From bcf5aeb7b77ae0d0c376c99249b60ab151f9d19c Mon Sep 17 00:00:00 2001
From: mjfernez <mjf@mjfer.net>
Date: Sun, 22 Oct 2023 21:59:40 -0400
Subject: Add first splunk tutorials

---
 .../i-found-out-splunk-macros-are-awesome.html     | 201 +++++++++++++++++++++
 1 file changed, 201 insertions(+)
 create mode 100644 tutorials/splunk/i-found-out-splunk-macros-are-awesome.html

(limited to 'tutorials/splunk/i-found-out-splunk-macros-are-awesome.html')

diff --git a/tutorials/splunk/i-found-out-splunk-macros-are-awesome.html b/tutorials/splunk/i-found-out-splunk-macros-are-awesome.html
new file mode 100644
index 0000000..10e8567
--- /dev/null
+++ b/tutorials/splunk/i-found-out-splunk-macros-are-awesome.html
@@ -0,0 +1,201 @@
+<!DOCTYPE html>
+<html lang="" xml:lang="" xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta charset="utf-8"/>
+<meta content="pandoc" name="generator"/>
+<meta content="width=device-width, initial-scale=1.0, user-scalable=yes" name="viewport"/>
+<title>i-found-out-splunk-macros-are-awesome</title>
+<style>
+    html {
+      line-height: 1.5;
+      font-family: Georgia, serif;
+      font-size: 20px;
+      color: #1a1a1a;
+      background-color: #fdfdfd;
+    }
+    body {
+      margin: 0 auto;
+      max-width: 36em;
+      padding-left: 50px;
+      padding-right: 50px;
+      padding-top: 50px;
+      padding-bottom: 50px;
+      hyphens: auto;
+      overflow-wrap: break-word;
+      text-rendering: optimizeLegibility;
+      font-kerning: normal;
+    }
+    @media (max-width: 600px) {
+      body {
+        font-size: 0.9em;
+        padding: 1em;
+      }
+      h1 {
+        font-size: 1.8em;
+      }
+    }
+    @media print {
+      body {
+        background-color: transparent;
+        color: black;
+        font-size: 12pt;
+      }
+      p, h2, h3 {
+        orphans: 3;
+        widows: 3;
+      }
+      h2, h3, h4 {
+        page-break-after: avoid;
+      }
+    }
+    p {
+      margin: 1em 0;
+    }
+    a {
+      color: #1a1a1a;
+    }
+    a:visited {
+      color: #1a1a1a;
+    }
+    img {
+      max-width: 100%;
+    }
+    h1, h2, h3, h4, h5, h6 {
+      margin-top: 1.4em;
+    }
+    h5, h6 {
+      font-size: 1em;
+      font-style: italic;
+    }
+    h6 {
+      font-weight: normal;
+    }
+    ol, ul {
+      padding-left: 1.7em;
+      margin-top: 1em;
+    }
+    li > ol, li > ul {
+      margin-top: 0;
+    }
+    blockquote {
+      margin: 1em 0 1em 1.7em;
+      padding-left: 1em;
+      border-left: 2px solid #e6e6e6;
+      color: #606060;
+    }
+    code {
+      font-family: Menlo, Monaco, 'Lucida Console', Consolas, monospace;
+      font-size: 85%;
+      margin: 0;
+    }
+    pre {
+      margin: 1em 0;
+      overflow: auto;
+    }
+    pre code {
+      padding: 0;
+      overflow: visible;
+      overflow-wrap: normal;
+    }
+    .sourceCode {
+     background-color: transparent;
+     overflow: visible;
+    }
+    hr {
+      background-color: #1a1a1a;
+      border: none;
+      height: 1px;
+      margin: 1em 0;
+    }
+    table {
+      margin: 1em 0;
+      border-collapse: collapse;
+      width: 100%;
+      overflow-x: auto;
+      display: block;
+      font-variant-numeric: lining-nums tabular-nums;
+    }
+    table caption {
+      margin-bottom: 0.75em;
+    }
+    tbody {
+      margin-top: 0.5em;
+      border-top: 1px solid #1a1a1a;
+      border-bottom: 1px solid #1a1a1a;
+    }
+    th {
+      border-top: 1px solid #1a1a1a;
+      padding: 0.25em 0.5em 0.25em 0.5em;
+    }
+    td {
+      padding: 0.125em 0.5em 0.25em 0.5em;
+    }
+    header {
+      margin-bottom: 4em;
+      text-align: center;
+    }
+    #TOC li {
+      list-style: none;
+    }
+    #TOC ul {
+      padding-left: 1.3em;
+    }
+    #TOC > ul {
+      padding-left: 0;
+    }
+    #TOC a:not(:hover) {
+      text-decoration: none;
+    }
+    code{white-space: pre-wrap;}
+    span.smallcaps{font-variant: small-caps;}
+    span.underline{text-decoration: underline;}
+    div.column{display: inline-block; vertical-align: top; width: 50%;}
+    div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
+    ul.task-list{list-style: none;}
+    .display.math{display: block; text-align: center; margin: 0.5rem auto;}
+  </style>
+</head>
+<body>
+<p>Macros are for more than just canned searches.</p>
+<p>If you've never seen a macro before, read the doc page here:</p>
+<p>https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Definesearchmacros</p>
+<p>What that doc page doesn't tell you is that you need not just stick
+any old complicated search in there. If you know how to use
+<code>eval</code> you can stick any resulting text anywhere you
+want.</p>
+<p>Take for example, timestamping your output lookups. Let's say I have
+a report that runs every 12 hours that I output to a lookup called
+"vpn_users.csv," which contains all users who logged on to VPN in that
+time. That report might look something like this:</p>
+<pre class="spl"><code>index=syslog sourcetype=vpn
+    | table _time username 
+    | outputlookup vpn_users.csv</code></pre>
+<p>I can easily review that lookup like so:</p>
+<p><code>| inputlookup vpn_users.csv</code></p>
+<p>My boss might be happy that I'm keeping an eye on things, but what's
+the historical picture? How do I know what's a red flag and what isn't?
+What I might do is combine all of the days reports into one each day,
+and then compare each today. But in the original report logic, this gets
+overwritten every 12 hours. You could just append forever, but then
+you're not looking at just twelve hours, unless you add a time
+constraint to your search. How do I get to a daily report without
+interrupting the reports already running?</p>
+<p>One way to do it is to create a second combined report unique to that
+day, for example 'vpn_users-2022_11_17.csv'. The way you insert that
+text is with a macro, defined for the current date. For this particular
+format, I can define a macro called <code>today</code> with the
+following definition, which just gets the current time and formats
+it:</p>
+<p><code>strftime(now(), "%Y-%m-%d")</code></p>
+<p>Now I literally just stick it to the end of my original search, and
+set the lookup file to append, so we <em>add</em> new values rather than
+overwrite them:</p>
+<pre class="spl"><code>index=syslog sourcetype=vpn
+    | table _time username 
+    | outputlookup vpn_users.csv
+    | outputlookup append=t vpn_users-`today`.csv</code></pre>
+<p>That's just a super obvious implementation though; there's all sorts
+of ways you might want to tag your lookups for ease of access.</p>
+</body>
+</html>
+
-- 
cgit v1.2.3