Macros are for more than just canned searches.
If you've never seen a macro before, read the doc page here:
https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Definesearchmacros
What that doc page doesn't tell you is that you don't have to limit
yourself to putting a canned search in there. A macro can also have an
eval-based definition (the "Use eval-based definition?" option), and if
you know how to use `eval` you can have the macro produce any text you
like and drop it anywhere in a search.
Take, for example, timestamping your output lookups. Let's say
I have a report that runs every 12 hours and writes to a lookup
called "vpn_users.csv", containing every user who logged on to the VPN
in that window. That report might look something like this:
```SPL
index=syslog sourcetype=vpn
| table _time username
| outputlookup vpn_users.csv
```
I can easily review that lookup like so:
`| inputlookup vpn_users.csv`
My boss might be happy that I'm keeping an eye on things, but
what's the historical picture? How do I know what's a red flag
and what isn't?
What I want is a separate file for each day, so that I can compare
today's against the days before it. But with the original report logic,
the lookup gets overwritten every 12 hours. You could just append forever,
but then you're no longer looking at just twelve hours unless you add a
time constraint to your search. How do I get to a daily report without
interrupting the reports already running?
One way to do it is to write a second, combined report to a file unique to
that day, for example 'vpn_users-2022_11_17.csv'. The way you get that
date into the file name is with a macro whose eval-based definition
expands to the current date.
For this particular format, I can define a macro called `today` with
the following eval-based definition, which just takes the current time
and formats it:
`strftime(now(), "%Y-%m-%d")`
Now I just stick it on the end of my original search, with `append=t`
on the daily file so we *add* new rows to it rather than
overwrite them (the first `outputlookup` passes the events through, so
the original lookup still gets written as before):
```SPL
index=syslog sourcetype=vpn
| table _time username
| outputlookup vpn_users.csv
| outputlookup append=t vpn_users-`today`.csv
```
That's just the most obvious implementation, though; there are all sorts of
ways you might want to tag your lookups for ease of access.
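As an added example (not configuration from the original post), here is the same idea in `macros.conf` form, taken a step further: the `today` macro, an assumed `days_ago(n)` variant (assuming `$n$` is substituted before the eval expression runs), and a hypothetical `new_vpn_users` search macro that uses the daily files to list accounts seen on the VPN today but not yesterday.

```ini
# macros.conf: added example, not the original post's configuration.
# Eval-based macro: Splunk evaluates the definition as an eval expression
# and substitutes the resulting string, so `today` becomes e.g. 2022-11-17.
[today]
definition = strftime(now(), "%Y-%m-%d")
iseval = 1

# Same idea with an argument (assumption: $n$ is substituted textually
# before the eval runs). `days_ago(1)` expands to yesterday's date,
# `days_ago(7)` to the date a week ago.
[days_ago(1)]
args = n
definition = strftime(relative_time(now(), "-$n$d@d"), "%Y-%m-%d")
iseval = 1

# Ordinary (non-eval) search macro, hypothetical, built on the two above.
# It reads today's daily file and yesterday's, tags each row with where it
# came from, and keeps only usernames with no row in yesterday's file:
# accounts that appeared on the VPN today but not the day before. That is
# a review queue for an analyst, not evidence of anything on its own.
[new_vpn_users]
definition = inputlookup vpn_users-`today`.csv | eval seen="today" | append [| inputlookup vpn_users-`days_ago(1)`.csv | eval seen="yesterday"] | stats count(eval(seen="today")) AS today_logons, count(eval(seen="yesterday")) AS yesterday_logons, min(_time) AS first_seen by username | where yesterday_logons=0
```

Run it as `` | `new_vpn_users` ``; since `inputlookup` errors when a lookup file does not exist, it only works once yesterday's daily file has been written.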