Notes taken while using Splunk

1. Forwarding syslog from a Splunk HF to a third-party host

outputs.conf

[syslog]
defaultGroup=syslogGroup

[syslog:syslogGroup]
type = udp
server = 10.203.19.22:514

props.conf

# props.conf sourcetype stanzas are bare names; "sourcetype::" is not a valid stanza prefix
[cosmo_syslog]
TRANSFORMS-nyc = splunk_to_syslog

[cosmo_cisco:asa]
TRANSFORMS-nyc = splunk_to_syslog

[cosmo_cisco_asa_anquan]
TRANSFORMS-nyc = splunk_to_syslog

transforms.conf

[splunk_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogGroup

2. Changing the splunkforwarder management port (8089)

1) Check whether the file /opt/splunkforwarder/etc/system/local/web.conf exists

[root@linux_mysql local]# ll /opt/splunkforwarder/etc/system/local/web.conf
-rw-r--r--. 1 root root 52101 Jul  4 00:07 /opt/splunkforwarder/etc/system/local/web.conf
[root@linux_mysql local]# 

If web.conf does not exist, copy web.conf from ../default/ into the local directory:

cd /opt/splunkforwarder/etc/system/local/
cp ../default/web.conf .

2) Edit the web.conf configuration file

Find the mgmtHostPort setting and change it:

#   Version 7.2.5
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# This file contains possible attributes and values you can use to configure Splunk's web interface.
#
[default]

[settings]

# enable/disable the appserver
startwebserver = 1

# port number tag is missing or 0 the server will NOT start an http listener
# this is the port used for both SSL and non-SSL (we only have 1 port now).
httpport = 8000

# this determines whether to start SplunkWeb in http or https.
enableSplunkWebSSL = false

# location of splunkd; don't include http[s]:// in this anymore.
#mgmtHostPort = 127.0.0.1:8089    # default value; this is the setting to change
mgmtHostPort = 127.0.0.1:8099

# list of ports to start python application servers on (although usually
# one port is enough)  Set to 0 to instead run the application server
# directly as the web front end on 'httpport', separate from splunkd.
appServerPorts = 8065

# default timeout, in seconds, when communicating with splunkd
splunkdConnectionTimeout = 30

# enable/disable custom netloc when using http client
enableSplunkWebClientNetloc = False

# SSL certificate files.
privKeyPath = $SPLUNK_HOME/etc/auth/splunkweb/privkey.pem
serverCert = $SPLUNK_HOME/etc/auth/splunkweb/cert.pem


3) Restart the splunkforwarder service

/opt/splunkforwarder/bin/splunk start

4) Check that the port was changed successfully

[root@linux_mysql local]# ps -ef|grep splunk
root       7698      1  0 00:10 ?        00:00:01 splunkd --under-systemd --systemd-delegate=yes -p 8099 _internal_launch_under_systemd
root       7723   7698  0 00:10 ?        00:00:00 [splunkd pid=7698] splunkd --under-systemd --systemd-delegate=yes -p 8099 _internal_launch_under_systemd [process-runner]
root       7949   5126  0 00:28 pts/0    00:00:00 grep --color=auto splunk
[root@linux_mysql local]# 

3. Filtering Prometheus metrics with a Splunk sourcetype

Problem:
After ingesting Prometheus data into Splunk, the data volume turned out to be very large (1560 metric names), while fewer than 100 of them are actually used, so the unneeded metrics need to be filtered out.

Where: configured on the HF and the indexer.

Configuration files:

props.conf

[prometheus_filter]
TIME_FORMAT = %s%3N
TIME_PREFIX = }\s[\d\-\.]+\s
TRANSFORMS-set = setnull,conform
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
pulldown_type = 1
category = Metrics
EXTRACT-metric_name,num1,num2 = ^(?P<metric_name>[^\{]+)[^\}\n]*\}\s+(?P<num1>[^ ]+)\s+(?P<num2>.+)

EXTRACT-metric_name,num1,num2: extracts the metric_name, num1 and num2 fields. TIME_FORMAT and TIME_PREFIX: the timestamp format. TRANSFORMS-set: the filter conditions (setnull first routes every event to nullQueue, then conform routes the allowlisted metrics back to indexQueue; the order matters).

transforms.conf

[conform]
REGEX = container_cpu_load_average_10s|container_cpu_usage_seconds_total|container_fs_limit_bytes|container_fs_usage_bytes|container_memory_cache|container_memory_usage_bytes|container_memory_working_set_bytes|container_network_receive_bytes_total|container_network_transmit_bytes_total|container_spec_memory_limit_bytes|jvm_gc_collection_seconds_count|jvm_gc_collection_seconds_sum|jvm_memory_bytes_used|jvm_memory_pool_bytes_max|jvm_memory_pool_bytes_used|jvm_threads_current|jvm_threads_deadlocked|jvm_threads_peak|kube_pod_container_status_ready|kube_pod_container_status_running|kube_pod_container_status_terminated|kube_pod_container_status_waiting|machine_cpu_cores|machine_memory_bytes|mysql_global_status_aborted_clients|mysql_global_status_commands_total|mysql_global_status_innodb_data_fsyncs|mysql_global_status_innodb_data_reads|mysql_global_status_innodb_data_writes|mysql_global_status_select_full_join|mysql_global_status_select_scan|mysql_global_status_slow_queries|mysql_global_status_sort_scan|mysql_global_status_threads_connected|mysql_global_status_threads_created|nginx_connections_accepted|nginx_connections_active|nginx_connections_handled|nginx_http_requests_total|node_network_info|rabbitmq_channelsTotal|rabbitmq_connectionsTotal|rabbitmq_consumersTotal|rabbitmq_exchangesTotal|rabbitmq_fd_total|rabbitmq_fd_used|rabbitmq_queue_messages_ready_total|rabbitmq_queue_messages_total|rabbitmq_queue_messages_unacknowledged_total|rabbitmq_queuesTotal|rabbitmq_sockets_total|rabbitmq_sockets_used|rabbitmq_up|redis_blocked_clients|redis_commands_processed_total|redis_connected_clients|redis_evicted_keys_total|redis_expired_keys_total|redis_keyspace_hits_total|redis_keyspace_misses_total|redis_memory_used_bytes|zk_max_latency|zk_num_alive_connections|zk_open_file_descriptor_count|zk_outstanding_requests|zk_up|zk_watch_count|zk_znode_count
DEST_KEY = queue
FORMAT = indexQueue

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
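As an added example (not the author's configuration or Splunk's own code), the script below replays the setnull-then-conform routing from the props.conf and transforms.conf above on a few constructed Prometheus exposition lines, using grep -E as a stand-in for Splunk's PCRE. The allowlist is a small constructed subset of the page's REGEX, and an anchored variant shows why the unanchored alternation also admits names such as container_memory_usage_bytes_total.

```shell
#!/bin/sh
# Added example (not the original notes or Splunk code): emulate the
# TRANSFORMS-set = setnull,conform pipeline on constructed Prometheus lines.
set -eu

# [conform] REGEX as written on the page: an unanchored alternation (constructed subset)
CONFORM_REGEX='container_memory_usage_bytes|jvm_threads_current|zk_up'
# Same allowlist anchored to the metric name, so *_total variants no longer slip through
CONFORM_ANCHORED='^(container_memory_usage_bytes|jvm_threads_current|zk_up)[{]'

# route EVENT [REGEX]: print the queue Splunk would assign. Transforms run in
# order and the last match wins: [setnull] REGEX = . sends every event to
# nullQueue, then [conform] re-routes allowlisted events to indexQueue.
route() {
    queue=nullQueue
    if printf '%s\n' "$1" | grep -q -E "${2:-$CONFORM_REGEX}"; then
        queue=indexQueue
    fi
    printf '%s\n' "$queue"
}

# extract EVENT: emulate EXTRACT-metric_name,num1,num2 and print the three
# fields space-separated. num2 is the epoch-millisecond timestamp that
# TIME_PREFIX / TIME_FORMAT = %s%3N would turn into _time.
extract() {
    printf '%s\n' "$1" |
        sed -E 's/^([^{]+)[^}]*[}][[:space:]]+([^ ]+)[[:space:]]+(.+)$/\1 \2 \3/'
}

# Constructed sample lines in the "<name>{labels} <value> <epoch_ms>" shape
SAMPLE_EVENTS='container_memory_usage_bytes{pod="web-1"} 52428800 1597600000000
container_memory_usage_bytes_total{pod="web-1"} 1 1597600000000
go_goroutines{app="api"} 8 1597600000000'

# count_indexed [REGEX]: how many sample lines would reach indexQueue
count_indexed() {
    n=0
    while IFS= read -r line; do
        if [ "$(route "$line" "${1:-$CONFORM_REGEX}")" = indexQueue ]; then
            n=$((n + 1))
        fi
    done <<EOF
$SAMPLE_EVENTS
EOF
    printf '%s\n' "$n"
}
```

With the page's regex two of the three sample lines are indexed (the `_total` variant included); with the anchored regex only the intended one is.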

4. *nix add-on CPU.sh problem

Problem: after the *nix add-on was deployed to Linux systems, no CPU performance data was collected.
The following commands need to be installed on the Linux system:

yum install sysstat    # sar and mpstat are both provided by the sysstat package; there is no separate package for them

5. Cloned forwarders resulting in identical host names

Solution 1:

Delete $SPLUNK_HOME/etc/instance.cfg (it records the guid, which is the client name)
Delete the instance name entry in server.conf and the host name entry in inputs.conf
Restart the forwarder
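The three steps of solution 1 as one script, added here as an example and not part of the original notes. The install directory is passed as the first argument (for example /opt/splunkforwarder), and splunkd is only restarted when RESTART=1 is set, so the file edits can be run on their own.

```shell
#!/bin/sh
# Added example (not from the original notes): reset the identity of a cloned
# forwarder by applying "solution 1" above. $1 is the forwarder install dir.
set -eu

# Remove every "KEY = value" line from FILE, keeping all other lines.
drop_key() {
    key="$1"; file="$2"
    [ -f "$file" ] || return 0
    tmp="$(mktemp)"
    grep -v -E "^${key}[[:space:]]*=" "$file" > "$tmp" || true
    mv "$tmp" "$file"
}

reset_forwarder_identity() {
    home="$1"
    local_dir="$home/etc/system/local"

    # 1) instance.cfg holds the guid the clone shares with its source image;
    #    splunkd generates a fresh one on the next start.
    rm -f "$home/etc/instance.cfg"

    # 2) server.conf: drop the cloned serverName so it is re-derived from
    #    this machine's own hostname.
    drop_key serverName "$local_dir/server.conf"

    # 3) inputs.conf: drop the cloned host override (note: this removes every
    #    "host =" line in the file, not only the one under [default]).
    drop_key host "$local_dir/inputs.conf"

    # 4) restart so the new guid and host name take effect
    if [ "${RESTART:-0}" = 1 ]; then
        "$home/bin/splunk" restart
    fi
}

# Print how many serverName/host lines remain (0 once the identity is reset).
count_identity_keys() {
    local_dir="$1/etc/system/local"
    cat "$local_dir/server.conf" "$local_dir/inputs.conf" 2>/dev/null |
        grep -c -E '^(serverName|host)[[:space:]]*=' || true
}
```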

Solution 2:

Reinstall the forwarder.
Example, with the install directory /tpdata:

/tpdata/splunkforwarder/bin/splunk stop
rm -rf /tpdata/splunkforwarder
tar zxvf /tpdata/splunkforwarder-6*.tgz -C /tpdata
/tpdata/splunkforwarder/bin/splunk start --answer-yes --no-prompt --accept-license
/tpdata/splunkforwarder/bin/splunk set deploy-poll 10.21.8.228:8089 -auth admin:changeme
/tpdata/splunkforwarder/bin/splunk restart

Copyright: licensed under the Creative Commons Attribution 4.0 International license

Links: https://www.hesc.info/archives/20200817004531