Splunk Tutorial

Splunk - Search Language


The Splunk Search Processing Language (SPL) is a language made up of many commands, functions, arguments and so on, which are combined to get the desired results from a dataset. For example, when a search term returns a result set, you may want to filter it further for more specific terms. To do this, you add further commands to the existing search. Learning how SPL is used is what makes this possible.

Components of SPL


The SPL has the following components.

  1. Search Terms − The keywords or phrases you are looking for.

  2. Commands − The action you want to take on the result set, such as formatting the results or counting them.

  3. Functions − The computations you apply to the results, such as sum or average.

  4. Clauses − How to group the results or rename the fields in the result set.


Let us discuss each of the components, with the help of images, in the section below −

Search Terms


These are the terms you enter in the search bar to retrieve the specific records from the dataset that meet the search criteria. In the example below, we search for records that contain the two highlighted terms.


Commands


You can use the many built-in commands that SPL provides to simplify the analysis of the data in the result set. In the example below we use the head command to keep only the top 3 results of a search.


Functions


Along with commands, Splunk also provides many built-in functions that take a field being analysed as input and return the output after applying a calculation to that field. In the example below, we use the `stats avg()` function, which calculates the average value of the numeric field given as input.


Clauses


When we want results grouped by a specific field, or want to rename a field in the output, we use the group by clause and the as clause respectively. In the example below, we get the average number of bytes for each file present in the web_application log. As you can see, the result shows the name of each file together with the average bytes for that file.

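To show how the four components fit together as one pipeline, here is an added example (not Splunk code and not from the original tutorial) that evaluates a tiny subset of SPL, search terms, `head`, `stats avg()` with `as` and `by`, over a constructed web_application-style access log; the field names, log format and file names are assumptions for the example.

```python
"""Mini SPL evaluator: search terms | head N | stats avg(field) as name by field."""
import re
from collections import defaultdict

# Constructed sample events in a hypothetical web_application access-log format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /index.html HTTP/1.1" 200 5120
10.0.0.6 - - [01/Jan/2024:10:00:02] "GET /login.php HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2024:10:00:03] "GET /index.html HTTP/1.1" 200 3072
10.0.0.7 - - [01/Jan/2024:10:00:04] "GET /admin.php HTTP/1.1" 404 512
10.0.0.8 - - [01/Jan/2024:10:00:05] "POST /login.php HTTP/1.1" 200 4096
"""

# Field extraction for the assumed format: clientip, method, file, status, bytes.
LINE_RE = re.compile(r'(?P<clientip>\S+) .* "(?P<method>\w+) (?P<file>\S+) [^"]*" '
                     r'(?P<status>\d+) (?P<bytes>\d+)')

def parse_events(raw):
    """Turn each raw log line into a dict of fields, keeping the raw text as _raw."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(dict(m.groupdict(), _raw=line))
    return events

def search(events, *terms):
    """Search terms: keep only events whose raw text contains every term (implicit AND)."""
    return [e for e in events if all(t in e["_raw"] for t in terms)]

def head(events, n):
    """Command: keep the first n events of the result set (like `| head n`)."""
    return events[:n]

def stats_avg(events, field, by, as_name):
    """Function + clauses: `| stats avg(field) as as_name by by`."""
    groups = defaultdict(list)
    for e in events:
        groups[e[by]].append(int(e[field]))
    return [{by: k, as_name: sum(v) / len(v)} for k, v in sorted(groups.items())]

def run_pipeline():
    """Equivalent of the SPL search:  GET 200 | stats avg(bytes) as avg_bytes by file"""
    events = parse_events(SAMPLE_LOG)
    return stats_avg(search(events, "GET", "200"), "bytes", by="file", as_name="avg_bytes")

if __name__ == "__main__":
    for row in run_pipeline():
        print(row)
```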