
Why do some searches only display statistics and not Events?

summitsplunk
Communicator

Below is a screenshot from my Fortinet FortiGate App for Splunk. In this case I'm clicking the search "Threat By Severity" on the Threat Dashboard. I noticed that I cannot drill down to events and it's only showing "statistics".



elliotproebstel
Champion

The query in your screenshot starts with tstats, a generating command which returns statistical data based on analysis of the tsidx files, not the events themselves. More information about tstats can be found here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Tstats
This answer also provides some good plain-English explanations of what tstats is:
https://answers.splunk.com/answers/186938/what-is-tstats-and-why-is-so-much-faster-than-stat.html

So basically, Splunk isn't analyzing regular events to generate the data shown on this screenshot, so it hasn't gathered those events for you to view.


jerryzhao
Contributor

Can you change the drilldown query string from:

    <drilldown>
      <link>
        <![CDATA[
            /app/SplunkAppForFortinet/search?q=`fgt_utm` severity="$click.name2$" earliest=$click.value$ [| stats count | eval latest = $click.value$ %2b 300 | fields latest]
          ]]>
      </link>
    </drilldown>

to following:

    <drilldown>
      <link>
        <![CDATA[
            /app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "utm" search | search log.utm.gseverity="$click.value$"&earliest=$time_token.earliest$&latest=$time_token.latest$
          ]]>
      </link>
    </drilldown>

in this file on your splunk search head:

/opt/splunk/etc/apps/SplunkAppForFortinet/default/data/ui/views/threat_dashboard.xml

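As an added illustration (not code from the thread or from the Fortinet app), the snippet below substitutes the dashboard's `$click.*$` tokens into the original drilldown SPL and builds the link the way a Simple XML `<link>` must, percent-encoding the search so that the literal `+` in `eval latest = $click.value$ + 300` survives as `%2B` (which is why the XML above spells it `%2b`). The token values and app name are constructed sample values.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample of the tokens Splunk fills in when the "critical" bar of
# the Threat By Severity chart is clicked (hypothetical values, not captured
# from a real dashboard).
CLICK_TOKENS = {"click.name2": "critical", "click.value": "1517443200"}

# The original drilldown SPL from the thread, written with the literal '+'
# that the dashboard XML has to spell as %2b.
TSTATS_DRILLDOWN = (
    '`fgt_utm` severity="$click.name2$" earliest=$click.value$ '
    '[| stats count | eval latest = $click.value$ + 300 | fields latest]'
)


def substitute_tokens(template: str, tokens: dict) -> str:
    """Replace $name$ placeholders the way Simple XML does before the link is built."""
    spl = template
    for name, value in tokens.items():
        spl = spl.replace(f"${name}$", str(value))
    return spl


def build_drilldown_url(app: str, spl: str, **time_range: str) -> str:
    """Percent-encode the SPL so it survives as the q= parameter.

    safe="" makes quote() encode '+' as %2B; an unencoded '+' in a query
    string is decoded as a space by the search head and corrupts the eval.
    """
    params = {"q": spl, **time_range}
    return f"/app/{app}/search?" + urlencode(params, quote_via=quote, safe="")


def spl_from_url(url: str) -> str:
    """Decode the link the way the search head does, to see the SPL it will run."""
    return parse_qs(urlsplit(url).query)["q"][0]


if __name__ == "__main__":
    spl = substitute_tokens(TSTATS_DRILLDOWN, CLICK_TOKENS)
    good = build_drilldown_url("SplunkAppForFortinet", spl)
    naive = "/app/SplunkAppForFortinet/search?q=" + spl  # no encoding at all
    print(spl_from_url(good))   # '+ 300' intact
    print(spl_from_url(naive))  # '+' has silently become a space
```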

summitsplunk
Communicator

Thanks for your input. I've modified the drilldown as you suggested; however, I still cannot view the related events from this query.


jerryzhao
Contributor

But what did it print out?


summitsplunk
Communicator

It appears that it added a "critical" column, which is nice. I'm hoping you can see the attached picture below.

https://drive.google.com/file/d/19VPCVdztOH_XNiHV2kXNf8cduj0D5xFA/view?usp=sharing


jerryzhao
Contributor

This is not what the query I gave you should show.
Maybe you are editing the wrong line.
Line 24 should be the line to be replaced with:
/app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "utm" search | search log.utm.gseverity="$click.value$"&earliest=$time_token.earliest$&latest=$time_token.latest$



summitsplunk
Communicator

"So basically, Splunk isn't analyzing regular events to generate the data shown on this screenshot, so it hasn't gathered those events for you to view."

Thanks for the explanation of tstats. So the more complicated question would be:

How do I get Splunk to analyze the regular events to generate the data shown?


elliotproebstel
Champion

I haven't used the Fortinet app on Splunk, so I'm just making some educated guesses based on the documentation I see on Splunkbase at https://splunkbase.splunk.com/app/2800/#/details

If you followed the default install, it looks like you should be able to find the events that are being used to populate the ftnt_fos data model by searching for sourcetype=fgt_traffic. (I'm basing this guess on step 5 in the documentation, where a screenshot shows a search for this sourcetype.)
