Splunk 相关命令使用

1. 系统监控常见命令

1.1 查看证书每天使用情况

index="_internal" source="*/license_usage.log" 
| where isnotnull(idx) 
| eval index_sourcetype = idx + ":" + st + " (MB)"
| eval size = round(b / (1024 * 1024),3)
| timechart span=1d sum(size) as size BY index_sourcetype