| author | mjfernez <mjf@mjfer.net> | 2023-10-22 21:59:40 -0400 |
|---|---|---|
| committer | mjfernez <mjf@mjfer.net> | 2023-10-22 21:59:40 -0400 |
| commit | bcf5aeb7b77ae0d0c376c99249b60ab151f9d19c (patch) | |
| tree | e5c915bd40b9908c9052d49c80c228213de3ba44 /tutorials | |
| parent | 3fb681e48ae75f0e7b00075a2caf61e66582a973 (diff) | |
| download | site-files-bcf5aeb7b77ae0d0c376c99249b60ab151f9d19c.tar.gz | |
Add first splunk tutorials
Diffstat (limited to 'tutorials')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | tutorials/splunk/.description | 3 |
| -rw-r--r-- | tutorials/splunk/i-found-out-splunk-macros-are-awesome.html | 201 |
| -rw-r--r-- | tutorials/www/how-to-use-the-internet.html | 250 |
3 files changed, 454 insertions, 0 deletions
diff --git a/tutorials/splunk/.description b/tutorials/splunk/.description new file mode 100644 index 0000000..699b696 --- /dev/null +++ b/tutorials/splunk/.description @@ -0,0 +1,3 @@ +I use splunk a whole lot at work. As far as docs go they're not bad +but sometimes you just gotta learn trhough comment sections. For +questions that might not have a comment section, those answers are here diff --git a/tutorials/splunk/i-found-out-splunk-macros-are-awesome.html b/tutorials/splunk/i-found-out-splunk-macros-are-awesome.html new file mode 100644 index 0000000..10e8567 --- /dev/null +++ b/tutorials/splunk/i-found-out-splunk-macros-are-awesome.html 
@@ -0,0 +1,201 @@ +<!DOCTYPE html> +<html lang="" xml:lang="" xmlns="http://www.w3.org/1999/xhtml"> +<head> +<meta charset="utf-8"/> +<meta content="pandoc" name="generator"/> +<meta content="width=device-width, initial-scale=1.0, user-scalable=yes" name="viewport"/> +<title>i-found-out-splunk-macros-are-awesome</title> +<style> + html { + line-height: 1.5; + font-family: Georgia, serif; + font-size: 20px; + color: #1a1a1a; + background-color: #fdfdfd; + } + body { + margin: 0 auto; + max-width: 36em; + padding-left: 50px; + padding-right: 50px; + padding-top: 50px; + padding-bottom: 50px; + hyphens: auto; + overflow-wrap: break-word; + text-rendering: optimizeLegibility; + font-kerning: normal; + } + @media (max-width: 600px) { + body { + font-size: 0.9em; + padding: 1em; + } + h1 { + font-size: 1.8em; + } + } + @media print { + body { + background-color: transparent; + color: black; + font-size: 12pt; + } + p, h2, h3 { + orphans: 3; + widows: 3; + } + h2, h3, h4 { + page-break-after: avoid; + } + } + p { + margin: 1em 0; + } + a { + color: #1a1a1a; + } + a:visited { + color: #1a1a1a; + } + img { + max-width: 100%; + } + h1, h2, h3, h4, h5, h6 { + margin-top: 1.4em; + } + h5, h6 { + font-size: 1em; + font-style: italic; + } + h6 { + font-weight: normal; + } + ol, ul { + padding-left: 1.7em; + margin-top: 1em; + } + li > ol, li > ul { + margin-top: 0; + } + blockquote { + margin: 1em 0 1em 1.7em; + padding-left: 1em; + border-left: 2px solid #e6e6e6; + color: #606060; + } + code { + font-family: Menlo, Monaco, 'Lucida Console', Consolas, monospace; + font-size: 85%; + margin: 0; + } + pre { + margin: 1em 0; + overflow: auto; + } + pre code { + padding: 0; + overflow: visible; + overflow-wrap: normal; + } + .sourceCode { + background-color: transparent; + overflow: visible; + } + hr { + background-color: #1a1a1a; + border: none; + height: 1px; + margin: 1em 0; + } + table { + margin: 1em 0; + border-collapse: collapse; + width: 100%; + overflow-x: auto; + display: 
block; + font-variant-numeric: lining-nums tabular-nums; + } + table caption { + margin-bottom: 0.75em; + } + tbody { + margin-top: 0.5em; + border-top: 1px solid #1a1a1a; + border-bottom: 1px solid #1a1a1a; + } + th { + border-top: 1px solid #1a1a1a; + padding: 0.25em 0.5em 0.25em 0.5em; + } + td { + padding: 0.125em 0.5em 0.25em 0.5em; + } + header { + margin-bottom: 4em; + text-align: center; + } + #TOC li { + list-style: none; + } + #TOC ul { + padding-left: 1.3em; + } + #TOC > ul { + padding-left: 0; + } + #TOC a:not(:hover) { + text-decoration: none; + } + code{white-space: pre-wrap;} + span.smallcaps{font-variant: small-caps;} + span.underline{text-decoration: underline;} + div.column{display: inline-block; vertical-align: top; width: 50%;} + div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;} + ul.task-list{list-style: none;} + .display.math{display: block; text-align: center; margin: 0.5rem auto;} + </style> +</head> +<body> +<p>Macros are for more than just canned searches.</p> +<p>If you've never seen a macro before, read the doc page here:</p> +<p>https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Definesearchmacros</p> +<p>What that doc page doesn't tell you is that you need not just stick +any old complicated search in there. If you know how to use +<code>eval</code> you can stick any resulting text anywhere you +want.</p> +<p>Take for example, timestamping your output lookups. Let's say I have +a report that runs every 12 hours that I output to a lookup called +"vpn_users.csv," which contains all users who logged on to VPN in that +time. That report might look something like this:</p> +<pre class="spl"><code>index=syslog sourcetype=vpn + | table _time username + | outputlookup vpn_users.csv</code></pre> +<p>I can easily review that lookup like so:</p> +<p><code>| inputlookup vpn_users.csv</code></p> +<p>My boss might be happy that I'm keeping an eye on things, but what's +the historical picture? 
How do I know what's a red flag and what isn't? +What I might do is combine all of the days reports into one each day, +and then compare each today. But in the original report logic, this gets +overwritten every 12 hours. You could just append forever, but then +you're not looking at just twelve hours, unless you add a time +constraint to your search. How do I get to a daily report without +interrupting the reports already running?</p> +<p>One way to do it is to create a second combined report unique to that +day, for example 'vpn_users-2022_11_17.csv'. The way you insert that +text is with a macro, defined for the current date. For this particular +format, I can define a macro called <code>today</code> with the +following definition, which just gets the current time and formats +it:</p> +<p><code>strftime(now(), "%Y-%m-%d")</code></p> +<p>Now I literally just stick it to the end of my original search, and +set the lookup file to append, so we <em>add</em> new values rather than +overwrite them:</p> +<pre class="spl"><code>index=syslog sourcetype=vpn + | table _time username + | outputlookup vpn_users.csv + | outputlookup append=t vpn_users-`today`.csv</code></pre> +<p>That's just a super obvious implementation though; there's all sorts +of ways you might want to tag your lookups for ease of access.</p> +</body> +</html> + diff --git a/tutorials/www/how-to-use-the-internet.html b/tutorials/www/how-to-use-the-internet.html new file mode 100644 index 0000000..67a020e --- /dev/null +++ b/tutorials/www/how-to-use-the-internet.html 
@@ -0,0 +1,250 @@ +<!DOCTYPE html> +<html lang="" xml:lang="" xmlns="http://www.w3.org/1999/xhtml"> +<head> +<meta charset="utf-8"/> +<meta content="pandoc" name="generator"/> +<meta content="width=device-width, initial-scale=1.0, user-scalable=yes" name="viewport"/> +<title>how-to-use-the-internet</title> +<style> + html { + line-height: 1.5; + font-family: Georgia, serif; + font-size: 20px; + color: #1a1a1a; + background-color: #fdfdfd; + } + body { + margin: 0 auto; + max-width: 36em; + padding-left: 50px; + padding-right: 50px; + padding-top: 50px; + padding-bottom: 50px; + hyphens: auto; + overflow-wrap: break-word; + text-rendering: optimizeLegibility; + font-kerning: normal; + } + @media (max-width: 600px) { + body { + font-size: 0.9em; + padding: 1em; + } + h1 { + font-size: 1.8em; + } + } + @media print { + body { + background-color: transparent; + color: black; + font-size: 12pt; + } + p, h2, h3 { + orphans: 3; + widows: 3; + } + h2, h3, h4 { + page-break-after: avoid; + } + } + p { + margin: 1em 0; + } + a { + color: #1a1a1a; + } + a:visited { + color: #1a1a1a; + } + img { + max-width: 100%; + } + h1, h2, h3, h4, h5, h6 { + margin-top: 1.4em; + } + h5, h6 { + font-size: 1em; + font-style: italic; + } + h6 { + font-weight: normal; + } + ol, ul { + padding-left: 1.7em; + margin-top: 1em; + } + li > ol, li > ul { + margin-top: 0; + } + blockquote { + margin: 1em 0 1em 1.7em; + padding-left: 1em; + border-left: 2px solid #e6e6e6; + color: #606060; + } + code { + font-family: Menlo, Monaco, 'Lucida Console', Consolas, monospace; + font-size: 85%; + margin: 0; + } + pre { + margin: 1em 0; + overflow: auto; + } + pre code { + padding: 0; + overflow: visible; + overflow-wrap: normal; + } + .sourceCode { + background-color: transparent; + overflow: visible; + } + hr { + background-color: #1a1a1a; + border: none; + height: 1px; + margin: 1em 0; + } + table { + margin: 1em 0; + border-collapse: collapse; + width: 100%; + overflow-x: auto; + display: block; + 
font-variant-numeric: lining-nums tabular-nums; + } + table caption { + margin-bottom: 0.75em; + } + tbody { + margin-top: 0.5em; + border-top: 1px solid #1a1a1a; + border-bottom: 1px solid #1a1a1a; + } + th { + border-top: 1px solid #1a1a1a; + padding: 0.25em 0.5em 0.25em 0.5em; + } + td { + padding: 0.125em 0.5em 0.25em 0.5em; + } + header { + margin-bottom: 4em; + text-align: center; + } + #TOC li { + list-style: none; + } + #TOC ul { + padding-left: 1.3em; + } + #TOC > ul { + padding-left: 0; + } + #TOC a:not(:hover) { + text-decoration: none; + } + code{white-space: pre-wrap;} + span.smallcaps{font-variant: small-caps;} + span.underline{text-decoration: underline;} + div.column{display: inline-block; vertical-align: top; width: 50%;} + div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;} + ul.task-list{list-style: none;} + .display.math{display: block; text-align: center; margin: 0.5rem auto;} + </style> +</head> +<body> +<nav id="TOC" role="doc-toc"> +<h2 id="toc-title">Contents</h2> +<ul> +<li><a href="#why" target="_self">Why?</a></li> +<li><a href="#how-to-use-a-web-browser" target="_self">How to use a web +browser</a></li> +<li><a href="#how-to-use-a-search-engine" target="_self">How to use a search +engine</a></li> +<li><a href="#how-to-read-and-find-scholarly-articles" target="_self">How to read and +find scholarly articles</a> +<ul> +<li><a href="#how-to-use-wikipedia" target="_self">How to use Wikipedia</a></li> +<li><a href="#how-to-find-articles-with-google-scholar" target="_self">How to find +articles with Google Scholar</a></li> +</ul></li> +<li><a href="#advanced-topics" target="_self">Advanced Topics</a> +<ul> +<li><a href="#how-to-use-tor-to-browse-anonymously" target="_self">How to use tor to +browse anonymously</a></li> +</ul></li> +</ul> +</nav> +<h2 id="why">Why?</h2> +<p>Why <em>would</em> anyone want to use the Internet, really?</p> +<p>There is actually purpose to connecting all the computers in the +world with near-instant speed 
beyond just streaming television, phishing +scams, pornography, punditry, and Fortnight competitions.</p> +<p>Unfortunately, almost none of us use the Internet for it's intended +purpose: finding infomation.</p> +<p>Writing an angry tweet to a celebrity or posting a picture of your +cat seems to be second nature for most people, but converting a picture +from a PDF or looking up a study (or even a word!) you saw in an article +is something else entirely.</p> +<p>While that's in part the fault of our laziness, it's equally the +fault of what the Internet has become.</p> +<p>For one: there's just so much more <em>stuff</em> now; it's hard to +know exactly where to start and who to trust. And so much of that stuff +is now <em>garbage</em>, either in the way it's presented, with +disruptive ads that don't close correctly, or in the way it's written: +vague, misleading, or straight incorrect.</p> +<p>For two: no one really teaches you how to use this thing do they? +There are no courses on "How to use a search engine" or "How to find +good posts on a forum," and definitely not on "How to <em>write</em> +good posts on a forum." But these are exactly the kinds of skills you +really need if you want to navigate the modern world without getting +constantly distracted, misled, or totally lost.</p> +<p>There are of course, countless guides on "netiquette" geared towards +every possible internet subculture you can find. 
While many of them have +influenced this document and give many helpful tips on writing good +informative posts, none of them really go over what I think is most +important: what to do with the information you're reading.</p> +<p>This will probably be an evolving document as new services and +websites become available (or go down), but much of this material in the +beginning should be pretty generally applicable no matter what services +are available.</p> +<h2 id="how-to-use-a-web-browser">How to use a web browser</h2> +<h2 id="how-to-use-a-search-engine">How to use a search engine</h2> +<p>As for which search engine to use: you should use all of them, until +you get the results you need.</p> +<p>In my experience, none of the major search engines are particularly +good and I get inconsistent searches on all of them depending on what +I'm searching. There is a lot of preaching these days about privacy +concerns, but I don't really believe any service is more "private" than +another. These are all privacy nightmares, arguably by design. Your best +bet is just to search often and as many platforms as you can.</p> +<h2 id="how-to-read-and-find-scholarly-articles">How to read and find +scholarly articles</h2> +<h3 id="how-to-use-wikipedia">How to use Wikipedia</h3> +<p>A common complaint lodged at me whenever I recommend Wikipedia is +that it's not a source of truth since they found X mistake somewhere, or +made Y edit when they were a teenager that's still there. No one has +ever (or should ever) claim Wikipedia is a source of truth on it's own. 
+But you can use it to find more sources and maybe get a little +closer.</p> +<h3 id="how-to-find-articles-with-google-scholar">How to find articles +with Google Scholar</h3> +<h2 id="advanced-topics">Advanced Topics</h2> +<h3 id="how-to-use-tor-to-browse-anonymously">How to use tor to browse +anonymously</h3> +<p>Many in the advertising world will boast about using a VPN for +anonymity, or using a VPN in conjuction with Tor to "increase privacy." +This is simply a misunderstanding of terms. A VPN provides +<em>privacy</em> of the user's connection since it provides +encryption--only the VPN provider can "see" what is searched. The goal +of Tor is <em>anonymity</em> not privacy. Anonymity means "no one knows +who you are" not "no one knows what you're doing." Technically, traffic +is encrypted between nodes of the Tor service, so some level of privacy +is provided as well, but this is most effective when using hidden +services, not using Tor in general.</p> +</body> +</html> + |
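Review bot: typo in the second line of tutorials/splunk/.description: "trhough" should be "through", i.e. `+but sometimes you just gotta learn through comment sections. For`. The last sentence of the file also ends without a period.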
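Review bot: in i-found-out-splunk-macros-are-awesome.html the `today` macro only expands to a date string if it is saved with the "Use eval-based definition?" option checked; with a plain definition Splunk substitutes the text literally, and the final search becomes `| outputlookup append=t vpn_users-strftime(now(), "%Y-%m-%d").csv`, which is not a usable lookup filename. Add a sentence after the `strftime(now(), "%Y-%m-%d")` definition saying the macro must be eval-based. Two smaller points in the same file: the prose names the daily file 'vpn_users-2022_11_17.csv' (underscores) while the format string produces `2022-11-17` (hyphens), so one of them should change; and because `now()` is evaluated when the scheduled search is parsed, a 12-hourly run that fires at midnight will tag the preceding half-day's results with the new date, which is worth a caveat if the per-day split matters for the comparison described.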
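Review bot: the VPN paragraph in how-to-use-the-internet.html overstates what a VPN hides. A VPN encrypts only the hop between the client and the VPN provider; the provider, and everything beyond it, still sees which hosts are contacted, and the content of a search is protected by the site's TLS, not by the VPN, so "only the VPN provider can 'see' what is searched" should be reworded. The same applies to Tor: per-hop encryption ends at the exit relay, which sees plaintext unless the destination uses TLS, which is exactly why the closing point about hidden services is the right one and could be stated that way. The file also has two headings with no body ("How to use a web browser", "How to find articles with Google Scholar"); either add a placeholder line or drop them from the TOC until written. Spelling: "Fortnight competitions" should be "Fortnite", "it's intended purpose" and "on it's own" should use "its", "infomation" should be "information", and "conjuction" should be "conjunction".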