Diffstat (limited to 'tutorials/splunk/i-found-out-splunk-macros-are-awesome.html')
-rw-r--r--tutorials/splunk/i-found-out-splunk-macros-are-awesome.html201
1 files changed, 201 insertions, 0 deletions
diff --git a/tutorials/splunk/i-found-out-splunk-macros-are-awesome.html b/tutorials/splunk/i-found-out-splunk-macros-are-awesome.html
new file mode 100644
index 0000000..10e8567
--- /dev/null
+++ b/tutorials/splunk/i-found-out-splunk-macros-are-awesome.html
@@ -0,0 +1,201 @@
+<!DOCTYPE html>
+<html lang="" xml:lang="" xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta charset="utf-8"/>
+<meta content="pandoc" name="generator"/>
+<meta content="width=device-width, initial-scale=1.0, user-scalable=yes" name="viewport"/>
+<title>i-found-out-splunk-macros-are-awesome</title>
+<style>
+ html {
+ line-height: 1.5;
+ font-family: Georgia, serif;
+ font-size: 20px;
+ color: #1a1a1a;
+ background-color: #fdfdfd;
+ }
+ body {
+ margin: 0 auto;
+ max-width: 36em;
+ padding-left: 50px;
+ padding-right: 50px;
+ padding-top: 50px;
+ padding-bottom: 50px;
+ hyphens: auto;
+ overflow-wrap: break-word;
+ text-rendering: optimizeLegibility;
+ font-kerning: normal;
+ }
+ @media (max-width: 600px) {
+ body {
+ font-size: 0.9em;
+ padding: 1em;
+ }
+ h1 {
+ font-size: 1.8em;
+ }
+ }
+ @media print {
+ body {
+ background-color: transparent;
+ color: black;
+ font-size: 12pt;
+ }
+ p, h2, h3 {
+ orphans: 3;
+ widows: 3;
+ }
+ h2, h3, h4 {
+ page-break-after: avoid;
+ }
+ }
+ p {
+ margin: 1em 0;
+ }
+ a {
+ color: #1a1a1a;
+ }
+ a:visited {
+ color: #1a1a1a;
+ }
+ img {
+ max-width: 100%;
+ }
+ h1, h2, h3, h4, h5, h6 {
+ margin-top: 1.4em;
+ }
+ h5, h6 {
+ font-size: 1em;
+ font-style: italic;
+ }
+ h6 {
+ font-weight: normal;
+ }
+ ol, ul {
+ padding-left: 1.7em;
+ margin-top: 1em;
+ }
+ li > ol, li > ul {
+ margin-top: 0;
+ }
+ blockquote {
+ margin: 1em 0 1em 1.7em;
+ padding-left: 1em;
+ border-left: 2px solid #e6e6e6;
+ color: #606060;
+ }
+ code {
+ font-family: Menlo, Monaco, 'Lucida Console', Consolas, monospace;
+ font-size: 85%;
+ margin: 0;
+ }
+ pre {
+ margin: 1em 0;
+ overflow: auto;
+ }
+ pre code {
+ padding: 0;
+ overflow: visible;
+ overflow-wrap: normal;
+ }
+ .sourceCode {
+ background-color: transparent;
+ overflow: visible;
+ }
+ hr {
+ background-color: #1a1a1a;
+ border: none;
+ height: 1px;
+ margin: 1em 0;
+ }
+ table {
+ margin: 1em 0;
+ border-collapse: collapse;
+ width: 100%;
+ overflow-x: auto;
+ display: block;
+ font-variant-numeric: lining-nums tabular-nums;
+ }
+ table caption {
+ margin-bottom: 0.75em;
+ }
+ tbody {
+ margin-top: 0.5em;
+ border-top: 1px solid #1a1a1a;
+ border-bottom: 1px solid #1a1a1a;
+ }
+ th {
+ border-top: 1px solid #1a1a1a;
+ padding: 0.25em 0.5em 0.25em 0.5em;
+ }
+ td {
+ padding: 0.125em 0.5em 0.25em 0.5em;
+ }
+ header {
+ margin-bottom: 4em;
+ text-align: center;
+ }
+ #TOC li {
+ list-style: none;
+ }
+ #TOC ul {
+ padding-left: 1.3em;
+ }
+ #TOC > ul {
+ padding-left: 0;
+ }
+ #TOC a:not(:hover) {
+ text-decoration: none;
+ }
+ code{white-space: pre-wrap;}
+ span.smallcaps{font-variant: small-caps;}
+ span.underline{text-decoration: underline;}
+ div.column{display: inline-block; vertical-align: top; width: 50%;}
+ div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
+ ul.task-list{list-style: none;}
+ .display.math{display: block; text-align: center; margin: 0.5rem auto;}
+ </style>
+</head>
+<body>
+<p>Macros are for more than just canned searches.</p>
+<p>If you've never seen a macro before, read the doc page here:</p>
+<p>https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Definesearchmacros</p>
+<p>What that doc page doesn't tell you is that you need not just stick
+any old complicated search in there. If you know how to use
+<code>eval</code> you can stick any resulting text anywhere you
+want.</p>
+<p>Take for example, timestamping your output lookups. Let's say I have
+a report that runs every 12 hours that I output to a lookup called
+"vpn_users.csv," which contains all users who logged on to VPN in that
+time. That report might look something like this:</p>
+<pre class="spl"><code>index=syslog sourcetype=vpn
+ | table _time username
+ | outputlookup vpn_users.csv</code></pre>
+<p>I can easily review that lookup like so:</p>
+<p><code>| inputlookup vpn_users.csv</code></p>
+<p>My boss might be happy that I'm keeping an eye on things, but what's
+the historical picture? How do I know what's a red flag and what isn't?
+What I might do is combine all of the days reports into one each day,
+and then compare each today. But in the original report logic, this gets
+overwritten every 12 hours. You could just append forever, but then
+you're not looking at just twelve hours, unless you add a time
+constraint to your search. How do I get to a daily report without
+interrupting the reports already running?</p>
+<p>One way to do it is to create a second combined report unique to that
+day, for example 'vpn_users-2022_11_17.csv'. The way you insert that
+text is with a macro, defined for the current date. For this particular
+format, I can define a macro called <code>today</code> with the
+following definition, which just gets the current time and formats
+it:</p>
+<p><code>strftime(now(), "%Y-%m-%d")</code></p>
+<p>Now I literally just stick it to the end of my original search, and
+set the lookup file to append, so we <em>add</em> new values rather than
+overwrite them:</p>
+<pre class="spl"><code>index=syslog sourcetype=vpn
+ | table _time username
+ | outputlookup vpn_users.csv
+ | outputlookup append=t vpn_users-`today`.csv</code></pre>
+<p>That's just a super obvious implementation though; there's all sorts
+of ways you might want to tag your lookups for ease of access.</p>
+</body>
+</html>
+
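Review bot: the `today` macro, defined as `<p><code>strftime(now(), "%Y-%m-%d")</code></p>` and used in `| outputlookup append=t vpn_users-`today`.csv`, only does what the text claims if it is saved as an eval-based macro (the "Use eval-based definition?" checkbox in the UI, `iseval = 1` in macros.conf), and the page never says so. A plain macro is substituted verbatim, so the search would expand to `| outputlookup append=t vpn_users-strftime(now(), "%Y-%m-%d").csv`, and `outputlookup` takes a literal file name and does not evaluate eval expressions; suggest adding a sentence after the definition stating that the macro must be marked eval-based so Splunk evaluates it to a string such as `2022-11-17` before the search runs. Two smaller points: the prose example `'vpn_users-2022_11_17.csv'` uses underscores while `%Y-%m-%d` produces hyphens, so the file actually written is `vpn_users-2022-11-17.csv` (pick one form); and `now()` is evaluated when the search is parsed, in the time zone of the user or scheduler running it, so a report scheduled close to midnight can land in the previous or next day's file, which deserves a one-line caveat. Minor wording: "compare each today" in the motivation paragraph reads as a typo for "compare each to today".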