https://community.splunk.com/t5/Reporting/How-to-write-a-search-leveraging-tstats-a-data-model-and/m-p/619111#M11692 <P>Adding the <FONT face="courier new,courier">timechart</FONT> command should do it.</P><P>&nbsp;</P><LI-CODE lang="markup">| tstats count AS "Count of Blocked Traffic" from datamodel=Network_Traffic where (nodename = All_Traffic.Traffic_By_Action.Blocked_Traffic) All_Traffic.src_zone=foo groupby _time span=1d, All_Traffic.src_zone prestats=true | `drop_dm_object_name("All_Traffic")` | timechart span=1d count by src_zone</LI-CODE><P>&nbsp;</P> Tue, 01 Nov 2022 14:05:06 GMT richgalloway 2022-11-01T14:05:06Z https://community.splunk.com/t5/Reporting/How-to-write-a-search-leveraging-tstats-a-data-model-and/m-p/619106#M11691 <P>I am looking to convert this regular search:</P><LI-CODE lang="markup">index=foo action=blocked `macro` src_zone=foo | timechart count span=1d </LI-CODE><P>over to a search that leverage tstats and the Network Traffic datamodel that shows the count of blocked traffic per day for the past 7 days due to the large volume of network events</P><LI-CODE lang="markup">| tstats count AS "Count of Blocked Traffic" from datamodel=Network_Traffic where (nodename = All_Traffic.Traffic_By_Action.Blocked_Traffic) All_Traffic.src_zone=foo groupby _time, All_Traffic.src_zone prestats=true</LI-CODE><P>&nbsp;How can I get this search to use timechart?</P><P>Thx</P> Tue, 01 Nov 2022 13:52:17 GMT https://community.splunk.com/t5/Reporting/How-to-write-a-search-leveraging-tstats-a-data-model-and/m-p/619106#M11691 jwalzerpitt 2022-11-01T13:52:17Z https://community.splunk.com/t5/Reporting/How-to-write-a-search-leveraging-tstats-a-data-model-and/m-p/619111#M11692 <P>Adding the <FONT face="courier new,courier">timechart</FONT> command should do it.</P><P>&nbsp;</P><LI-CODE lang="markup">| tstats count AS "Count of Blocked Traffic" from datamodel=Network_Traffic where (nodename = All_Traffic.Traffic_By_Action.Blocked_Traffic) All_Traffic.src_zone=foo groupby _time span=1d, All_Traffic.src_zone prestats=true | `drop_dm_object_name("All_Traffic")` | timechart span=1d count by src_zone</LI-CODE><P>&nbsp;</P> Tue, 01 Nov 2022 14:05:06 GMT https://community.splunk.com/t5/Reporting/How-to-write-a-search-leveraging-tstats-a-data-model-and/m-p/619111#M11692 richgalloway 2022-11-01T14:05:06Z https://community.splunk.com/t5/Reporting/How-to-write-a-search-leveraging-tstats-a-data-model-and/m-p/619114#M11693 <P>TYVM Rich!</P><P>If I needed to add a macro in the search, where would I place that?</P><P>Thx again</P> Tue, 01 Nov 2022 14:15:36 GMT https://community.splunk.com/t5/Reporting/How-to-write-a-search-leveraging-tstats-a-data-model-and/m-p/619114#M11693 jwalzerpitt 2022-11-01T14:15:36Z https://community.splunk.com/t5/Reporting/How-to-write-a-search-leveraging-tstats-a-data-model-and/m-p/619124#M11694 <P>It depends on what the macro does.&nbsp; Start by putting it in the <FONT face="courier new,courier">where</FONT> clause of the <FONT face="courier new,courier">tstats</FONT> command.</P> Tue, 01 Nov 2022 14:43:22 GMT https://community.splunk.com/t5/Reporting/How-to-write-a-search-leveraging-tstats-a-data-model-and/m-p/619124#M11694 richgalloway 2022-11-01T14:43:22Z https://community.splunk.com/t5/Reporting/How-to-write-a-search-leveraging-tstats-a-data-model-and/m-p/619510#M11697 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>If I wanted to change this search up so it's looking at total traffic events with an overlay of the avg number of blocks, how would I write that query?</P><P>I have the following but not getting any results:</P><LI-CODE lang="markup">| tstats count AS "Total Traffic" from datamodel=Network_Traffic where (nodename = All_Traffic) All_Traffic.src_zone=INTERNET-O groupby _time span=1d, All_Traffic.src_zone, All_Traffic.Traffic_By_Action.Blocked_Traffic prestats=true | `drop_dm_object_name("All_Traffic")` | timechart span=1d count | stats avg(count) by Traffic_By_Action.Blocked_Traffic</LI-CODE><P>Is the issue that I'm pulling from two different objects in the Network datamodel -&nbsp;<SPAN>All_Traffic and&nbsp;Blocked_Traffic and not referencing&nbsp;the&nbsp;Blocked_Traffic model correctly?</SPAN></P> Thu, 03 Nov 2022 16:52:58 GMT https://community.splunk.com/t5/Reporting/How-to-write-a-search-leveraging-tstats-a-data-model-and/m-p/619510#M11697 jwalzerpitt 2022-11-03T16:52:58Z https://community.splunk.com/t5/Reporting/How-to-write-a-search-leveraging-tstats-a-data-model-and/m-p/619526#M11698 <P>Mucking around some more and getting closer as I now have this:</P><LI-CODE lang="markup">| tstats count AS "Total Traffic" from datamodel=Network_Traffic where (nodename = All_Traffic ) OR (nodename = Blocked_Traffic) All_Traffic.src_zone=INTERNET-O groupby _time span=1d, All_Traffic.src_zone, All_Traffic.action, All_Traffic.Traffic_By_Action.Blocked_Traffic prestats=true | `drop_dm_object_name("All_Traffic")` | timechart span=1d count by action | eval "Block Avg" = round('blocked'*100/('allowed'+'blocked'),2)</LI-CODE><P>But two issues:</P><OL><LI>Timechart now shows bars by action and 'd like to see just the total count of network sessions</LI><LI>The average is basically flatlined as it's at roughly 40% whereas my totals by action are roughly 1.5B</LI></OL> Thu, 03 Nov 2022 17:55:03 GMT https://community.splunk.com/t5/Reporting/How-to-write-a-search-leveraging-tstats-a-data-model-and/m-p/619526#M11698 jwalzerpitt 2022-11-03T17:55:03Z