author: mjfernez <mjf@mjfer.net> 2023-10-22 21:59:40 -0400
committer: mjfernez <mjf@mjfer.net> 2023-10-22 21:59:40 -0400
commit: bcf5aeb7b77ae0d0c376c99249b60ab151f9d19c
tree: e5c915bd40b9908c9052d49c80c228213de3ba44 /.md
parent: 3fb681e48ae75f0e7b00075a2caf61e66582a973
download: site-files-bcf5aeb7b77ae0d0c376c99249b60ab151f9d19c.tar.gz
Add first splunk tutorials
Diffstat (limited to '.md')
-rw-r--r-- .md/tutorials/splunk/.description | 3
-rw-r--r-- .md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md | 56
2 files changed, 59 insertions, 0 deletions
diff --git a/.md/tutorials/splunk/.description b/.md/tutorials/splunk/.description
new file mode 100644
index 0000000..699b696
--- /dev/null
+++ b/.md/tutorials/splunk/.description
@@ -0,0 +1,3 @@
+I use splunk a whole lot at work. As far as docs go they're not bad
+but sometimes you just gotta learn trhough comment sections. For
+questions that might not have a comment section, those answers are here
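Review bot: typo in the second line of this description, "trhough" should be "through"; this text is shown as the section blurb, so it is worth fixing before it lands.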
diff --git a/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md b/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md
new file mode 100644
index 0000000..5b9cff7
--- /dev/null
+++ b/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md
@@ -0,0 +1,56 @@
+Macros are for more than just canned searches.
+
+If you've never seen a macro before, read the doc page here:
+
+https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Definesearchmacros
+
+What that doc page doesn't tell you is that you need not just stick
+any old complicated search in there. If you know how to use `eval`
+you can stick any resulting text anywhere you want.
+
+Take for example, timestamping your output lookups. Let's say
+I have a report that runs every 12 hours that I output to a lookup
+called "vpn_users.csv," which contains all users who logged on to VPN
+in that time. That report might look something like this:
+
+```SPL
+index=syslog sourcetype=vpn
+ | table _time username
+ | outputlookup vpn_users.csv
+```
+
+I can easily review that lookup like so:
+
+`| inputlookup vpn_users.csv`
+
+My boss might be happy that I'm keeping an eye on things, but
+what's the historical picture? How do I know what's a red flag
+and what isn't? What I might do is combine all of the days reports
+into one each day, and then compare each today. But in the original
+report logic, this gets overwritten every 12 hours. You could just
+append forever, but then you're not looking at just twelve hours,
+unless you add a time constraint to your search. How do I get to
+a daily report without interrupting the reports already running?
+
+One way to do it is to create a second combined report unique to
+that day, for example 'vpn_users-2022_11_17.csv'. The way you
+insert that text is with a macro, defined for the current date.
+For this particular format, I can define a macro called `today`
+with the following definition, which just gets the current time
+and formats it:
+
+`strftime(now(), "%Y-%m-%d")`
+
+Now I literally just stick it to the end of my original search, and
+set the lookup file to append, so we *add* new values rather than
+overwrite them:
+
+```SPL
+index=syslog sourcetype=vpn
+ | table _time username
+ | outputlookup vpn_users.csv
+ | outputlookup append=t vpn_users-`today`.csv
+```
+
+That's just a super obvious implementation though; there's all sorts of
+ways you might want to tag your lookups for ease of access.
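Review bot: the example filename 'vpn_users-2022_11_17.csv' uses underscores between the date fields, but the `today` definition `strftime(now(), "%Y-%m-%d")` produces hyphens, so the file the final search actually writes is vpn_users-2022-11-17.csv; use one format in both places. The text also never says that `today` has to be created as an eval-based macro (the "Use eval-based definition" option in the UI, `iseval = 1` in macros.conf): a plain search macro is a textual substitution, so `vpn_users-`today`.csv` would expand to the literal text `strftime(now(), "%Y-%m-%d")` inside the filename instead of the date. Since the post leans on the `eval` remark at the top to imply this, stating it explicitly next to the definition would save readers a confusing failed search.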