https://community.splunk.com/t5/Splunk-Enterprise-Security/help-needed-to-understand-correlation-search-in-ES-sandbox/m-p/290390#M2530 <P>I am quite new to ES, although i have an good understanding of data models and other Splunk commands, i am unable to understand the below correlation search in ES.<BR /> | datamodel "Authentication" "Failed_Authentication" search | stats values(Authentication.tag) as "tag",dc(Authentication.user) as "user_count",dc(Authentication.dest) as "dest_count",count by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authentication.src" as "src" | where 'count'&gt;=6<BR /> My queries are:<BR /> 1. datamodel "Authentication" "Failed_Authentication" search - is it searching 2 DMs and what does the search at the end signify. going by the syntax it is not a subsearch that usually starts with "["<BR /> 2. what does values(Authentication.tag) mean, if Authentication.tag is a field, where can i see the exact field extraction of this field</P> Tue, 29 Sep 2020 16:50:42 GMT soumyasaha2506 2020-09-29T16:50:42Z https://community.splunk.com/t5/Splunk-Enterprise-Security/help-needed-to-understand-correlation-search-in-ES-sandbox/m-p/290390#M2530 <P>I am quite new to ES, although i have an good understanding of data models and other Splunk commands, i am unable to understand the below correlation search in ES.<BR /> | datamodel "Authentication" "Failed_Authentication" search | stats values(Authentication.tag) as "tag",dc(Authentication.user) as "user_count",dc(Authentication.dest) as "dest_count",count by "Authentication.app","Authentication.src" | rename "Authentication.app" as "app","Authentication.src" as "src" | where 'count'&gt;=6<BR /> My queries are:<BR /> 1. datamodel "Authentication" "Failed_Authentication" search - is it searching 2 DMs and what does the search at the end signify. going by the syntax it is not a subsearch that usually starts with "["<BR /> 2. what does values(Authentication.tag) mean, if Authentication.tag is a field, where can i see the exact field extraction of this field</P> Tue, 29 Sep 2020 16:50:42 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/help-needed-to-understand-correlation-search-in-ES-sandbox/m-p/290390#M2530 soumyasaha2506 2020-09-29T16:50:42Z https://community.splunk.com/t5/Splunk-Enterprise-Security/help-needed-to-understand-correlation-search-in-ES-sandbox/m-p/290391#M2531 <P>This is for the excessive failed logins correlation search, correct? This correlation search tutorial actually walks through the syntax of that search, and building it with the guided search editor. <A href="http://docs.splunk.com/Documentation/ES/4.7.4/Tutorials/GuidedCorrelationSearch" target="_blank">http://docs.splunk.com/Documentation/ES/4.7.4/Tutorials/GuidedCorrelationSearch</A></P> <P>For your first question, Failed_Authentication is a dataset within the Authentication data model, so it's not searching 2 data models. The Failed_Authentication dataset is identified by the search constraint action=failure. The word search is there because of the way the datamodel command is used: <A href="http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Datamodel" target="_blank">http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Datamodel</A></P> <P>For your second question, values(Authentication.tag) looks for all the values of the Authentication.tag field. See <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multivaluefunctions#values.28X.29" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multivaluefunctions#values.28X.29</A><BR /> Authentication.tag is not an extracted field, but the tag field of the Authentication data model. </P> Tue, 29 Sep 2020 16:51:48 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/help-needed-to-understand-correlation-search-in-ES-sandbox/m-p/290391#M2531 smoir_splunk 2020-09-29T16:51:48Z