Splunk - CLI commands
Alasta, 11 November 2020 - splunk, splunk admin, cli
Description: here are a few Splunk CLI commands.
List of monitors:
$ splunk list monitor
Monitored Directories:
$SPLUNK_HOME/var/log/introspection
/Applications/Splunk/var/log/introspection/disk_objects.log
/Applications/Splunk/var/log/introspection/http_event_collector_metrics.log
/Applications/Splunk/var/log/introspection/kvstore.log
/Applications/Splunk/var/log/introspection/resource_usage.log
$SPLUNK_HOME/var/log/splunk
/Applications/Splunk/var/log/splunk/audit.log
/Applications/Splunk/var/log/splunk/btool.log
/Applications/Splunk/var/log/splunk/conf.log
/Applications/Splunk/var/log/splunk/dfm_stderr.log
/Applications/Splunk/var/log/splunk/dfm_stdout.log
/Applications/Splunk/var/log/splunk/export_metrics.log
/Applications/Splunk/var/log/splunk/first_install.log
/Applications/Splunk/var/log/splunk/health.log
/Applications/Splunk/var/log/splunk/license_usage.log
/Applications/Splunk/var/log/splunk/metrics.log
/Applications/Splunk/var/log/splunk/mongod.log
/Applications/Splunk/var/log/splunk/remote_searches.log
/Applications/Splunk/var/log/splunk/scheduler.log
/Applications/Splunk/var/log/splunk/search_messages.log
/Applications/Splunk/var/log/splunk/searchhistory.log
/Applications/Splunk/var/log/splunk/splunk_instrumentation.log
/Applications/Splunk/var/log/splunk/splunkd-utility.log
/Applications/Splunk/var/log/splunk/splunkd.log
/Applications/Splunk/var/log/splunk/splunkd_access.log
/Applications/Splunk/var/log/splunk/splunkd_stderr.log
/Applications/Splunk/var/log/splunk/splunkd_stdout.log
/Applications/Splunk/var/log/splunk/splunkd_ui_access.log
/Applications/Splunk/var/log/splunk/web_access.log
/Applications/Splunk/var/log/splunk/web_service.log
/Applications/Splunk/var/log/splunk/wlm_monitor.log
$SPLUNK_HOME/var/log/splunk/license_usage_summary.log
/Applications/Splunk/var/log/splunk/license_usage_summary.log
$SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log*
/Applications/Splunk/var/log/splunk/splunk_instrumentation_cloud.log
$SPLUNK_HOME/var/log/watchdog/watchdog.log*
/Applications/Splunk/var/log/watchdog/watchdog.log
$SPLUNK_HOME/var/run/splunk/search_telemetry/*search_telemetry.json
$SPLUNK_HOME/var/spool/splunk/...stash_new
Monitored Files:
$SPLUNK_HOME/etc/splunk.version
The btool command:
Usage:
$ splunk btool <config-file-prefix> list [--debug]
config-file-prefix: the name of the config file without ".conf" (inputs, indexes, ...).
The "--debug" option shows which file supplies each setting, which is very useful for understanding configuration precedence during analysis.
List the inputs
$ splunk btool inputs list
---SNiP---
t_key:_linebreaker:parsingQueue
[tcp]
_rcvbuf = 1572864
acceptFrom = *
connection_host = dns
host = $decideOnStartup
index = default
[udp]
_rcvbuf = 1572864
connection_host = ip
host = $decideOnStartup
index = default
For a specific input stanza, here tcp:
$ splunk btool inputs list tcp
[tcp]
_rcvbuf = 1572864
acceptFrom = *
connection_host = dns
host = $decideOnStartup
index = default
Debug, to see which file supplies the config:
$ splunk btool inputs list tcp --debug
/Applications/Splunk/etc/system/default/inputs.conf [tcp]
/Applications/Splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/Applications/Splunk/etc/system/default/inputs.conf acceptFrom = *
/Applications/Splunk/etc/system/default/inputs.conf connection_host = dns
/Applications/Splunk/etc/system/default/inputs.conf host = $decideOnStartup
/Applications/Splunk/etc/system/default/inputs.conf index = default
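As an added example (not part of the original post or of Splunk itself), here is a small Python parser for the `btool --debug` output shown above. It records, for every stanza and key, the file that won the precedence resolution, and then lists the settings that do not come from a `default/` file, i.e. the ones an administrator or an app changed. The sample output is constructed: it reuses the tcp/udp stanzas from the page, plus one invented line where a `system/local/inputs.conf` overrides `acceptFrom`, to show what an override looks like in the report.

```python
import re
from collections import OrderedDict

# Constructed sample of `splunk btool inputs list --debug` output.
# Assumption: same "<source file> <setting>" line layout as on the page.
# The system/local acceptFrom line is invented for this demo.
SAMPLE_DEBUG_OUTPUT = """\
/Applications/Splunk/etc/system/default/inputs.conf [tcp]
/Applications/Splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/Applications/Splunk/etc/system/local/inputs.conf   acceptFrom = 10.0.0.0/8
/Applications/Splunk/etc/system/default/inputs.conf connection_host = dns
/Applications/Splunk/etc/system/default/inputs.conf host = $decideOnStartup
/Applications/Splunk/etc/system/default/inputs.conf index = default
/Applications/Splunk/etc/system/default/inputs.conf [udp]
/Applications/Splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/Applications/Splunk/etc/system/default/inputs.conf connection_host = ip
/Applications/Splunk/etc/system/default/inputs.conf host = $decideOnStartup
/Applications/Splunk/etc/system/default/inputs.conf index = default
"""

# First token is the source file path, the rest is a stanza header or "key = value".
LINE_RE = re.compile(r"^(?P<src>\S+)\s+(?P<rest>.+?)\s*$")


def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    result = OrderedDict()
    stanza = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue  # ignore lines that do not follow the debug layout
        src, rest = m.group("src"), m.group("rest")
        if rest.startswith("[") and rest.endswith("]"):
            stanza = rest[1:-1]
            result.setdefault(stanza, OrderedDict())
            continue
        if stanza is None or "=" not in rest:
            continue
        key, value = (s.strip() for s in rest.split("=", 1))
        result[stanza][key] = (value, src)
    return result


def non_default_settings(parsed):
    """List (stanza, key, value, source) for settings not supplied by a */default/ file.

    These are the values worth reviewing in an audit: they were changed from
    the shipped defaults, either in system/local or by an app.
    """
    out = []
    for stanza, keys in parsed.items():
        for key, (value, src) in keys.items():
            if "/default/" not in src:
                out.append((stanza, key, value, src))
    return out


if __name__ == "__main__":
    parsed = parse_btool_debug(SAMPLE_DEBUG_OUTPUT)
    for stanza, key, value, src in non_default_settings(parsed):
        print(f"[{stanza}] {key} = {value}    <- {src}")
```

In practice you would feed it the real output (`splunk btool inputs list --debug > inputs-debug.txt`) instead of the embedded sample; the same parser works for any config prefix (indexes, props, server, ...), since the `--debug` layout is identical.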
App-specific info
Here we created an app named lab-all-indexes that provides an index.
$ splunk btool indexes list --app=lab-all-indexes
[lab_test]
coldPath = $SPLUNK_DB/$_index_name/colddb
homePath = $SPLUNK_DB/$_index_name/db
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
A --user= filter can also be added.
Config check (typos):
$ splunk btool check
Searching from the CLI:
$ splunk search '|tstats count where index=* by index'
index count
-------- ------
lab_test 109864