Diffstat (limited to '.md/tutorials/splunk')
-rw-r--r--  .md/tutorials/splunk/.description                                 3
-rw-r--r--  .md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md    56
2 files changed, 59 insertions, 0 deletions
diff --git a/.md/tutorials/splunk/.description b/.md/tutorials/splunk/.description new file mode 100644 index 0000000..699b696 --- /dev/null +++ b/.md/tutorials/splunk/.description @@ -0,0 +1,3 @@ +I use splunk a whole lot at work. As far as docs go they're not bad +but sometimes you just gotta learn trhough comment sections. For +questions that might not have a comment section, those answers are here diff --git a/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md b/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md new file mode 100644 index 0000000..5b9cff7 --- /dev/null +++ b/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md 
@@ -0,0 +1,56 @@ +Macros are for more than just canned searches. + +If you've never seen a macro before, read the doc page here: + +https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Definesearchmacros + +What that doc page doesn't tell you is that you need not just stick +any old complicated search in there. If you know how to use `eval` +you can stick any resulting text anywhere you want. + +Take for example, timestamping your output lookups. Let's say +I have a report that runs every 12 hours that I output to a lookup +called "vpn_users.csv," which contains all users who logged on to VPN +in that time. That report might look something like this: + +```SPL +index=syslog sourcetype=vpn + | table _time username + | outputlookup vpn_users.csv +``` + +I can easily review that lookup like so: + +`| inputlookup vpn_users.csv` + +My boss might be happy that I'm keeping an eye on things, but +what's the historical picture? How do I know what's a red flag +and what isn't? What I might do is combine all of the days reports +into one each day, and then compare each today. But in the original +report logic, this gets overwritten every 12 hours. You could just +append forever, but then you're not looking at just twelve hours, +unless you add a time constraint to your search. How do I get to +a daily report without interrupting the reports already running? + +One way to do it is to create a second combined report unique to +that day, for example 'vpn_users-2022_11_17.csv'. The way you +insert that text is with a macro, defined for the current date. 
+For this particular format, I can define a macro called `today` +with the following definition, which just gets the current time +and formats it: + +`strftime(now(), "%Y-%m-%d")` + +Now I literally just stick it to the end of my original search, and +set the lookup file to append, so we *add* new values rather than +overwrite them: + +```SPL +index=syslog sourcetype=vpn + | table _time username + | outputlookup vpn_users.csv + | outputlookup append=t vpn_users-`today`.csv +``` + +That's just a super obvious implementation though; there's all sorts of +ways you might want to tag your lookups for ease of access. |
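Review bot: typo in the second added line of the .description hunk: "trhough" should be "through". The product name on the first line is normally written "Splunk" rather than "splunk".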
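Review bot: as written, the `today` macro will not expand to a date unless it is saved as an eval-based macro, and the text never says so. `strftime(now(), "%Y-%m-%d")` is an eval expression; a plain search macro substitutes its definition text verbatim, so `| outputlookup append=t vpn_users-`today`.csv` would be sent to the parser as `vpn_users-strftime(now(), "%Y-%m-%d").csv`. Enable "Use eval-based definition" when creating the macro (`iseval = 1` in macros.conf) and mention it next to the definition. Related inconsistency in the same hunk: the example filename 'vpn_users-2022_11_17.csv' uses underscores, but the format string produces '2022-11-17'; make the two agree so the reader can find the file the search actually writes. Minor wording: "the days reports" should be "the day's reports", and "compare each today" looks like a slip (perhaps "compare each to today").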