topic What's the difference between these two searches in Security

What's the difference between these two searches

Justin1224 — Tue, 29 Sep 2020 11:29:25 GMT

These are the two queries:

| tstats count from datamodel=Authentication by _time,Authentication.action span=10m | timechart minspan=10m useother=useother count by Authentication.action | drop_dm_object_name("Authentication")

| tstats count from datamodel=Web by _time,Web.action span=10m | timechart minspan=10m useother=useother count by Web.action | drop_dm_object_name("Web")

So I can see that the only difference between the two is that where "Authentication" is in the first one, "Web" is in its place in the second one.

So The first difference is that they are counting from difference datamodels (Web and Authentication). But how is "Authentication.action" different from "Web.action"?

Re: What's the difference between these two searches

cmerriman — Tue, 18 Oct 2016 14:47:09 GMT

Authentication data model is for login and logout activities
http://docs.splunk.com/Documentation/CIM/4.5.0/User/Authentication

Web data model is for web/proxy server data

http://docs.splunk.com/Documentation/CIM/4.5.0/User/Web

Re: What's the difference between these two searches

somesoni2 — Tue, 18 Oct 2016 14:48:13 GMT

Whether Authentication.action and Web.action are same or different depends on the their corresponding data model definition. They are a field in the data model and your queries is generating count for every value of action in 10 min time bucket. What type of values the action field contains in those two data model totally depends on the data on which the data model was build.

Re: What's the difference between these two searches

Justin1224 — Tue, 18 Oct 2016 17:37:26 GMT

Ok, thank you. Also, if it says, Authentication.app, then is it doing the same thing, except now just counting for each unique combination of bucketed time and field app?

Re: What's the difference between these two searches

somesoni2 — Tue, 18 Oct 2016 18:23:47 GMT

That's correct.

Re: What's the difference between these two searches

Justin1224 — Tue, 18 Oct 2016 22:10:31 GMT

Sorry, one last thing. Is this description accurate as to what this search does, disregarding the timechart portion?

| tstats count from datamodel=Authentication where nodename=Authentication.Default_Authentication Authentication.action=success by _time span=1h | timechart minspan=1h count

Translation:
Count the number of times the field "action" equals success from the datamodel named "Authentication" from the node "Default_Authentication". Perform this count for each 1 hour period of time.

Re: What's the difference between these two searches

Justin1224 — Tue, 29 Sep 2020 11:29:44 GMT

And also, why is there an Authentication.app after the "Authentication.action=success by _time"? What is that doing? Similarily, what is the timechart portion doing with Authentication.app? Isn't the search already counting when action=success? Is it also counting the number of events where app is not null?

| tstats count from datamodel=Authentication where nodename=Authentication.Default_Authentication Authentication.action=success by _time,Authentication.app span=1h | timechart minspan=1h count by Authentication.app | drop_dm_object_name("Authentication")

Re: What's the difference between these two searches

somesoni2 — Tue, 18 Oct 2016 22:26:20 GMT

The description looks correct to me.

Re: What's the difference between these two searches

somesoni2 — Tue, 18 Oct 2016 22:31:01 GMT

Here the count is done for combination of 1h bucketed _time and values of field Authentication.app.
The timechart command does two things here
1) The output after tstats will be with fields _time, Authentication.app count. The final output that you want was timechart (fields _time, value1 value2...). So it's converting stats like output to chartable output. (different series for each value of field Authentication.app)
2)Ensures that the number of results stays within the visualization limit of Splunk (1000 points). So if you search gave more than 1000 records, it would increase the span to keep the number of rows less than 1000. If you get less than 1000 records, the span will still remain same and you'll get same number of events after timechart.

Re: What's the difference between these two searches

Justin1224 — Wed, 19 Oct 2016 13:38:12 GMT

Ok, but what is the action=success doing in that query though? Is the search just doing everything you described but only for events where the value of the field action is success?

Re: What's the difference between these two searches

somesoni2 — Wed, 19 Oct 2016 14:21:32 GMT

Yes.. The where clause basically does the filtering of events, so only the events which has that nodename and action=success will be considered for aggregation.

Re: What's the difference between these two searches

Justin1224 — Wed, 19 Oct 2016 15:17:17 GMT

Ohhhhhhhh, I think you just gave me a breakthrough. So everything after where but before by, is a where clause, so it only performs the search when all of those conditions are met. Ok thank you that helps so much.