Splunk Manual Study Notes: Knowledge Manager Manual-4

3.1.Workflow actions

About workflow actions in Splunk Web
You can define workflow actions that enable you to:

  • Perform an external WHOIS lookup based on an IP address found in an event
  • Use the field values in an HTTP error event to create a new entry in an external issue management system
  • Launch secondary searches that use one or more field values from selected events
  • Perform an external search (using Google or a similar web search application) on the value of a specific field found in an event.

Define workflow actions using Splunk Web
Settings > Fields > Workflow actions

Target workflow actions to a narrow grouping of events
Narrow workflow action scope by field
Narrow workflow action scope by event type
Set up a GET workflow action

  • Go to Settings > Fields > Workflow Actions.
  • Click New to open a new workflow action form.
  • Define a Label for the action.
  • Determine whether the workflow action applies to specific fields or event types in your data.
  • For Show action in, determine whether you want the action to appear in the Event menu, the Fields menus, or Both.
  • Set Action type to link.
  • In URI, provide a URI for the location of the external resource that you want to send your field values to.
  • Set the Link method to get.
  • Click Save to save your workflow action definition.

Example - Google search from field values
In this example, we set the Label value to Google $topic$ because we have a field called topic.

Use the $! prefix to prevent escape of URL or HTTP form field values

Set up a POST workflow action
The setup is similar to the GET workflow action above, with one difference:
after setting Link method to post,
under Post arguments, define the arguments that should be sent to the web resource at the identified URI.
Example - Allow an http error to create an entry in an issue tracking application

Use the $! prefix to prevent escape of URL or HTTP form field values
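The following Python model, an added illustration rather than Splunk's own code, shows what the GET and POST sections above describe: $field$ values are URL-encoded before they are placed in the URI or Post arguments, while $!field$ values are inserted raw. The event values and URLs are constructed; the uri_path field carries its own query string so that the effect of the $! prefix is visible.

```python
"""Model of how a Splunk link workflow action substitutes field values into
a GET URI or POST arguments. An added illustration, not Splunk's own code:
$field$ values are URL-encoded before insertion, $!field$ values are inserted
raw, as the $! note above describes. URLs and event values are constructed."""
import re
from urllib.parse import quote, urlparse, parse_qs

TOKEN = re.compile(r"\$(!?)(\w+)\$")

def substitute(template, event):
    """Replace $name$ (encoded) and $!name$ (raw) tokens with event fields."""
    def repl(m):
        value = str(event.get(m.group(2), ""))
        return value if m.group(1) else quote(value, safe="")
    return TOKEN.sub(repl, template)

def build_get_url(uri_template, event):
    """GET workflow action: the field values become part of the URI."""
    return substitute(uri_template, event)

def build_post_args(arg_templates, event):
    """POST workflow action: each Post argument is substituted separately."""
    return {k: substitute(v, event) for k, v in arg_templates.items()}

def query_param_names(url):
    """Parameter names the external resource will actually receive."""
    return sorted(parse_qs(urlparse(url).query))

# Constructed event: uri_path carries its own query string, the case where
# escaping decides whether it stays one value or splits into parameters.
EVENT = {"topic": "splunk workflow actions", "clientip": "203.0.113.7",
         "status": "500", "uri_path": "/api/items?id=1&debug=1"}

if __name__ == "__main__":
    print(build_get_url("https://www.google.com/search?q=$topic$", EVENT))
    safe = build_get_url("https://tracker.example/new?path=$uri_path$", EVENT)
    raw = build_get_url("https://tracker.example/new?path=$!uri_path$", EVENT)
    # Encoded: the external resource sees one parameter. Raw: the value's own
    # "&debug=1" becomes a second parameter, so reserve $! for values that are
    # already URL-safe.
    print(query_param_names(safe), query_param_names(raw))
    print(build_post_args({"ip": "$clientip$", "code": "$status$"}, EVENT))
```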
Set up a search workflow action
Example - Launch a secondary search that finds errors originating from a specific Ruby On Rails controller

  • On the Workflow actions detail page, set up an action with the following Label: See other errors for controller $controller$ over past 24h.
  • Set Action type to Search.
  • Enter the following Search string: sourcetype=rails controller=$controller$ error=*
  • Set an Earliest time of -24h. Leave Latest time blank.
  • Using the Apply only to the following...

Control workflow action appearance in field and event menus
To select event-level workflow actions:

  • Run a search.
  • Go to the Events tab.
  • Expand an event in your search results and click Event Actions.

You can arrange for workflow actions to be event-level (meaning they apply to an entire event), field-level (meaning they apply to specific fields within events), or both.

Use special parameters in workflow actions

  • @field_name
  • @field_value

The other special parameters are:

  • @sid
  • @offset
  • @namespace
  • @latest_time

3.2.Search macros

Search macros are reusable chunks of Search Processing Language (SPL) that you can insert into other searches.
Use search macros in searches
Insert search macros into search strings

sourcetype=access_* | `mymacro`

Preview search macros in search strings
Search macros that contain generating commands

| `mygeneratingmacro`

When search macros take arguments

`mymacro("He said \"hello!\"")`

Your search macro definition can include the following:

  • A validation expression that determines whether the arguments you enter are valid
  • A validation error message that appears when you provide invalid arguments

Define search macros in Settings

  • Go to Settings > Advanced Search > Search macros.
  • Click New to create a search macro.
  • Enter a unique Name for the search macro.
  • In Definition, enter the search string that the macro expands to when you reference it in another search.

Design a search macro definition
The fundamental part of a search macro is its definition, which is the SPL chunk that the macro expands to when you reference it in another search.
Pipe characters and generating commands in macro definitions
Suppose you have a search macro named mygeneratingmacro with the following definition:

tstats latest(_time) as latest where index!=filemon by index host source sourcetype

Because the definition begins with a generating command, reference the macro with a leading pipe:

| `mygeneratingmacro`

Validate search macro arguments

  • Validation expression
  • Validation error message

Search macro examples
Simple search macro with argument

sourcetype="iis" cs_username!="-" /$fragment$/ .pdf

In the Arguments field, enter fragment as the argument.
Click Save.

You can insert iis_search(fragment=TM) into your search string to call the search macro for the TM fragment.

Preview your search to see the contents of your macro
Use the search preview feature to see the contents of search macros that are embedded within the search, without actually running the search.

Combine search macros and transactions
The definition of makesessions:

transaction clientip maxpause=30m

The following search uses the makesessions search macro to take web traffic events and break them into sessions:

sourcetype=access_* | `makesessions`

The following search uses the makesessions search macro to return a report of the number of pageviews per session for each day:

sourcetype=access_* | `makesessions` | timechart span=1d sum(eventcount) as pageviews count as sessions
sourcetype=access_* | `makesessions` | timechart $span$ sum(eventcount) as pageviews count as sessions

Validate arguments to determine whether they are numeric
Go to Settings > Advanced Search > Search Macros.
Click New to create a new search macro.
For Name, enter newrate(2). The (2) indicates that the macro takes two arguments.
For Definition, enter the following:

eval new_rate=$val$*$rate$

For the Argument field, enter val and rate.
Enter a Validation expression.
Enter the following Validation error message.
Click Save.
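The following Python model, an added illustration and not Splunk's implementation, ties together the macro examples above: the iis_search(fragment=TM) keyword argument, the makesessions macro with no arguments, the quoted-argument form from mymacro("He said \"hello!\""), and the newrate(2) numeric validation. The validation error message for newrate is assumed here; the page leaves it unspecified.

```python
"""Model of Splunk search macro expansion with arguments and validation.
Added illustration, not Splunk's code: names carry the argument count as in
newrate(2), definitions use $arg$, a validator runs before expansion."""
import re

NUM = re.compile(r"^-?\d+(\.\d+)?$")   # stands in for isnum() in the validator
# name(argcount) -> (definition, argument names, validator, error message)
MACROS = {
    "iis_search(1)": ('sourcetype="iis" cs_username!="-" /$fragment$/ .pdf',
                      ["fragment"], None, None),
    "newrate(2)": ("eval new_rate=$val$*$rate$", ["val", "rate"],
                   lambda a: all(NUM.match(a[k]) for k in ("val", "rate")),
                   "Both arguments must be numeric"),   # assumed message
    "makesessions(0)": ("transaction clientip maxpause=30m", [], None, None),
}
CALL = re.compile(r"`(\w+)(?:\((.*?)\))?`")

def parse_args(text):
    """Split on commas outside double quotes, honouring backslash escapes."""
    args, cur, quoted, esc = [], "", False, False
    for ch in text:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\":
            esc = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return args + [cur.strip()] if (cur.strip() or args) else []

def expand(search):
    """Expand each `name(args)` reference in search one level deep."""
    def repl(m):
        args = parse_args(m.group(2) or "")
        definition, names, validate, error = MACROS[f"{m.group(1)}({len(args)})"]
        bound = {}
        for i, a in enumerate(args):      # positional or name=value form
            k, sep, v = a.partition("=")
            if sep and k in names:
                bound[k] = v
            else:
                bound[names[i]] = a
        if validate and not validate(bound):
            raise ValueError(error)       # the Validation error message
        return re.sub(r"\$(\w+)\$", lambda t: bound[t.group(1)], definition)
    return CALL.sub(repl, search)
```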