Saturday, November 4, 2023

CQLing Game Data - The Blog Version

I've been learning CrowdStrike's LogScale platform recently. To help myself learn the CrowdStrike Query Language (CQL), I figured I'd do some analysis of game data I had collected a while ago. It helped me learn, and I then created this post to perhaps help others who might be learning CQL as well.

To that end, this post is a written version of the live and somewhat interactive LogScale dashboard located here.

I'm providing the data itself at the bottom of this post if you want to monkey around with it.

It isn't uncommon for users of tools like LogScale to not know where to start from a query perspective. Something unique to LogScale is being able to easily share dashboards outside of the tool itself. This is a pretty cool capability! The other place where I see individuals somewhat struggle is how to create a dashboard: not mechanically so much as how to lay out the data.

Sunday, August 27, 2023

Splunk to LogScale Cheatsheet

Learning a new language is always fun(?). Many folks start with existing paradigms and look for comparisons. I'm no different while trying to learn LogScale's Query Language or LQL. 

I've looked for various cheat sheets and haven't found much. I'll paste a very rough one I've created below and hope to update it over time. Feel free to pass along anything I should add or tweak! There also has to be a better way to post this other than a pasted image from Excel. I'm a Luddite /shrug

Saturday, July 29, 2023

Finding Log Volume Ingestion Anomalies in Splunk

This is for my man Destry, who I met recently in person. He was having a bit of good-natured fun at my expense for not posting more frequently. So Destry, this is for you!

I’m doing a Splunk tips & tricks workshop this week with some folks who, among other things, had asked for a query to identify log volume anomalies. Ahh volume anomalies. So many variations of this. Several apps can be found on Splunkbase which have been developed by the user community. One might ask why Splunk hasn’t incorporated more of this sort of thing in the Monitoring Console /shrug.

My normal recommendation to folks is to run a few queries to capture log volume (the internal index license log) and event counts (tstats) into a ‘summary index’ for long-term retention and quicker analysis. Some of that is likely found in the introspection index, but I’ve not done a deep dive there TBH. The workshop I’m doing is with folks in a multi-tenant environment where each would like to do their own quick analysis.

So let’s define a few goals:

  • When a host is sending abnormally more or less of a data type compared to other hosts
  • When a host is sending abnormally more or less of a data type compared to itself
  • One query to do both comparisons to keep compute down and not have intermediate steps (like populating or reading from a lookup) for simplicity

Monday, January 2, 2023

New Managers: Hiring Process

The bug to write has bitten again.

There aren’t a ton of quick resources, nor do many orgs place a lot of emphasis on training for new managers. I’ve done a good bit of candidate prospecting and hiring over the last year, so I’ll write a bit through that lens across a few posts. I’m no expert but do have some thoughts on the subject.

You’re at a point where you must hire someone. What does that process look like and where do you even start?

I’d begin by contemplating the following:

  • Who you hire represents a $500k - $1M investment, assuming they will be with you for several years. Make sure you give the process appropriate time and energy.
  • “We hire people based on what they know and fire them for who they are.” Unknown original source, but I really like it. Don’t be so focused on skills that you miss warning signs around cultural fit and work ethic.

After giving those a good think, here are some additional framework-y things to do some mental gymnastics on before you start. You will inevitably have to adjust as you go, but limit how much of the plane you are building after it is in the air.

Monday, June 7, 2021

Framework Compliance: Does activity live on a spectrum or an iron triangle?

Whenever I see an article title like “<insert framework>: One framework to rule them all”, as recently discussed here, I’m simultaneously reminded of the following xkcd cartoon, which touches on the N+1 issues of framework consolidation, and of my grandmother saying “you can’t change the direction of a parked car.” Relative to achieving framework compliance, I’m not sure if those two thoughts live on the same spectrum or make up two corners of a compliance-related iron triangle. Not sure what the third iron triangle corner would be, though.