https://community.splunk.com/t5/Splunk-Search/undefined/m-p/697994#M237084 <P>I'm sure you are stuck, as expected.</P><P>The current <FONT face="courier new,courier">tstats</FONT> command produces only one field: count.&nbsp; You can get some (and maybe all) of them using the <FONT face="courier new,courier">list</FONT> or <FONT face="courier new,courier">values</FONT> function, but any association between the fields will be lost.</P><P>For example,.</P><LI-CODE lang="markup">| tstats count, values(analysis.threat_score) as ats, values(analysis.metadata.sandcastle_env.analysis_start) as start, ... from datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset where nodename=Secure_Malware_Analytics_Dataset index=* status IN ("*") sourcetype="cisco:sma:submissions"</LI-CODE><P>&nbsp;</P> Mon, 02 Sep 2024 15:33:33 GMT richgalloway 2024-09-02T15:33:33Z https://community.splunk.com/t5/Splunk-Search/undefined/m-p/697900#M237048 <P><SPAN>&nbsp;</SPAN></P> Fri, 13 Sep 2024 09:04:10 GMT https://community.splunk.com/t5/Splunk-Search/undefined/m-p/697900#M237048 romanpro 2024-09-13T09:04:10Z https://community.splunk.com/t5/Splunk-Search/undefined/m-p/697902#M237049 <P>This query appears to be unsuitable for conversion to&nbsp; <FONT face="courier new,courier">tstats</FONT>.&nbsp; It uses too many fields that must all be indexed for <FONT face="courier new,courier">tstats</FONT> to supply them.&nbsp; Also, the query is doing its own analysis of the events, but <FONT face="courier new,courier">tstats</FONT> provides aggregated values, not events, which would break the calculations done in the query.</P><P>What problem are you trying to solve?&nbsp; Perhaps <FONT face="courier new,courier">tstats</FONT> is not part of the answer.</P> Sun, 01 Sep 2024 17:33:40 GMT https://community.splunk.com/t5/Splunk-Search/undefined/m-p/697902#M237049 richgalloway 2024-09-01T17:33:40Z https://community.splunk.com/t5/Splunk-Search/undefined/m-p/697910#M237054 <P>I already converted up to this part&nbsp;</P><P>| tstats count from datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset where nodename=Secure_Malware_Analytics_Dataset index=* status IN ("*") sourcetype="cisco:sma:submissions"</P><P>It works as expected but I stuck to complete now</P> Sun, 01 Sep 2024 19:44:33 GMT https://community.splunk.com/t5/Splunk-Search/undefined/m-p/697910#M237054 romanpro 2024-09-01T19:44:33Z https://community.splunk.com/t5/Splunk-Search/undefined/m-p/697994#M237084 <P>I'm sure you are stuck, as expected.</P><P>The current <FONT face="courier new,courier">tstats</FONT> command produces only one field: count.&nbsp; You can get some (and maybe all) of them using the <FONT face="courier new,courier">list</FONT> or <FONT face="courier new,courier">values</FONT> function, but any association between the fields will be lost.</P><P>For example,.</P><LI-CODE lang="markup">| tstats count, values(analysis.threat_score) as ats, values(analysis.metadata.sandcastle_env.analysis_start) as start, ... from datamodel=Cisco_Security.Secure_Malware_Analytics_Dataset where nodename=Secure_Malware_Analytics_Dataset index=* status IN ("*") sourcetype="cisco:sma:submissions"</LI-CODE><P>&nbsp;</P> Mon, 02 Sep 2024 15:33:33 GMT https://community.splunk.com/t5/Splunk-Search/undefined/m-p/697994#M237084 richgalloway 2024-09-02T15:33:33Z