A list of useful Splunk commands


While operating Splunk in various environments, I came across a few commands that are handy to remember, so I'm leaving them here as notes.

Check the configuration currently loaded in memory

$SPLUNK_HOME/bin/splunk btool <config name> list --debug

OR

$SPLUNK_HOME/bin/splunk btool <config name> list --debug <stanza name>

# For example, to view server.conf
[XXXXXX@XXXXXX-mbp-c9067] # /Applications/splunk/test/splunk/bin/splunk btool server list --debug
/Applications/splunk/test/splunk/etc/system/default/server.conf                             [applicationsManagement]
/Applications/splunk/test/splunk/etc/system/default/server.conf                             allowInternetAccess = true
/Applications/splunk/test/splunk/etc/system/default/server.conf                             caCertFile = $SPLUNK_HOME/etc/auth/appsCA.pem
/Applications/splunk/test/splunk/etc/system/default/server.conf                             cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:$

# To view a specific stanza of inputs.conf
[XXXXXX@XXXXXX-mbp-c9067] # /Applications/splunk/ca/splunk/bin/splunk btool inputs list --debug tcp
/Applications/splunk/test/splunk/etc/system/default/inputs.conf [tcp]
/Applications/splunk/test/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/Applications/splunk/test/splunk/etc/system/default/inputs.conf acceptFrom = *
/Applications/splunk/test/splunk/etc/system/default/inputs.conf connection_host = dns
/Applications/splunk/test/splunk/etc/system/local/inputs.conf   host = sudagawa-mbp-c9067
/Applications/splunk/test/splunk/etc/system/default/inputs.conf index = default
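To make the btool --debug output easier to audit, here is an added Python example (my own, not from the article) that parses lines in the format shown above into a stanza/key map with each setting's source file, lists settings whose effective value comes from a local/ override rather than a default/ directory, and flags stanzas whose effective acceptFrom is the wildcard *. The paths and values in the sample are constructed.

```python
import re

# Constructed sample of `splunk btool inputs list --debug` output,
# modelled on the format shown above (hypothetical paths and values).
SAMPLE_BTOOL_OUTPUT = """\
/opt/splunk/etc/system/default/inputs.conf [tcp]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf acceptFrom = *
/opt/splunk/etc/system/default/inputs.conf connection_host = dns
/opt/splunk/etc/system/local/inputs.conf   host = example-host
/opt/splunk/etc/apps/myapp/local/inputs.conf [tcp://9997]
/opt/splunk/etc/apps/myapp/local/inputs.conf acceptFrom = 10.0.0.0/8
/opt/splunk/etc/apps/myapp/local/inputs.conf sourcetype = syslog
"""

# Each line is "<source file>   <[stanza] header | key = value>".
LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<rest>.+)$")
STANZA_RE = re.compile(r"^\[(?P<stanza>[^\]]+)\]$")


def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_path)}} from btool --debug output."""
    result = {}
    stanza = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, rest = m.group("path"), m.group("rest").strip()
        sm = STANZA_RE.match(rest)
        if sm:
            stanza = sm.group("stanza")
            result.setdefault(stanza, {})
        elif stanza is not None and "=" in rest:
            key, value = (s.strip() for s in rest.split("=", 1))
            result[stanza][key] = (value, path)
    return result


def find_non_default(config):
    """Settings whose winning value is not from a default/ directory (local overrides)."""
    return [(stanza, key, value, path)
            for stanza, keys in config.items()
            for key, (value, path) in keys.items()
            if "/default/" not in path]


def find_open_accept_from(config):
    """Stanzas whose effective acceptFrom is '*' (accepts connections from anywhere)."""
    return sorted(stanza for stanza, keys in config.items()
                  if keys.get("acceptFrom", ("",))[0] == "*")


if __name__ == "__main__":
    cfg = parse_btool_debug(SAMPLE_BTOOL_OUTPUT)
    for item in find_non_default(cfg):
        print("override: [%s] %s = %s  (%s)" % item)
    print("wildcard acceptFrom in:", find_open_accept_from(cfg))
```

Feed it the real output with `splunk btool inputs list --debug | python3 this_script.py` after replacing the constructed sample with `sys.stdin.read()`.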

Check the status of files being ingested

Splunk often reads files of various kinds; this command lets you check how far it has read each one and whether it is actually reading it properly.

For the Tailing Processor, you can see how far a file has been read from file position, file size, and percent. If a file cannot be read or an error is occurring, various messages are shown.

[XXXXXX@XXXXXX-mbp-c9067] # /Applications/splunk/test/splunk/bin/splunk list inputstatus
Your session is invalid.  Please login.
Splunk username: admin
Password:
Cooked:tcp :
        tcp

ExecProcessor:exec commands :
        $SPLUNK_HOME/etc/apps/splunk_instrumentation/bin/instrumentation.py

        $SPLUNK_HOME/etc/apps/splunk_instrumentation/bin/on_splunk_start.py
                exit status description = exited with code 0
                time closed = 2019-06-02T18:43:21+0900
                time opened = 2019-06-02T18:43:10+0900

        $SPLUNK_HOME/etc/apps/splunk_instrumentation/bin/schedule_delete.py

        ./bin/collector.path
                time opened = 2019-06-02T18:43:07+0900

        ./bin/dmc_config.py
                exit status description = exited with code 0
                time closed = 2019-06-02T18:43:13+0900
                time opened = 2019-06-02T18:43:12+0900

Raw:tcp :
        tcp

TailingProcessor:FileStatus :
        $SPLUNK_HOME/etc/splunk.version
                file position = 71
                file size = 71
                percent = 100.00
                type = finished reading

Command to collect files for investigation

This command is absolutely essential when raising a case with support or investigating an issue. It is definitely better to collect it beforehand and then raise the support ticket; in fact, that is what you should do.

It also includes things like the internal logs needed for investigation.

[XXXXXX@XXXXXX-mbp-c9067] # /Applications/splunk/test/splunk/bin/splunk diag
Collecting components: conf_replication_summary, consensus, dispatch, etc, file_validate, index_files, index_listing, kvstore, log, pool, searchpeers, suppression_listing
Skipping components: rest
Selected diag name of: diag-xxxxx-mbp-c9067-2019-06-02_18-52-18
Starting splunk diag...
Logged search filtering is enabled.
Skipping REST endpoint gathering...
Determining diag-launching user...
Getting version info...
Getting system version info...
Getting file integrity info...
Getting network interface config info...
Getting splunk processes info...
Getting netstat output...
Getting info about memory, ulimits, cpu (on windows this takes a while)...
Getting etc/auth filenames...
Getting Sinkhole filenames...
Getting search peer bundles listings...
Getting conf replication summary listings...
Getting suppression files listings...
Getting KV Store listings...
Getting index listings...
Copying Splunk configuration files...
filtered out file '/Applications/splunk/test/splunk/etc/apps/splunk_archiver/java-bin/jars/thirdparty/hive_1_2/hive-exec-1.2.1.jar'  limit: 10485760  size: 20599029
filtered out file '/Applications/splunk/test/splunk/etc/apps/splunk_archiver/java-bin/jars/thirdparty/aws/aws-java-sdk-1.10.8.jar'  limit: 10485760  size: 21006573
The following certificates were excluded from the diag output automatically.
        /Applications/splunk/test/splunk/etc/auth/appsCA.pem
        /Applications/splunk/test/splunk/etc/auth/server.pem
        /Applications/splunk/test/splunk/etc/auth/cloudCA.pem
        /Applications/splunk/test/splunk/etc/auth/appsLicenseCA.pem
        /Applications/splunk/test/splunk/etc/auth/ca.pem
        /Applications/splunk/test/splunk/etc/auth/cacert.pem
        /Applications/splunk/test/splunk/etc/auth/distServerKeys/trusted.pem
        /Applications/splunk/test/splunk/etc/auth/distServerKeys/private.pem
        /Applications/splunk/test/splunk/etc/auth/audit/public.pem
        /Applications/splunk/test/splunk/etc/auth/audit/private.pem
        /Applications/splunk/test/splunk/etc/auth/splunkweb/cert.pem
        /Applications/splunk/test/splunk/etc/auth/splunkweb/privkey.pem
        /Applications/splunk/test/splunk/etc/apps/framework/contrib/requests/requests/cacert.pem
If you have any certs that were not auto-detected, please add them to an EXCLUDE rule in the [diag] stanza of server.conf.
Copying Splunk log files...
Copying Search Pool files...
Copying bucket info files...
Copying Splunk dispatch files...
Copying Splunk consensus files...
Adding manifest files...
Cleaning up...
Splunk diagnosis file created: /Applications/splunk/test/splunk/diag-sudagawa-mbp-c9067-2019-06-02_18-52-18.tar.gz
[XXXXXX@XXXXXX-mbp-c9067] #

Other than that, there are cluster-related commands, but remembering just these two should be enough.

# For an indexer cluster
$SPLUNK_HOME/bin/splunk show cluster-bundle-status

# For a search head cluster (SHC)
$SPLUNK_HOME/bin/splunk show shcluster-status

Finally

There are many others, but if you can use btool you should be able to grasp the situation to a reasonable degree.

saeoshi