splunk 多个数据关联查询
生活随笔
收集整理的這篇文章主要介紹了
splunk 多个数据关联查询
小編覺(jué)得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.
splunk是當(dāng)下比較火的大數(shù)據(jù)分析工具,可以收集日志數(shù)據(jù)、性能數(shù)據(jù)、網(wǎng)絡(luò)數(shù)據(jù)包。這些數(shù)據(jù)都是一些非結(jié)構(gòu)化的數(shù)據(jù),我們可以統(tǒng)一將這些數(shù)據(jù)統(tǒng)一采集到splunk之后,splunk可以對(duì)這些數(shù)據(jù)進(jìn)行索引、調(diào)查、監(jiān)控、可視化,告警等等。
還可以做一下機(jī)器學(xué)習(xí)訓(xùn)練等操作,非常方便。
之前的都是比較簡(jiǎn)單的查詢(xún),例如查詢(xún)IPS的流量,統(tǒng)計(jì)某個(gè)用戶(hù)訪(fǎng)問(wèn)網(wǎng)站頻率,攻擊頻率等等。
splunk有多個(gè)數(shù)據(jù)集,mysql這種就很好做關(guān)聯(lián)查詢(xún)了,left jion 等等,查了資料整理如下,給需要的人參考。
| SQL command | SQL example | Splunk SPL example | 備注 |
|---|---|---|
| SELECT * |
SELECT * FROM mytable source=mytable |
source就相當(dāng)于table |
| WHERE |
SELECT * FROM mytable WHERE mycolumn=5 source=mytable mycolumn=5 |
|
| SELECT |
SELECT mycolumn1, mycolumn2 FROM mytable source=mytable | FIELDS mycolumn1, mycolumn2 |
通過(guò)fields可以規(guī)定查詢(xún)哪幾列 |
| AND/OR |
SELECT * FROM mytable WHERE (mycolumn1="true" OR mycolumn2="red") AND mycolumn3="blue" source=mytable AND (mycolumn1="true" OR mycolumn2="red") AND mycolumn3="blue" |
|
| AS (alias) |
SELECT mycolumn AS column_alias FROM mytable source=mytable | RENAME mycolumn as column_alias | FIELDS column_alias |
rename關(guān)鍵字 |
| BETWEEN |
SELECT * FROM mytable WHERE mycolumn BETWEEN 1 AND 5 source=mytable mycolumn>=1 mycolumn<=5 |
|
| GROUP BY |
SELECT mycolumn, avg(mycolumn) FROM mytable WHERE mycolumn=value GROUP BY mycolumn source=mytable mycolumn=value | STATS avg(mycolumn) BY mycolumn | FIELDS mycolumn, avg(mycolumn ) |
stats對(duì)結(jié)果分組,并取平均值 |
| LEFT (OUTER) JOIN |
SELECT * FROM mytable1 LEFT JOIN mytable2 ON mytable1.mycolumn= mytable2.mycolumn source=mytable1 | JOIN type=left mycolumn [SEARCH source=mytable2] |
[SEARCH..]相當(dāng)于一個(gè)子查詢(xún)了,然后進(jìn)行連接 |
| TRUNCATE TABLE |
TRUNCATE TABLE mytable source=mytable | DELETE |
|
| UNION |
SELECT mycolumn FROM mytable1 UNION SELECT mycolumn FROM mytable2 source=mytable1 | APPEND [SEARCH source=mytable2] | DEDUP mycolumn |
APPEND相當(dāng)于將當(dāng)前查詢(xún)與子查詢(xún)組合起來(lái) |
| UNION ALL |
SELECT * FROM mytable1 UNION ALL SELECT * FROM mytable2 source=mytable1 | APPEND [SEARCH source=mytable2] |
區(qū)別在于,不需要去重字段 |
在表關(guān)聯(lián)查詢(xún)中,示例使用的是字段相同的,但是我的比較特殊,沒(méi)有字段關(guān)聯(lián)名稱(chēng)關(guān)聯(lián),但是我確認(rèn)字段的值是關(guān)聯(lián)的。
index="數(shù)據(jù)集1" category="類(lèi)別" | stats count as "訪(fǎng)問(wèn)次數(shù)" BY srcuser|join type=left srcuser [SEARCH index="數(shù)據(jù)集2" |rename ldap_id as srcuser]|table srcuser "訪(fǎng)問(wèn)次數(shù)" mail_id,user_cname,user_email,user_deptpath,user_dept1,leader_ldap,leader_email,leader_cname
總結(jié)
以上是生活随笔為你收集整理的splunk 多个数据关联查询的全部?jī)?nèi)容,希望文章能夠幫你解決所遇到的問(wèn)題。
- 上一篇: python3(十四)Python 异常
- 下一篇: RouterOS的Fasttrack,可