schedule feature. We go to the Edit Schedule option on the Edit button as shown in the image below.

schedule alert 1

On clicking the edit schedule button, we get the next screen which lays out all the options for creating the schedule.

In the below example, we take all the default options and the report is scheduled to run every week on Monday at 6 AM.

schedule alert 2

Important Features of Scheduling

The following are the important features of scheduling −

  1. Time Range − It indicates the time range from which the report must fetch the data. It can be last 15 minutes, last 4 hours or last week etc.

  2. Schedule Priority − If more than one report is scheduled at the same time then this will determine the priority of a specific report.

  3. Schedule Window − When there are multiple report schedules with the same priority, we can choose a time window within which the report is allowed to run at any time. If it is 5 minutes, then the report will run within 5 minutes of its scheduled time. This helps the performance of the scheduled reports by spreading out their run times.

Schedule Actions

The schedule actions are meant to take some steps after the report is run. For example, you may want to send an email stating the run status of the report, or run another script. Such actions are set up by clicking on the Add Actions button as shown below −

schedule alert 3

Alerts

Splunk alerts are actions which get triggered when a specific, user-defined criterion is met. The goal of an alert can be logging an action, sending an email or writing a result to a lookup file, etc.

Creating an Alert

You create an alert by running a search query and saving its result as an alert. In the below screenshot, we take the search for the day-wise file count and save the result as an alert by choosing the Save As option.

schedule alert 4

In the next screenshot, we configure the alert properties. The below image shows the configuration screen −

schedule alert 5

The purpose and choices of each of these options are explained below −

  1. Title − It is the name of the alert.

  2. Description − It is the detailed description of what the alert does.

  3. Permission − Its value decides who can access, run or edit the alert. If declared private, then only the creator of the alert has all the permissions. To be accessed by others, the option should be changed to Shared in App. In this case everyone has read access, but only power users have edit access to the alert.

  4. Alert Type − A scheduled alert runs at a pre-defined interval whose run time is defined by the day and time chosen from the drop-downs. The other option, a real-time alert, causes the search to run continuously in the background; whenever the condition is met, the alert action is executed.

  5. Trigger Condition − The trigger condition checks for the criteria mentioned in the trigger and sets off the alert only when the alert criteria are met. You can define the number of results, number of sources or number of hosts in the search result that triggers the alert. If it is set to Once, it will execute only once when the result condition is met, but if it is set to For each Result, then it will run for every row in the result set where the trigger condition is met.

  6. Trigger Actions − The trigger actions can give a desired output or send an email when the trigger condition is met. The below image shows some of the important trigger actions available in Splunk.

schedule alert 6
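The scheduling features (time range, priority, schedule window, email action) and the alert options (trigger condition, Once vs. For each Result, trigger actions) described above all map onto keys in savedsearches.conf, which is what Splunk writes when you click Save in the UI. The following stanzas are an added, constructed example and not part of the tutorial; the index, sourcetype, search strings and email addresses are placeholders.

```ini
# savedsearches.conf (constructed example, not from the tutorial)
# Typically placed under $SPLUNK_HOME/etc/apps/<app>/local/

[Weekly file count report]
search = index=main sourcetype=access_combined | timechart span=1d count
# Time Range: the data window the report fetches (here: the previous 7 days)
dispatch.earliest_time = -7d@d
dispatch.latest_time = @d
# Schedule: every Monday at 06:00 (cron fields: min hour day-of-month month day-of-week)
enableSched = 1
cron_schedule = 0 6 * * 1
# Schedule Priority: default | higher | highest
schedule_priority = default
# Schedule Window: may run at any time within 5 minutes of the scheduled slot
schedule_window = 5
# Schedule Action: email the finished results
action.email = 1
action.email.to = soc-reports@example.com
action.email.subject = Weekly file count report
action.email.sendresults = 1

[Failed logins per host alert]
search = index=main sourcetype=linux_secure "Failed password" | stats count by host
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Scheduled alert type: runs every 15 minutes
enableSched = 1
cron_schedule = */15 * * * *
# Trigger Condition: number of results greater than 0
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# For each Result (0) rather than Once (1): one action per host row
alert.digest_mode = 0
# Trigger Actions: list in Triggered Alerts and send an email per host
alert.track = 1
alert.severity = 4
action.email = 1
action.email.to = soc@example.com
action.email.subject = Failed logins on $result.host$
# Throttle repeat firings for the same host for one hour
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 1h
```

After editing the file, restart Splunk or reload the app so the new stanzas appear under Settings > Searches, reports, and alerts.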