Diffstat (limited to '.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md')
-rw-r--r--  .md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md  15
1 files changed, 9 insertions, 6 deletions
diff --git a/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md b/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md index 5b9cff7..0ed3842 100644 --- a/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md +++ b/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md @@ -25,12 +25,15 @@ I can easily review that lookup like so: My boss might be happy that I'm keeping an eye on things, but what's the historical picture? How do I know what's a red flag -and what isn't? What I might do is combine all of the days reports -into one each day, and then compare each today. But in the original -report logic, this gets overwritten every 12 hours. You could just -append forever, but then you're not looking at just twelve hours, -unless you add a time constraint to your search. How do I get to -a daily report without interrupting the reports already running? +and what isn't? + +What I might do is combine all of the days' reports +into one each day, and then compare each one to today's. But +in the original report logic, this gets overwritten every +12 hours. You could just append forever, but then you're not +looking at just twelve hours, unless you add a time constraint +to your search. How do I get to a daily report without interrupting +the reports already running? One way to do it is to create a second combined report unique to that day, for example 'vpn_users-2022_11_17.csv'. The way you |
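Review bot: The rewritten paragraph still mixes "every 12 hours" and "just twelve hours" in back-to-back sentences; pick one form for the whole paragraph. The opening sentence of the new paragraph is also still hard to parse: "combine all of the days' reports into one each day, and then compare each one to today's" leaves it unclear whether "each one" is a day or a report. Something like "merge each day's twelve-hour reports into one file per day, and then compare each earlier day's file with today's" says the same thing unambiguously and sets up the `vpn_users-2022_11_17.csv` example in the following paragraph.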