From 60d2e9d3e0c744bd331dec4a39e21e195a43738b Mon Sep 17 00:00:00 2001 From: mjfernez Date: Sun, 24 Mar 2024 18:38:04 -0400 Subject: ADD CATS --- .../splunk/i-found-out-splunk-macros-are-awesome.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to '.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md') diff --git a/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md b/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md index 5b9cff7..0ed3842 100644 --- a/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md +++ b/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md @@ -25,12 +25,15 @@ I can easily review that lookup like so: My boss might be happy that I'm keeping an eye on things, but what's the historical picture? How do I know what's a red flag -and what isn't? What I might do is combine all of the days reports -into one each day, and then compare each today. But in the original -report logic, this gets overwritten every 12 hours. You could just -append forever, but then you're not looking at just twelve hours, -unless you add a time constraint to your search. How do I get to -a daily report without interrupting the reports already running? +and what isn't? + +What I might do is combine all of the days' reports +into one each day, and then compare each one to today's. But +in the original report logic, this gets overwritten every +12 hours. You could just append forever, but then you're not +looking at just twelve hours, unless you add a time constraint +to your search. How do I get to a daily report without interrupting +the reports already running? One way to do it is to create a second combined report unique to that day, for example 'vpn_users-2022_11_17.csv'. The way you -- cgit v1.2.3
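Review bot: the commit subject "ADD CATS" does not describe what this hunk does, which is only to split one paragraph in two and tighten its wording ("days reports" becomes "days' reports", "compare each today" becomes "compare each one to today's"); a subject such as "Fix wording in Splunk macros tutorial" would keep the history searchable. The wording change itself reads correctly and the surrounding context lines are unchanged.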