Running Splunk day to day, I've picked up a handful of commands that are worth remembering, so I'm leaving them here as a memo.
Checking configuration (which config file a setting lives in, its precedence, and so on)
What btool reports can differ from the configuration that is actually in effect: btool merges the files on disk at the moment you run it, so a change saved after the last restart or reload shows up there even though splunkd hasn't picked it up yet. It's fine for verifying the config you wrote, but to confirm what is really applied, check with the rest search command described in the next section.
(Thanks to bashi100kmrun for pointing this out!)
$SPLUNK_HOME/bin/splunk btool <conf_name> list --debug
OR
$SPLUNK_HOME/bin/splunk btool <conf_name> list --debug <stanza_name>
(<conf_name> is the file name without the .conf suffix, e.g. server for server.conf; --debug prefixes every line with the file the winning value came from.)
# For example, to look at server.conf
[XXXXXX@XXXXXX-mbp-c9067] # /Applications/splunk/test/splunk/bin/splunk btool server list --debug
/Applications/splunk/test/splunk/etc/system/default/server.conf [applicationsManagement]
/Applications/splunk/test/splunk/etc/system/default/server.conf allowInternetAccess = true
/Applications/splunk/test/splunk/etc/system/default/server.conf caCertFile = $SPLUNK_HOME/etc/auth/appsCA.pem
/Applications/splunk/test/splunk/etc/system/default/server.conf cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:$
# To look at one specific stanza (here [tcp]) in inputs.conf
[XXXXXX@XXXXXX-mbp-c9067] # /Applications/splunk/ca/splunk/bin/splunk btool inputs list --debug tcp
/Applications/splunk/test/splunk/etc/system/default/inputs.conf [tcp]
/Applications/splunk/test/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/Applications/splunk/test/splunk/etc/system/default/inputs.conf acceptFrom = *
/Applications/splunk/test/splunk/etc/system/default/inputs.conf connection_host = dns
/Applications/splunk/test/splunk/etc/system/local/inputs.conf host = sudagawa-mbp-c9067
/Applications/splunk/test/splunk/etc/system/default/inputs.conf index = default
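As an added example (not part of the original post), here is a small POSIX shell helper that turns the btool --debug output above into a precedence report: which layer (system default/local, app default/local) each effective key comes from, which keys were actually set by someone rather than inherited from shipped defaults, and the effective value of a given key. The lines in SAMPLE_BTOOL are constructed to mirror the [tcp] listing above; the /opt/splunk paths, the host name and the app name my_inputs are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: summarise `splunk btool <conf> list --debug`
# output by configuration layer. Paths under /opt/splunk, the host name and the app name
# my_inputs are assumptions; the lines mirror the inputs.conf [tcp] listing shown above.

# Constructed sample of `splunk btool inputs list --debug tcp` output.
SAMPLE_BTOOL='/opt/splunk/etc/system/default/inputs.conf [tcp]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf acceptFrom = *
/opt/splunk/etc/system/default/inputs.conf connection_host = dns
/opt/splunk/etc/system/local/inputs.conf host = splunk-hf01
/opt/splunk/etc/apps/my_inputs/local/inputs.conf index = netlogs'

# Print "key layer path" for every setting line. Stanza header lines ("<path> [stanza]")
# are skipped; the layer is derived from where the winning file sits in the precedence order.
btool_layer_report() {
    awk '
    $2 ~ /^\[/ { next }
    $3 == "=" {
        path = $1; key = $2; layer = "other"
        if (path ~ "/etc/system/default/")          layer = "system-default"
        else if (path ~ "/etc/system/local/")       layer = "system-local"
        else if (path ~ "/etc/apps/[^/]+/default/") layer = "app-default"
        else if (path ~ "/etc/apps/[^/]+/local/")   layer = "app-local"
        print key, layer, path
    }'
}

# Keys whose effective value comes from a local layer, i.e. something an admin or an app
# explicitly set, as opposed to shipped defaults that may change on upgrade.
btool_nondefault_keys() {
    btool_layer_report | awk '$2 !~ /default$/ { print $1 }'
}

# Effective value of one key. btool has already merged the layers, so the first match wins.
btool_value() {
    awk -v k="$1" '$2 == k && $3 == "=" { sub(/^[^=]*= ?/, ""); print; exit }'
}

printf '%s\n' "$SAMPLE_BTOOL" | btool_layer_report
printf '%s\n' "$SAMPLE_BTOOL" | btool_nondefault_keys
printf '%s\n' "$SAMPLE_BTOOL" | btool_value acceptFrom
```

Against a live instance, pipe the real output in: $SPLUNK_HOME/bin/splunk btool inputs list --debug tcp | btool_nondefault_keys. In the sample, acceptFrom on the receiving port is still the shipped default of *, which accepts connections from any address; on an indexer or heavy forwarder that is the kind of default-layer value worth overriding with the forwarder networks.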
Checking the configuration currently loaded in memory
This is done with the rest search command. Endpoint reference:
https://docs.splunk.com/Documentation/SplunkCloud/latest/RESTREF/RESTconf#configs.2Fconf-.7Bfile.7D
# To check limits.conf
| rest /services/configs/conf-limits
# Per stanza
| rest /services/configs/conf-limits/<stanza_name>
Checking the status of files being ingested
When Splunk is reading files, this command tells you how far each one has been read and whether it is being read properly at all. For the Tailing Processor it reports file position, file size and percent, so you can see how far along each file is; if a file cannot be read or an error occurred, messages to that effect appear in the same listing. The command talks to splunkd's management port, so if you don't have a valid CLI session you'll be prompted to log in first, as in the output below.
[XXXXXX@XXXXXX-mbp-c9067] # /Applications/splunk/test/splunk/bin/splunk list inputstatus
Your session is invalid. Please login.
Splunk username: admin
Password:
Cooked:tcp :
tcp
ExecProcessor:exec commands :
$SPLUNK_HOME/etc/apps/splunk_instrumentation/bin/instrumentation.py
$SPLUNK_HOME/etc/apps/splunk_instrumentation/bin/on_splunk_start.py
exit status description = exited with code 0
time closed = 2019-06-02T18:43:21+0900
time opened = 2019-06-02T18:43:10+0900
$SPLUNK_HOME/etc/apps/splunk_instrumentation/bin/schedule_delete.py
./bin/collector.path
time opened = 2019-06-02T18:43:07+0900
./bin/dmc_config.py
exit status description = exited with code 0
time closed = 2019-06-02T18:43:13+0900
time opened = 2019-06-02T18:43:12+0900
Raw:tcp :
tcp
TailingProcessor:FileStatus :
$SPLUNK_HOME/etc/splunk.version
file position = 71
file size = 71
percent = 100.00
type = finished reading
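Added example, not from the original post: a shell/awk filter over the splunk list inputstatus output above that reports only the Tailing Processor files that are not fully read, so you don't have to eyeball the whole listing on a host with hundreds of monitored files. SAMPLE_INPUTSTATUS is constructed from the shape of the output above; the /var/log/auth.log entry, its numbers and its "open file" type are assumed values for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: filter `splunk list inputstatus` output down to
# Tailing Processor files that are not fully read. The sample is constructed; the
# /var/log/auth.log entry and its "open file" type are assumed for illustration.

SAMPLE_INPUTSTATUS='Cooked:tcp :
    tcp
ExecProcessor:exec commands :
    ./bin/dmc_config.py
        exit status description = exited with code 0
        time opened = 2019-06-02T18:43:12+0900
TailingProcessor:FileStatus :
    $SPLUNK_HOME/etc/splunk.version
        file position = 71
        file size = 71
        percent = 100.00
        type = finished reading
    /var/log/auth.log
        file position = 4096
        file size = 8192
        percent = 50.00
        type = open file'

# Walk the indented listing: a line ending in " :" starts a section, a line without "="
# names an input (a file path) inside the current section, and "key = value" lines describe
# the most recent input. Only TailingProcessor:FileStatus entries are considered; an entry
# is reported when it is below 100 percent or its type is anything other than
# "finished reading", which is also where read problems surface.
inputstatus_unfinished() {
    awk '
    NF == 0 { next }
    / :$/ { section = $0; sub(/^[ \t]+/, "", section); sub(/ :$/, "", section); next }
    section != "TailingProcessor:FileStatus" { next }
    $0 !~ /=/ { file = $1; order[++n] = file; pct[file] = ""; typ[file] = ""; next }
    {
        split($0, kv, " = "); sub(/^[ \t]+/, "", kv[1])
        if (kv[1] == "percent") pct[file] = kv[2]
        if (kv[1] == "type")    typ[file] = kv[2]
    }
    END {
        for (i = 1; i <= n; i++) {
            f = order[i]
            if (typ[f] != "finished reading" || pct[f] + 0 < 100)
                print f, (pct[f] == "" ? "n/a" : pct[f]), typ[f]
        }
    }'
}

printf '%s\n' "$SAMPLE_INPUTSTATUS" | inputstatus_unfinished
```

Against a live instance: $SPLUNK_HOME/bin/splunk list inputstatus | inputstatus_unfinished. A file stuck well below 100 percent for a long time usually means the reader is falling behind or blocked, which is the moment to go look at splunkd.log for that path.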
Command to collect files for troubleshooting
This is an essential command whenever you open a support case or dig into a problem. Run it before you file the ticket and attach the result; you should, really. The archive contains what you need for an investigation, including the internal logs. As the output below shows, certificates under etc/auth are excluded automatically, and anything else you don't want leaving the box can be added to an EXCLUDE rule in the [diag] stanza of server.conf, so review the archive before uploading it.
[XXXXXX@XXXXXX-mbp-c9067] # /Applications/splunk/test/splunk/bin/splunk diag
Collecting components: conf_replication_summary, consensus, dispatch, etc, file_validate, index_files, index_listing, kvstore, log, pool, searchpeers, suppression_listing
Skipping components: rest
Selected diag name of: diag-xxxxx-mbp-c9067-2019-06-02_18-52-18
Starting splunk diag...
Logged search filtering is enabled.
Skipping REST endpoint gathering...
Determining diag-launching user...
Getting version info...
Getting system version info...
Getting file integrity info...
Getting network interface config info...
Getting splunk processes info...
Getting netstat output...
Getting info about memory, ulimits, cpu (on windows this takes a while)...
Getting etc/auth filenames...
Getting Sinkhole filenames...
Getting search peer bundles listings...
Getting conf replication summary listings...
Getting suppression files listings...
Getting KV Store listings...
Getting index listings...
Copying Splunk configuration files...
filtered out file '/Applications/splunk/test/splunk/etc/apps/splunk_archiver/java-bin/jars/thirdparty/hive_1_2/hive-exec-1.2.1.jar' limit: 10485760 size: 20599029
filtered out file '/Applications/splunk/test/splunk/etc/apps/splunk_archiver/java-bin/jars/thirdparty/aws/aws-java-sdk-1.10.8.jar' limit: 10485760 size: 21006573
The following certificates were excluded from the diag output automatically.
/Applications/splunk/test/splunk/etc/auth/appsCA.pem
/Applications/splunk/test/splunk/etc/auth/server.pem
/Applications/splunk/test/splunk/etc/auth/cloudCA.pem
/Applications/splunk/test/splunk/etc/auth/appsLicenseCA.pem
/Applications/splunk/test/splunk/etc/auth/ca.pem
/Applications/splunk/test/splunk/etc/auth/cacert.pem
/Applications/splunk/test/splunk/etc/auth/distServerKeys/trusted.pem
/Applications/splunk/test/splunk/etc/auth/distServerKeys/private.pem
/Applications/splunk/test/splunk/etc/auth/audit/public.pem
/Applications/splunk/test/splunk/etc/auth/audit/private.pem
/Applications/splunk/test/splunk/etc/auth/splunkweb/cert.pem
/Applications/splunk/test/splunk/etc/auth/splunkweb/privkey.pem
/Applications/splunk/test/splunk/etc/apps/framework/contrib/requests/requests/cacert.pem
If you have any certs that were not auto-detected, please add them to an EXCLUDE rule in the [diag] stanza of server.conf.
Copying Splunk log files...
Copying Search Pool files...
Copying bucket info files...
Copying Splunk dispatch files...
Copying Splunk consensus files...
Adding manifest files...
Cleaning up...
Splunk diagnosis file created: /Applications/splunk/test/splunk/diag-sudagawa-mbp-c9067-2019-06-02_18-52-18.tar.gz
[XXXXXX@XXXXXX-mbp-c9067] #
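Added example (not the original post's own procedure): two pre-upload checks on a diag archive, one listing anything that still looks like key material or a credential store, the other grepping the bundled .conf files for credential keys whose value is not in Splunk's encrypted $1$/$7$ form. A real diag excludes the etc/auth certificates automatically, as the output above shows, so on a real archive the first check should come back empty; make_sample_diag builds a constructed tarball that deliberately includes a server.pem and a cleartext sslPassword so that both checks fire. The file-name patterns and the credential key names are assumptions, adjust them to your environment.

```shell
#!/bin/sh
# Added example, not part of the original post: two pre-upload checks on a diag archive.
# The file-name patterns and the credential key names are assumptions; adjust for your site.

# 1. Anything in the archive that still looks like key material or a credential store.
#    Directory entries (trailing slash) are dropped so "etc/auth/" itself does not match.
diag_sensitive_files() {
    tar tzf "$1" | grep -v '/$' \
        | grep -Ei '\.(pem|key|p12|pfx|jks)$|/etc/auth/|/etc/passwd$|splunk\.secret$' || true
}

# 2. Credential keys in bundled .conf files whose value is not in Splunk's encrypted form
#    (values Splunk has already encrypted start with $1$ or $7$; anything else is cleartext).
diag_cleartext_secrets() {
    tmp=$(mktemp -d)
    tar xzf "$1" -C "$tmp"
    find "$tmp" -name '*.conf' -exec grep -EHni \
        '^[[:space:]]*(password|sslpassword|pass4symmkey|sslkeysfilepassword)[[:space:]]*=[[:space:]]*[^$[:space:]]' {} + \
        | sed "s#^$tmp/##" || true
    rm -rf "$tmp"
}

# Constructed stand-in for a diag. A real diag excludes etc/auth certs (see the output above);
# this one includes a server.pem and a cleartext sslPassword on purpose so both checks fire.
make_sample_diag() {
    work=$(mktemp -d)
    d="$work/diag-example"
    mkdir -p "$d/etc/auth" "$d/etc/system/local"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$d/etc/auth/server.pem"
    printf '[sslConfig]\nsslPassword = hunter2\n' > "$d/etc/system/local/server.conf"
    printf '[SSL]\npassword = $7$notreallyencrypted\n' > "$d/etc/system/local/inputs.conf"
    tar czf "$work/diag-example.tar.gz" -C "$work" diag-example
    echo "$work/diag-example.tar.gz"
}

DIAG=$(make_sample_diag)
echo "== entries that look sensitive =="
diag_sensitive_files "$DIAG"
echo "== cleartext credentials in .conf files =="
diag_cleartext_secrets "$DIAG"
```

Point both functions at the real diag-<host>-<date>.tar.gz before uploading; anything the first check lists is a candidate for an EXCLUDE rule in the [diag] stanza of server.conf, and anything the second check lists means a credential was written to a conf file and splunkd never got to encrypt it.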
The rest are cluster-related commands, but I think these two are enough to remember.
# For an indexer cluster
$SPLUNK_HOME/bin/splunk show cluster-bundle-status
# For a search head cluster (SHC)
$SPLUNK_HOME/bin/splunk show shcluster-status
Wrapping up
There's plenty more out there, but if you can use btool you should be able to get a decent picture of what's going on.