https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371972#M44950 <P>"So basically, Splunk isn't analyzing regular events to generate the data shown on this screenshot, so it hasn't gathered those events for you to view. "</P> <P>Thanks for the explanation of tstats. So the more complicated question would be:</P> <P>How do I get Splunk to analyze the regular events to generate the data shown?</P> Wed, 03 Jan 2018 22:24:22 GMT summitsplunk 2018-01-03T22:24:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371970#M44948 <P>Below is a screen shot from my Fortinet FortiGate App for Splunk. In this case I'm clicking the search "Threat By Severity" on the Threat Dashboard. I noticed that I cannot drill down to events and it's only showing "statistics". </P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4093iB78C7178D1BF7BFD/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 03 Jan 2018 21:20:18 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371970#M44948 summitsplunk 2018-01-03T21:20:18Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371971#M44949 <P>The query in your screenshot starts with <CODE>tstats</CODE>, a generating command which returns statistical data based on analysis of the tsidx files, not the events themselves. More information about <CODE>tstats</CODE> can be found here:<BR /> <A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Tstats">https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Tstats</A><BR /> This answer also provides some good plain-English explanations of what <CODE>tstats</CODE> is:<BR /> <A href="https://answers.splunk.com/answers/186938/what-is-tstats-and-why-is-so-much-faster-than-stat.html">https://answers.splunk.com/answers/186938/what-is-tstats-and-why-is-so-much-faster-than-stat.html</A></P> <P>So basically, Splunk isn't analyzing regular events to generate the data shown on this screenshot, so it hasn't gathered those events for you to view. </P> Wed, 03 Jan 2018 21:30:56 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371971#M44949 elliotproebstel 2018-01-03T21:30:56Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371972#M44950 <P>"So basically, Splunk isn't analyzing regular events to generate the data shown on this screenshot, so it hasn't gathered those events for you to view. "</P> <P>Thanks for the explanation of tstats. So the more complicated question would be:</P> <P>How do I get Splunk to analyze the regular events to generate the data shown?</P> Wed, 03 Jan 2018 22:24:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371972#M44950 summitsplunk 2018-01-03T22:24:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371973#M44951 <P>I haven't used the Fortinet app on Splunk, so I'm just making some educated guesses based on the documentation I see on Splunkbase at <A href="https://splunkbase.splunk.com/app/2800/#/details">https://splunkbase.splunk.com/app/2800/#/details</A></P> <P>If you followed the default install, it looks like you should be able to find the events that are being used to populate the <CODE>ftnt_fos</CODE> data model by searching for <CODE>sourcetype=fgt_traffic</CODE>. (I'm basing this guess on step 5 in the documentation, where a screenshot shows a search for this sourcetype.) </P> Thu, 04 Jan 2018 14:26:14 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371973#M44951 elliotproebstel 2018-01-04T14:26:14Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371974#M44952 <P>can you change the drilldown query string from:</P> <PRE><CODE> &lt;drilldown&gt; &lt;link&gt; &lt;![CDATA[ /app/SplunkAppForFortinet/search?q=`fgt_utm` severity="$click.name2$" earliest=$click.value$ [| stats count | eval latest = $click.value$ %2b 300 | fields latest] ]]&gt; &lt;/link&gt; &lt;/drilldown&gt; </CODE></PRE> <P>to following:</P> <PRE><CODE> &lt;drilldown&gt; &lt;link&gt; &lt;![CDATA[ /app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "utm" search | search log.utm.gseverity="$click.value$"&amp;earliest=$time_token.earliest$&amp;latest=$time_token.latest$ ]]&gt; &lt;/link&gt; &lt;/drilldown&gt; </CODE></PRE> <P>in this file on your splunk search head:</P> <P>/opt/splunk/etc/apps/SplunkAppForFortinet/default/data/ui/views/threat_dashboard.xml</P> Thu, 04 Jan 2018 18:59:13 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371974#M44952 jerryzhao 2018-01-04T18:59:13Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371975#M44953 <P>Thanks for your input I've modified the drilldown as you suggested however I still cannot view the related events from this query. </P> Thu, 04 Jan 2018 22:01:31 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371975#M44953 summitsplunk 2018-01-04T22:01:31Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371976#M44954 <P>but what did it print out?</P> Thu, 04 Jan 2018 23:04:35 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371976#M44954 jerryzhao 2018-01-04T23:04:35Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371977#M44955 <P>It appears that it added a "critical column which is nice. I'm hoping you can see the attacked picture below. </P> <P><A href="https://drive.google.com/file/d/19VPCVdztOH_XNiHV2kXNf8cduj0D5xFA/view?usp=sharing">https://drive.google.com/file/d/19VPCVdztOH_XNiHV2kXNf8cduj0D5xFA/view?usp=sharing</A></P> Thu, 04 Jan 2018 23:42:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371977#M44955 summitsplunk 2018-01-04T23:42:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371978#M44956 <P>this is not what the query i gave you should show.<BR /> maybe you are editing the wrong line.<BR /> Line 24 should be the line to be replaced with:<BR /> /app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "utm" search | search log.utm.gseverity="$click.value$"&amp;earliest=$time_token.earliest$&amp;latest=$time_token.latest$</P> Tue, 29 Sep 2020 17:29:41 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371978#M44956 jerryzhao 2020-09-29T17:29:41Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371979#M44957 <P>What I see on line 24 <A href="https://drive.google.com/file/d/1lX41MEvqqYkvhn2DTAu6ISGluv8ozPfa/view?usp=sharing">https://drive.google.com/file/d/1lX41MEvqqYkvhn2DTAu6ISGluv8ozPfa/view?usp=sharing</A></P> <P>The Code I edited<BR /> <A href="https://drive.google.com/file/d/1hF2-tk7cNq1dYqwvoSe57rJtB93MSTmc/view?usp=sharing">https://drive.google.com/file/d/1hF2-tk7cNq1dYqwvoSe57rJtB93MSTmc/view?usp=sharing</A></P> Fri, 05 Jan 2018 00:15:17 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-do-some-searches-only-display-statistics-and-not-Events/m-p/371979#M44957 summitsplunk 2018-01-05T00:15:17Z