https://community.splunk.com/t5/Getting-Data-In/TSTATS-and-searches-that-run-strange/m-p/650071#M110472 <P><SPAN>May i rephrase your question like this:</SPAN></P><P><SPAN><BR />The tstats search runs fine, returns the SRC field, but the SRC results are not what i expected...&nbsp;</SPAN></P><P><SPAN>because ..</SPAN></P><P><SPAN>A) there is no data </SPAN></P><P><SPAN>B) filling in from the search and the search needs to be changed</SPAN></P><P>&nbsp;</P><P>Can you pls copy paste the search query inside the question.. it will help us copy ur query and run it in our splunk. thanks.&nbsp;</P><P>&nbsp;</P> Wed, 12 Jul 2023 00:45:52 GMT inventsekar 2023-07-12T00:45:52Z https://community.splunk.com/t5/Getting-Data-In/TSTATS-and-searches-that-run-strange/m-p/650063#M110468 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tstats and search.PNG" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26213iCE26B47FD1445DE3/image-size/medium?v=v2&amp;px=400" role="button" title="tstats and search.PNG" alt="tstats and search.PNG" /></span></P><P> I think my question is --Is the Search overall returning the SRC filed the way it does because&nbsp; either A there is no data or B filling in from the search and the search needs to be changed.</P><P>This is a tstats search from either infosec or enterprise security.</P><P>What should I change or do I need to do&nbsp; something different.</P> Tue, 11 Jul 2023 22:04:11 GMT https://community.splunk.com/t5/Getting-Data-In/TSTATS-and-searches-that-run-strange/m-p/650063#M110468 domino30 2023-07-11T22:04:11Z https://community.splunk.com/t5/Getting-Data-In/TSTATS-and-searches-that-run-strange/m-p/650071#M110472 <P><SPAN>May i rephrase your question like this:</SPAN></P><P><SPAN><BR />The tstats search runs fine, returns the SRC field, but the SRC results are not what i expected...&nbsp;</SPAN></P><P><SPAN>because ..</SPAN></P><P><SPAN>A) there is no data </SPAN></P><P><SPAN>B) filling in from the search and the search needs to be changed</SPAN></P><P>&nbsp;</P><P>Can you pls copy paste the search query inside the question.. it will help us copy ur query and run it in our splunk. thanks.&nbsp;</P><P>&nbsp;</P> Wed, 12 Jul 2023 00:45:52 GMT https://community.splunk.com/t5/Getting-Data-In/TSTATS-and-searches-that-run-strange/m-p/650071#M110472 inventsekar 2023-07-12T00:45:52Z https://community.splunk.com/t5/Getting-Data-In/TSTATS-and-searches-that-run-strange/m-p/650232#M110497 <P>It came from the infosec app under host investigation</P><P>Here is the search</P><P>| tstats summariesonly=true allow_old_summaries=true max(_time) as _time, values(Authentication.action) as action, values(Authentication.app) as app, count from datamodel=Authentication.Authentication where (Authentication.src="::ffff:10.4.118.10" OR Authenication.dest="::ffff:10.4.118.10") by Authentication.src, Authentication.src_user, Authentication.dest, Authentication.user<BR />| rename "Authentication.*" as "*"<BR />| eval src=if((src=== "unknown"),null(),src), dest=if((dest == "unknown"),null(),dest)<BR />| fields + _time, src, dest, action, app, count, user, src_user, count<BR />| sort - count</P> Wed, 12 Jul 2023 15:34:28 GMT https://community.splunk.com/t5/Getting-Data-In/TSTATS-and-searches-that-run-strange/m-p/650232#M110497 domino30 2023-07-12T15:34:28Z https://community.splunk.com/t5/Getting-Data-In/TSTATS-and-searches-that-run-strange/m-p/650301#M110508 <P>thanks for the Search Query... but still your question "<SPAN>Is the Search overall returning the SRC filed the way it does because&nbsp; either A there is no data or B filling in from the search and the search needs to be changed."</SPAN></P><P><SPAN>is not clear.. please update us, from the tstats command what kind of results you are looking for(maybe provide us a table format sample output what you are looking for)..then we can reverse engineer the tstats command for your.. thanks.</SPAN></P> Thu, 13 Jul 2023 00:20:33 GMT https://community.splunk.com/t5/Getting-Data-In/TSTATS-and-searches-that-run-strange/m-p/650301#M110508 inventsekar 2023-07-13T00:20:33Z https://community.splunk.com/t5/Getting-Data-In/TSTATS-and-searches-that-run-strange/m-p/650447#M110522 <P>figured out I was searching for what I got in the example that I got however I got&nbsp; another question</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="what about this.PNG" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26254i079E5889C4775831/image-size/medium?v=v2&amp;px=400" role="button" title="what about this.PNG" alt="what about this.PNG" /></span></P><P> what about these unknowns and also the src is funky but I think its because if it not known it returns that ::fff10.x.x.x. field but im not sure</P> Thu, 13 Jul 2023 19:15:37 GMT https://community.splunk.com/t5/Getting-Data-In/TSTATS-and-searches-that-run-strange/m-p/650447#M110522 domino30 2023-07-13T19:15:37Z