Implementing Splunk 7(Third Edition)
上QQ阅读APP看书,第一时间看更新
上一章目录下一章

Saving searches for reuse

As an example, let's build a search query, save it (as a report), and then make an alert out of it. First, let's find errors that affect mary, one of our most important users. This can simply be the query mary error. Looking at some sample log messages that match this query, we see that some of these events probably don't matter (the dates have been removed to shorten the lines):

ERROR LogoutClass error, ERROR, Error! [user=mary, ip=3.2.4.5] 
WARN AuthClass error, ERROR, Error! [user=mary, ip=1.2.3.3] 
ERROR BarCLass Hello world. [user=mary, ip=4.3.2.1] 
WARN LogoutClass error, ERROR, Error! [user=mary, ip=1.2.3.4] 
DEBUG FooClass error, ERROR, Error! [user=mary, ip=3.2.4.5] 
ERROR AuthClass Nothing happened. This is worthless. Don't log this. 
[user=mary, ip=1.2.3.3]

We can probably skip the DEBUG messages; the LogoutClass messages look harmless and the last message actually says that it's worthless. mary error NOT debug NOT worthless NOT logoutclass limits the results to:

WARN AuthClass error, ERROR, Error! [user=mary, ip=1.2.3.3] 
ERROR BarCLass Hello world. [user=mary, ip=4.3.2.1]

For good measure, let's add the sourcetype field and some parentheses:

sourcetype="impl_splunk_gen" (mary AND error) NOT debug NOT worthless NOT logoutclass

Another way of writing the same thing is as follows:

sourcetype="impl_splunk_gen" mary error NOT (debug OR worthless OR logoutclass)

In order that we don't have to type our query every time, let's go ahead and save it as a report for quick retrieval.

First choose Save As... and then Report.

The Save As Report window appears:

Enter a value for Title, in our case, errors affecting mary. Optionally, we can add a short description of the search. The time range is filled in based on what was selected in the time picker, and we decide to include the Time Range Picker in the saved report. Click on Save:

Once we see the preceding window (Your Report Has Been Created), we click on Permissions and see the Edit Permissions window:

For Display For, let's click on App (rather than the default Owner shown in the preceding screenshot):

Next, we'll check Read for all user roles except power, since we know that certain users in our Splunk environment are members of this group (including our friend mary). Finally, we can click on Save.

The search report is then available under Reports:

Selecting search/report from the menu runs the search using the latest data available.

本周热推:
自动化控制工程设计Excel 2007表格应用百练成精数据存储备份与灾难恢复CorelDRAW X4中文版平面设计50例传感器原理与工程应用
上一章目录下一章