From bcf5aeb7b77ae0d0c376c99249b60ab151f9d19c Mon Sep 17 00:00:00 2001 From: mjfernez Date: Sun, 22 Oct 2023 21:59:40 -0400 Subject: Add first splunk tutorials --- .md/tutorials/splunk/.description | 3 + .../i-found-out-splunk-macros-are-awesome.md | 56 +++++ tutorials/splunk/.description | 3 + .../i-found-out-splunk-macros-are-awesome.html | 201 +++++++++++++++++ tutorials/www/how-to-use-the-internet.html | 250 +++++++++++++++++++++ 5 files changed, 513 insertions(+) create mode 100644 .md/tutorials/splunk/.description create mode 100644 .md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md create mode 100644 tutorials/splunk/.description create mode 100644 tutorials/splunk/i-found-out-splunk-macros-are-awesome.html create mode 100644 tutorials/www/how-to-use-the-internet.html diff --git a/.md/tutorials/splunk/.description b/.md/tutorials/splunk/.description new file mode 100644 index 0000000..699b696 --- /dev/null +++ b/.md/tutorials/splunk/.description @@ -0,0 +1,3 @@ +I use splunk a whole lot at work. As far as docs go they're not bad +but sometimes you just gotta learn trhough comment sections. For +questions that might not have a comment section, those answers are here diff --git a/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md b/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md new file mode 100644 index 0000000..5b9cff7 --- /dev/null +++ b/.md/tutorials/splunk/i-found-out-splunk-macros-are-awesome.md 
@@ -0,0 +1,56 @@ +Macros are for more than just canned searches. + +If you've never seen a macro before, read the doc page here: + +https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Definesearchmacros + +What that doc page doesn't tell you is that you need not just stick +any old complicated search in there. If you know how to use `eval` +you can stick any resulting text anywhere you want. + +Take for example, timestamping your output lookups. Let's say +I have a report that runs every 12 hours that I output to a lookup +called "vpn_users.csv," which contains all users who logged on to VPN +in that time. That report might look something like this: + +```SPL +index=syslog sourcetype=vpn + | table _time username + | outputlookup vpn_users.csv +``` + +I can easily review that lookup like so: + +`| inputlookup vpn_users.csv` + +My boss might be happy that I'm keeping an eye on things, but +what's the historical picture? How do I know what's a red flag +and what isn't? What I might do is combine all of the days reports +into one each day, and then compare each today. But in the original +report logic, this gets overwritten every 12 hours. You could just +append forever, but then you're not looking at just twelve hours, +unless you add a time constraint to your search. How do I get to +a daily report without interrupting the reports already running? + +One way to do it is to create a second combined report unique to +that day, for example 'vpn_users-2022_11_17.csv'. The way you +insert that text is with a macro, defined for the current date. 
+For this particular format, I can define a macro called `today` +with the following definition, which just gets the current time +and formats it: + +`strftime(now(), "%Y-%m-%d")` + +Now I literally just stick it to the end of my original search, and +set the lookup file to append, so we *add* new values rather than +overwrite them: + +```SPL +index=syslog sourcetype=vpn + | table _time username + | outputlookup vpn_users.csv + | outputlookup append=t vpn_users-`today`.csv +``` + +That's just a super obvious implementation though; there's all sorts of +ways you might want to tag your lookups for ease of access. diff --git a/tutorials/splunk/.description b/tutorials/splunk/.description new file mode 100644 index 0000000..699b696 --- /dev/null +++ b/tutorials/splunk/.description @@ -0,0 +1,3 @@ +I use splunk a whole lot at work. As far as docs go they're not bad +but sometimes you just gotta learn trhough comment sections. For +questions that might not have a comment section, those answers are here diff --git a/tutorials/splunk/i-found-out-splunk-macros-are-awesome.html b/tutorials/splunk/i-found-out-splunk-macros-are-awesome.html new file mode 100644 index 0000000..10e8567 --- /dev/null +++ b/tutorials/splunk/i-found-out-splunk-macros-are-awesome.html @@ -0,0 +1,201 @@ + + + + + + +i-found-out-splunk-macros-are-awesome + + + +

Macros are for more than just canned searches.

+

If you've never seen a macro before, read the doc page here:

+

https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Definesearchmacros

+

What that doc page doesn't tell you is that you need not just stick +any old complicated search in there. If you know how to use +eval you can stick any resulting text anywhere you +want.

+

Take for example, timestamping your output lookups. Let's say I have +a report that runs every 12 hours that I output to a lookup called +"vpn_users.csv," which contains all users who logged on to VPN in that +time. That report might look something like this:

+
index=syslog sourcetype=vpn
+    | table _time username 
+    | outputlookup vpn_users.csv
+

I can easily review that lookup like so:

+

| inputlookup vpn_users.csv

+

My boss might be happy that I'm keeping an eye on things, but what's +the historical picture? How do I know what's a red flag and what isn't? +What I might do is combine all of the days reports into one each day, +and then compare each today. But in the original report logic, this gets +overwritten every 12 hours. You could just append forever, but then +you're not looking at just twelve hours, unless you add a time +constraint to your search. How do I get to a daily report without +interrupting the reports already running?

+

One way to do it is to create a second combined report unique to that +day, for example 'vpn_users-2022_11_17.csv'. The way you insert that +text is with a macro, defined for the current date. For this particular +format, I can define a macro called today with the +following definition, which just gets the current time and formats +it:

+

strftime(now(), "%Y-%m-%d")

+

Now I literally just stick it to the end of my original search, and +set the lookup file to append, so we add new values rather than +overwrite them:

+
index=syslog sourcetype=vpn
+    | table _time username 
+    | outputlookup vpn_users.csv
+    | outputlookup append=t vpn_users-`today`.csv
+

That's just a super obvious implementation though; there's all sorts +of ways you might want to tag your lookups for ease of access.

+ + + diff --git a/tutorials/www/how-to-use-the-internet.html b/tutorials/www/how-to-use-the-internet.html new file mode 100644 index 0000000..67a020e --- /dev/null +++ b/tutorials/www/how-to-use-the-internet.html @@ -0,0 +1,250 @@ + + + + + + +how-to-use-the-internet + + + + +

Why?

+

Why would anyone want to use the Internet, really?

+

There is actually purpose to connecting all the computers in the +world with near-instant speed beyond just streaming television, phishing +scams, pornography, punditry, and Fortnight competitions.

+

Unfortunately, almost none of us use the Internet for it's intended +purpose: finding infomation.

+

Writing an angry tweet to a celebrity or posting a picture of your +cat seems to be second nature for most people, but converting a picture +from a PDF or looking up a study (or even a word!) you saw in an article +is something else entirely.

+

While that's in part the fault of our laziness, it's equally the +fault of what the Internet has become.

+

For one: there's just so much more stuff now; it's hard to +know exactly where to start and who to trust. And so much of that stuff +is now garbage, either in the way it's presented, with +disruptive ads that don't close correctly, or in the way it's written: +vague, misleading, or straight incorrect.

+

For two: no one really teaches you how to use this thing do they? +There are no courses on "How to use a search engine" or "How to find +good posts on a forum," and definitely not on "How to write +good posts on a forum." But these are exactly the kinds of skills you +really need if you want to navigate the modern world without getting +constantly distracted, misled, or totally lost.

+

There are of course, countless guides on "netiquette" geared towards +every possible internet subculture you can find. While many of them have +influenced this document and give many helpful tips on writing good +informative posts, none of them really go over what I think is most +important: what to do with the information you're reading.

+

This will probably be an evolving document as new services and +websites become available (or go down), but much of this material in the +beginning should be pretty generally applicable no matter what services +are available.

+

How to use a web browser

+

How to use a search engine

+

As for which search engine to use: you should use all of them, until +you get the results you need.

+

In my experience, none of the major search engines are particularly +good and I get inconsistent searches on all of them depending on what +I'm searching. There is a lot of preaching these days about privacy +concerns, but I don't really believe any service is more "private" than +another. These are all privacy nightmares, arguably by design. Your best +bet is just to search often and as many platforms as you can.

+

How to read and find +scholarly articles

+

How to use Wikipedia

+

A common complaint lodged at me whenever I recommend Wikipedia is +that it's not a source of truth since they found X mistake somewhere, or +made Y edit when they were a teenager that's still there. No one has +ever (or should ever) claim Wikipedia is a source of truth on it's own. +But you can use it to find more sources and maybe get a little +closer.

+

How to find articles +with Google Scholar

+

Advanced Topics

+

How to use tor to browse +anonymously

+

Many in the advertising world will boast about using a VPN for +anonymity, or using a VPN in conjuction with Tor to "increase privacy." +This is simply a misunderstanding of terms. A VPN provides +privacy of the user's connection since it provides +encryption--only the VPN provider can "see" what is searched. The goal +of Tor is anonymity not privacy. Anonymity means "no one knows +who you are" not "no one knows what you're doing." Technically, traffic +is encrypted between nodes of the Tor service, so some level of privacy +is provided as well, but this is most effective when using hidden +services, not using Tor in general.

+ + + -- cgit v1.2.3
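Review bot: typo in the `.md/tutorials/splunk/.description` hunk, second line: `trhough` should be `through` (`but sometimes you just gotta learn trhough comment sections`). The third line (`questions that might not have a comment section, those answers are here`) also ends without a period; since this blurb is presumably rendered as the section description, close the sentence.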
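Review bot: the `i-found-out-splunk-macros-are-awesome.md` hunk never says that the `today` macro has to be an eval-based macro, and without that the example does not work: a plain search macro is literal text substitution, so `| outputlookup append=t vpn_users-`today`.csv` would expand to a filename containing the text `strftime(now(), "%Y-%m-%d")` rather than a date. Add a sentence saying the macro must be created with the "Use eval-based definition?" option (on the macro definition page the hunk already links to) so the expression is evaluated and its string result is substituted. Two smaller points in the same hunk: the prose example `'vpn_users-2022_11_17.csv'` uses underscores while `"%Y-%m-%d"` produces `2022-11-17`, so pick one format; and `combine all of the days reports into one each day, and then compare each today` reads as `day's reports` and `compare each to today`.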
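Review bot: the `tutorials/splunk/.description` hunk is a byte-for-byte copy of `.md/tutorials/splunk/.description` (both are blob `699b696`) and so carries the same `trhough` typo. If the `tutorials/` tree is generated from `.md/`, fix the source and regenerate rather than committing the copy by hand; if both are hand-maintained, a build step that copies the description would stop the two from drifting.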
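Review bot: the `tutorials/splunk/i-found-out-splunk-macros-are-awesome.html` hunk is the rendered copy of the markdown, so the missing eval-based-macro caveat and the `2022_11_17` versus `%Y-%m-%d` mismatch noted for the `.md` hunk are reproduced here and need the source fixed and the page regenerated, not a direct edit. One rendering point specific to this hunk: the document title is the filename slug `i-found-out-splunk-macros-are-awesome`; taking the title from the first line of the post (`Macros are for more than just canned searches.`) or a proper heading would read better in a browser tab and in search results.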
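Review bot: the `tutorials/www/how-to-use-the-internet.html` hunk does not match the commit subject `Add first splunk tutorials`, and unlike the splunk tutorial it arrives without a markdown source under `.md/tutorials/www/`; consider a separate commit that adds the `.md` alongside the HTML. Within the hunk, the sections `How to use a web browser`, `How to read and find scholarly articles` and `How to find articles with Google Scholar` are headings with no body, so either mark the page as a draft or drop the empty headings until they are written. The Tor/VPN paragraph also needs tightening: `only the VPN provider can "see" what is searched` overstates what a tunnel gives the provider (it sees the destinations, and with HTTPS not the page contents), and `traffic is encrypted between nodes of the Tor service` should add that the exit relay hands traffic to the destination as the application sent it, so end-to-end encryption (HTTPS) or an onion service is what keeps contents confidential. Spelling in the same hunk: `it's intended purpose` and `on it's own` should be `its`, `infomation` should be `information`, `conjuction` should be `conjunction`, and `Fortnight competitions` presumably means `Fortnite`.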