Diffstat (limited to '.md/tutorials/splunk')
-rw-r--r--  .md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md  15
1 files changed, 9 insertions, 6 deletions
diff --git a/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md b/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md
index 5b9cff7..0ed3842 100644
--- a/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md
+++ b/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md
@@ -25,12 +25,15 @@ I can easily review that lookup like so:
My boss might be happy that I'm keeping an eye on things, but
what's the historical picture? How do I know what's a red flag
-and what isn't? What I might do is combine all of the days reports
-into one each day, and then compare each today. But in the original
-report logic, this gets overwritten every 12 hours. You could just
-append forever, but then you're not looking at just twelve hours,
-unless you add a time constraint to your search. How do I get to
-a daily report without interrupting the reports already running?
+and what isn't?
+
+What I might do is combine all of the days' reports
+into one each day, and then compare each one to today's. But
+in the original report logic, this gets overwritten every
+12 hours. You could just append forever, but then you're not
+looking at just twelve hours, unless you add a time constraint
+to your search. How do I get to a daily report without interrupting
+the reports already running?
One way to do it is to create a second combined report unique to
that day, for example 'vpn_users-2022_11_17.csv'. The way you
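Review bot: the new blank line inserted at "+and what isn't?" / "+" splits the question into its own paragraph, but the end of the rewritten block ("+the reports already running?") still runs directly into the unchanged context line "One way to do it is to create a second combined report unique to" with no blank line, so in Markdown those two sentences stay fused into one paragraph while the sentence before them gets its own. For consistency with the break just introduced, add a blank line before "One way to do it is to create a second combined report unique to" so the question and the proposed solution render as separate paragraphs. The wording fixes in the hunk ("days' reports", "compare each one to today's") read correctly and need no further change.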