-rw-r--r--.md/tutorials/splunk/.description3
-rw-r--r--.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md56
-rw-r--r--tutorials/splunk/.description3
-rw-r--r--tutorials/splunk/i-found-out-splunk-macros-are-awesome.html201
-rw-r--r--tutorials/www/how-to-use-the-internet.html250
5 files changed, 513 insertions, 0 deletions
diff --git a/.md/tutorials/splunk/.description b/.md/tutorials/splunk/.description
new file mode 100644
index 0000000..699b696
--- /dev/null
+++ b/.md/tutorials/splunk/.description
@@ -0,0 +1,3 @@
+I use splunk a whole lot at work. As far as docs go they're not bad
+but sometimes you just gotta learn trhough comment sections. For
+questions that might not have a comment section, those answers are here
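Review bot: typo in the second line of the description, "trhough" should be "through". Since this same three-line text is added again under tutorials/splunk/.description later in the patch, fix it in both places (or keep the .md copy as the source and copy it in the build step) so the two do not drift.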
diff --git a/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md b/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md
new file mode 100644
index 0000000..5b9cff7
--- /dev/null
+++ b/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md
@@ -0,0 +1,56 @@
+Macros are for more than just canned searches.
+
+If you've never seen a macro before, read the doc page here:
+
+https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Definesearchmacros
+
+What that doc page doesn't tell you is that you need not just stick
+any old complicated search in there. If you know how to use `eval`
+you can stick any resulting text anywhere you want.
+
+Take for example, timestamping your output lookups. Let's say
+I have a report that runs every 12 hours that I output to a lookup
+called "vpn_users.csv," which contains all users who logged on to VPN
+in that time. That report might look something like this:
+
+```SPL
+index=syslog sourcetype=vpn
+ | table _time username
+ | outputlookup vpn_users.csv
+```
+
+I can easily review that lookup like so:
+
+`| inputlookup vpn_users.csv`
+
+My boss might be happy that I'm keeping an eye on things, but
+what's the historical picture? How do I know what's a red flag
+and what isn't? What I might do is combine all of the days reports
+into one each day, and then compare each today. But in the original
+report logic, this gets overwritten every 12 hours. You could just
+append forever, but then you're not looking at just twelve hours,
+unless you add a time constraint to your search. How do I get to
+a daily report without interrupting the reports already running?
+
+One way to do it is to create a second combined report unique to
+that day, for example 'vpn_users-2022_11_17.csv'. The way you
+insert that text is with a macro, defined for the current date.
+For this particular format, I can define a macro called `today`
+with the following definition, which just gets the current time
+and formats it:
+
+`strftime(now(), "%Y-%m-%d")`
+
+Now I literally just stick it to the end of my original search, and
+set the lookup file to append, so we *add* new values rather than
+overwrite them:
+
+```SPL
+index=syslog sourcetype=vpn
+ | table _time username
+ | outputlookup vpn_users.csv
+ | outputlookup append=t vpn_users-`today`.csv
+```
+
+That's just a super obvious implementation though; there's all sorts of
+ways you might want to tag your lookups for ease of access.
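Review bot: the macro definition strftime(now(), "%Y-%m-%d") only produces a date string if the macro is saved with the "Use eval-based definition" option (iseval = 1 in macros.conf). A plain search macro is substituted textually, so the argument vpn_users-`today`.csv would expand to the literal vpn_users-strftime(now(), "%Y-%m-%d").csv and outputlookup would reject the file name. The post should say so explicitly, because the linked doc page is what a reader will follow and the setting is easy to miss. Two smaller points in the same text: the example name 'vpn_users-2022_11_17.csv' uses underscores while the format string "%Y-%m-%d" yields dashes (vpn_users-2022-11-17.csv), and "and then compare each today" reads like a typo for "compare each day". The chained outputlookup itself is fine, since outputlookup passes its input events on to the next command.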
diff --git a/tutorials/splunk/.description b/tutorials/splunk/.description
new file mode 100644
index 0000000..699b696
--- /dev/null
+++ b/tutorials/splunk/.description
@@ -0,0 +1,3 @@
+I use splunk a whole lot at work. As far as docs go they're not bad
+but sometimes you just gotta learn trhough comment sections. For
+questions that might not have a comment section, those answers are here
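Review bot: this file is byte-identical to .md/tutorials/splunk/.description (both hunks report blob 699b696), including the "trhough" typo. If the html tree is generated from the .md tree, generate or copy this file in the same step rather than committing a second hand-maintained copy.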
diff --git a/tutorials/splunk/i-found-out-splunk-macros-are-awesome.html b/tutorials/splunk/i-found-out-splunk-macros-are-awesome.html
new file mode 100644
index 0000000..10e8567
--- /dev/null
+++ b/tutorials/splunk/i-found-out-splunk-macros-are-awesome.html
@@ -0,0 +1,201 @@
+<!DOCTYPE html>
+<html lang="" xml:lang="" xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta charset="utf-8"/>
+<meta content="pandoc" name="generator"/>
+<meta content="width=device-width, initial-scale=1.0, user-scalable=yes" name="viewport"/>
+<title>i-found-out-splunk-macros-are-awesome</title>
+<style>
+ html {
+ line-height: 1.5;
+ font-family: Georgia, serif;
+ font-size: 20px;
+ color: #1a1a1a;
+ background-color: #fdfdfd;
+ }
+ body {
+ margin: 0 auto;
+ max-width: 36em;
+ padding-left: 50px;
+ padding-right: 50px;
+ padding-top: 50px;
+ padding-bottom: 50px;
+ hyphens: auto;
+ overflow-wrap: break-word;
+ text-rendering: optimizeLegibility;
+ font-kerning: normal;
+ }
+ @media (max-width: 600px) {
+ body {
+ font-size: 0.9em;
+ padding: 1em;
+ }
+ h1 {
+ font-size: 1.8em;
+ }
+ }
+ @media print {
+ body {
+ background-color: transparent;
+ color: black;
+ font-size: 12pt;
+ }
+ p, h2, h3 {
+ orphans: 3;
+ widows: 3;
+ }
+ h2, h3, h4 {
+ page-break-after: avoid;
+ }
+ }
+ p {
+ margin: 1em 0;
+ }
+ a {
+ color: #1a1a1a;
+ }
+ a:visited {
+ color: #1a1a1a;
+ }
+ img {
+ max-width: 100%;
+ }
+ h1, h2, h3, h4, h5, h6 {
+ margin-top: 1.4em;
+ }
+ h5, h6 {
+ font-size: 1em;
+ font-style: italic;
+ }
+ h6 {
+ font-weight: normal;
+ }
+ ol, ul {
+ padding-left: 1.7em;
+ margin-top: 1em;
+ }
+ li > ol, li > ul {
+ margin-top: 0;
+ }
+ blockquote {
+ margin: 1em 0 1em 1.7em;
+ padding-left: 1em;
+ border-left: 2px solid #e6e6e6;
+ color: #606060;
+ }
+ code {
+ font-family: Menlo, Monaco, 'Lucida Console', Consolas, monospace;
+ font-size: 85%;
+ margin: 0;
+ }
+ pre {
+ margin: 1em 0;
+ overflow: auto;
+ }
+ pre code {
+ padding: 0;
+ overflow: visible;
+ overflow-wrap: normal;
+ }
+ .sourceCode {
+ background-color: transparent;
+ overflow: visible;
+ }
+ hr {
+ background-color: #1a1a1a;
+ border: none;
+ height: 1px;
+ margin: 1em 0;
+ }
+ table {
+ margin: 1em 0;
+ border-collapse: collapse;
+ width: 100%;
+ overflow-x: auto;
+ display: block;
+ font-variant-numeric: lining-nums tabular-nums;
+ }
+ table caption {
+ margin-bottom: 0.75em;
+ }
+ tbody {
+ margin-top: 0.5em;
+ border-top: 1px solid #1a1a1a;
+ border-bottom: 1px solid #1a1a1a;
+ }
+ th {
+ border-top: 1px solid #1a1a1a;
+ padding: 0.25em 0.5em 0.25em 0.5em;
+ }
+ td {
+ padding: 0.125em 0.5em 0.25em 0.5em;
+ }
+ header {
+ margin-bottom: 4em;
+ text-align: center;
+ }
+ #TOC li {
+ list-style: none;
+ }
+ #TOC ul {
+ padding-left: 1.3em;
+ }
+ #TOC > ul {
+ padding-left: 0;
+ }
+ #TOC a:not(:hover) {
+ text-decoration: none;
+ }
+ code{white-space: pre-wrap;}
+ span.smallcaps{font-variant: small-caps;}
+ span.underline{text-decoration: underline;}
+ div.column{display: inline-block; vertical-align: top; width: 50%;}
+ div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
+ ul.task-list{list-style: none;}
+ .display.math{display: block; text-align: center; margin: 0.5rem auto;}
+ </style>
+</head>
+<body>
+<p>Macros are for more than just canned searches.</p>
+<p>If you've never seen a macro before, read the doc page here:</p>
+<p>https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Definesearchmacros</p>
+<p>What that doc page doesn't tell you is that you need not just stick
+any old complicated search in there. If you know how to use
+<code>eval</code> you can stick any resulting text anywhere you
+want.</p>
+<p>Take for example, timestamping your output lookups. Let's say I have
+a report that runs every 12 hours that I output to a lookup called
+"vpn_users.csv," which contains all users who logged on to VPN in that
+time. That report might look something like this:</p>
+<pre class="spl"><code>index=syslog sourcetype=vpn
+ | table _time username
+ | outputlookup vpn_users.csv</code></pre>
+<p>I can easily review that lookup like so:</p>
+<p><code>| inputlookup vpn_users.csv</code></p>
+<p>My boss might be happy that I'm keeping an eye on things, but what's
+the historical picture? How do I know what's a red flag and what isn't?
+What I might do is combine all of the days reports into one each day,
+and then compare each today. But in the original report logic, this gets
+overwritten every 12 hours. You could just append forever, but then
+you're not looking at just twelve hours, unless you add a time
+constraint to your search. How do I get to a daily report without
+interrupting the reports already running?</p>
+<p>One way to do it is to create a second combined report unique to that
+day, for example 'vpn_users-2022_11_17.csv'. The way you insert that
+text is with a macro, defined for the current date. For this particular
+format, I can define a macro called <code>today</code> with the
+following definition, which just gets the current time and formats
+it:</p>
+<p><code>strftime(now(), "%Y-%m-%d")</code></p>
+<p>Now I literally just stick it to the end of my original search, and
+set the lookup file to append, so we <em>add</em> new values rather than
+overwrite them:</p>
+<pre class="spl"><code>index=syslog sourcetype=vpn
+ | table _time username
+ | outputlookup vpn_users.csv
+ | outputlookup append=t vpn_users-`today`.csv</code></pre>
+<p>That's just a super obvious implementation though; there's all sorts
+of ways you might want to tag your lookups for ease of access.</p>
+</body>
+</html>
+
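Review bot: the root element is emitted as <html lang="" xml:lang=""> with an empty language, which defeats the hyphens: auto rule in the stylesheet and gives screen readers nothing to work with; pass -M lang=en to pandoc (or set it in the markdown metadata) so the attribute is populated. The ~150 lines of inline CSS are pandoc's default stylesheet and will be repeated verbatim in every page built this way (the next file in this patch carries the identical block); pointing pandoc at a shared stylesheet with --css keeps each page small and lets a style fix land once. Lastly the Splunk doc URL is rendered as plain text inside a <p> rather than as a link; wrapping it in angle brackets in the markdown source makes pandoc emit an <a>. The underscore-versus-dash file name inconsistency from the markdown source is reproduced here as well.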
diff --git a/tutorials/www/how-to-use-the-internet.html b/tutorials/www/how-to-use-the-internet.html
new file mode 100644
index 0000000..67a020e
--- /dev/null
+++ b/tutorials/www/how-to-use-the-internet.html
@@ -0,0 +1,250 @@
+<!DOCTYPE html>
+<html lang="" xml:lang="" xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta charset="utf-8"/>
+<meta content="pandoc" name="generator"/>
+<meta content="width=device-width, initial-scale=1.0, user-scalable=yes" name="viewport"/>
+<title>how-to-use-the-internet</title>
+<style>
+ html {
+ line-height: 1.5;
+ font-family: Georgia, serif;
+ font-size: 20px;
+ color: #1a1a1a;
+ background-color: #fdfdfd;
+ }
+ body {
+ margin: 0 auto;
+ max-width: 36em;
+ padding-left: 50px;
+ padding-right: 50px;
+ padding-top: 50px;
+ padding-bottom: 50px;
+ hyphens: auto;
+ overflow-wrap: break-word;
+ text-rendering: optimizeLegibility;
+ font-kerning: normal;
+ }
+ @media (max-width: 600px) {
+ body {
+ font-size: 0.9em;
+ padding: 1em;
+ }
+ h1 {
+ font-size: 1.8em;
+ }
+ }
+ @media print {
+ body {
+ background-color: transparent;
+ color: black;
+ font-size: 12pt;
+ }
+ p, h2, h3 {
+ orphans: 3;
+ widows: 3;
+ }
+ h2, h3, h4 {
+ page-break-after: avoid;
+ }
+ }
+ p {
+ margin: 1em 0;
+ }
+ a {
+ color: #1a1a1a;
+ }
+ a:visited {
+ color: #1a1a1a;
+ }
+ img {
+ max-width: 100%;
+ }
+ h1, h2, h3, h4, h5, h6 {
+ margin-top: 1.4em;
+ }
+ h5, h6 {
+ font-size: 1em;
+ font-style: italic;
+ }
+ h6 {
+ font-weight: normal;
+ }
+ ol, ul {
+ padding-left: 1.7em;
+ margin-top: 1em;
+ }
+ li > ol, li > ul {
+ margin-top: 0;
+ }
+ blockquote {
+ margin: 1em 0 1em 1.7em;
+ padding-left: 1em;
+ border-left: 2px solid #e6e6e6;
+ color: #606060;
+ }
+ code {
+ font-family: Menlo, Monaco, 'Lucida Console', Consolas, monospace;
+ font-size: 85%;
+ margin: 0;
+ }
+ pre {
+ margin: 1em 0;
+ overflow: auto;
+ }
+ pre code {
+ padding: 0;
+ overflow: visible;
+ overflow-wrap: normal;
+ }
+ .sourceCode {
+ background-color: transparent;
+ overflow: visible;
+ }
+ hr {
+ background-color: #1a1a1a;
+ border: none;
+ height: 1px;
+ margin: 1em 0;
+ }
+ table {
+ margin: 1em 0;
+ border-collapse: collapse;
+ width: 100%;
+ overflow-x: auto;
+ display: block;
+ font-variant-numeric: lining-nums tabular-nums;
+ }
+ table caption {
+ margin-bottom: 0.75em;
+ }
+ tbody {
+ margin-top: 0.5em;
+ border-top: 1px solid #1a1a1a;
+ border-bottom: 1px solid #1a1a1a;
+ }
+ th {
+ border-top: 1px solid #1a1a1a;
+ padding: 0.25em 0.5em 0.25em 0.5em;
+ }
+ td {
+ padding: 0.125em 0.5em 0.25em 0.5em;
+ }
+ header {
+ margin-bottom: 4em;
+ text-align: center;
+ }
+ #TOC li {
+ list-style: none;
+ }
+ #TOC ul {
+ padding-left: 1.3em;
+ }
+ #TOC > ul {
+ padding-left: 0;
+ }
+ #TOC a:not(:hover) {
+ text-decoration: none;
+ }
+ code{white-space: pre-wrap;}
+ span.smallcaps{font-variant: small-caps;}
+ span.underline{text-decoration: underline;}
+ div.column{display: inline-block; vertical-align: top; width: 50%;}
+ div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
+ ul.task-list{list-style: none;}
+ .display.math{display: block; text-align: center; margin: 0.5rem auto;}
+ </style>
+</head>
+<body>
+<nav id="TOC" role="doc-toc">
+<h2 id="toc-title">Contents</h2>
+<ul>
+<li><a href="#why" target="_self">Why?</a></li>
+<li><a href="#how-to-use-a-web-browser" target="_self">How to use a web
+browser</a></li>
+<li><a href="#how-to-use-a-search-engine" target="_self">How to use a search
+engine</a></li>
+<li><a href="#how-to-read-and-find-scholarly-articles" target="_self">How to read and
+find scholarly articles</a>
+<ul>
+<li><a href="#how-to-use-wikipedia" target="_self">How to use Wikipedia</a></li>
+<li><a href="#how-to-find-articles-with-google-scholar" target="_self">How to find
+articles with Google Scholar</a></li>
+</ul></li>
+<li><a href="#advanced-topics" target="_self">Advanced Topics</a>
+<ul>
+<li><a href="#how-to-use-tor-to-browse-anonymously" target="_self">How to use tor to
+browse anonymously</a></li>
+</ul></li>
+</ul>
+</nav>
+<h2 id="why">Why?</h2>
+<p>Why <em>would</em> anyone want to use the Internet, really?</p>
+<p>There is actually purpose to connecting all the computers in the
+world with near-instant speed beyond just streaming television, phishing
+scams, pornography, punditry, and Fortnight competitions.</p>
+<p>Unfortunately, almost none of us use the Internet for it's intended
+purpose: finding infomation.</p>
+<p>Writing an angry tweet to a celebrity or posting a picture of your
+cat seems to be second nature for most people, but converting a picture
+from a PDF or looking up a study (or even a word!) you saw in an article
+is something else entirely.</p>
+<p>While that's in part the fault of our laziness, it's equally the
+fault of what the Internet has become.</p>
+<p>For one: there's just so much more <em>stuff</em> now; it's hard to
+know exactly where to start and who to trust. And so much of that stuff
+is now <em>garbage</em>, either in the way it's presented, with
+disruptive ads that don't close correctly, or in the way it's written:
+vague, misleading, or straight incorrect.</p>
+<p>For two: no one really teaches you how to use this thing do they?
+There are no courses on "How to use a search engine" or "How to find
+good posts on a forum," and definitely not on "How to <em>write</em>
+good posts on a forum." But these are exactly the kinds of skills you
+really need if you want to navigate the modern world without getting
+constantly distracted, misled, or totally lost.</p>
+<p>There are of course, countless guides on "netiquette" geared towards
+every possible internet subculture you can find. While many of them have
+influenced this document and give many helpful tips on writing good
+informative posts, none of them really go over what I think is most
+important: what to do with the information you're reading.</p>
+<p>This will probably be an evolving document as new services and
+websites become available (or go down), but much of this material in the
+beginning should be pretty generally applicable no matter what services
+are available.</p>
+<h2 id="how-to-use-a-web-browser">How to use a web browser</h2>
+<h2 id="how-to-use-a-search-engine">How to use a search engine</h2>
+<p>As for which search engine to use: you should use all of them, until
+you get the results you need.</p>
+<p>In my experience, none of the major search engines are particularly
+good and I get inconsistent searches on all of them depending on what
+I'm searching. There is a lot of preaching these days about privacy
+concerns, but I don't really believe any service is more "private" than
+another. These are all privacy nightmares, arguably by design. Your best
+bet is just to search often and as many platforms as you can.</p>
+<h2 id="how-to-read-and-find-scholarly-articles">How to read and find
+scholarly articles</h2>
+<h3 id="how-to-use-wikipedia">How to use Wikipedia</h3>
+<p>A common complaint lodged at me whenever I recommend Wikipedia is
+that it's not a source of truth since they found X mistake somewhere, or
+made Y edit when they were a teenager that's still there. No one has
+ever (or should ever) claim Wikipedia is a source of truth on it's own.
+But you can use it to find more sources and maybe get a little
+closer.</p>
+<h3 id="how-to-find-articles-with-google-scholar">How to find articles
+with Google Scholar</h3>
+<h2 id="advanced-topics">Advanced Topics</h2>
+<h3 id="how-to-use-tor-to-browse-anonymously">How to use tor to browse
+anonymously</h3>
+<p>Many in the advertising world will boast about using a VPN for
+anonymity, or using a VPN in conjuction with Tor to "increase privacy."
+This is simply a misunderstanding of terms. A VPN provides
+<em>privacy</em> of the user's connection since it provides
+encryption--only the VPN provider can "see" what is searched. The goal
+of Tor is <em>anonymity</em> not privacy. Anonymity means "no one knows
+who you are" not "no one knows what you're doing." Technically, traffic
+is encrypted between nodes of the Tor service, so some level of privacy
+is provided as well, but this is most effective when using hidden
+services, not using Tor in general.</p>
+</body>
+</html>
+
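Review bot: the VPN/Tor paragraph in the last section overstates what each tool hides. A VPN only encrypts the hop between the user and the provider, so everything past the provider (the destination site, its CDN, any network on the way) sees the same traffic it always would, and whether the provider itself can read what is searched depends on whether the site uses TLS, not on the VPN; "only the VPN provider can see what is searched" should be narrowed to "the provider sees which sites you connect to, and the local network no longer does". Likewise "traffic is encrypted between nodes of the Tor service" should say that Tor's layered encryption is removed at the exit relay, so an exit sees plaintext unless the destination uses HTTPS; that is exactly why the closing point about hidden (onion) services is right, since such a circuit never leaves the Tor network. Structural issue: "How to use a web browser" and "How to find articles with Google Scholar" are headings with no body, yet the TOC links to them; either add a placeholder sentence or drop them from the TOC until written. Spelling: "Fortnight" is presumably the game "Fortnite", "it's intended purpose" and "on it's own" should be "its", "infomation" and "conjuction" are missing letters. The same empty lang="" attribute as in the previous file applies here.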