標籤:splunk大資料日誌分析系統遠程擷取日誌資料 轉寄站
1. Splunk接收器開啟
在Splunk伺服器安裝目錄,執行./splunk enable listen 9997 –auth<username>:<password>
Username預設為splunk web登陸使用者名稱
Password預設為splunk web登陸密碼
./splunk enable listen 9997 –auth admin:changme
2. Splunk轉寄站安裝(Linux下安裝,Windows的直接下一步)
http://www.splunk.com/download/universalforwarder下載對應版本的轉寄站
rpm –ivh splunkforwarder-6.1.3-220630-linux-2.6-x86_64.rpm
cd /opt/splunkforwarder/bin
#啟動splunk
./splunk start
#自啟動splunk
./splunk enable boot-start
#確認轉寄站已經串連到接收器
./splunk add forward-server 192.168.160.98:9997
#查看可用splunk接收器列表
./splunk list forward-server
#讓轉寄站收集/var/log/varnish日誌
./splunk add monitor /var/log/varnish
#指定固定索引收集日誌,需在splunk伺服器上事先建立好索引varnish
./splunk add monitor /var/log/varnish –index varnish
#這樣做完基本ok了,但是在提取欄位的時候異常麻煩,所以我們要指定下sourcetype的固定名稱,方便搜尋
cd /opt/splunkforwarder/etc/apps/search/local
vim inputs.conf
sourcetype=varnish
/opt/splunkforwarder/bin/splunk restart
3. Splunk語句搜尋
#如果用的是自訂索引,搜尋時要指定index
index="varnish" sourcetype="varnish"
OK,接下來可以針對sourcetype=”varnish”的提取欄位了。
splunk的conf檔案具體可參考:http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf
本文出自 “Linux營運” 部落格,請務必保留此出處http://utrace.blog.51cto.com/2213120/1548265
Splunk大資料日誌分析系統遠程擷取日誌資料
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
