Why do some searches only display statistics and not Events?

summitsplunk
Communicator

Below is a screen shot from my Fortinet FortiGate App for Splunk. In this case I'm clicking the search "Threat By Severity" on the Threat Dashboard. I noticed that I cannot drill down to events and it's only showing "statistics".


elliotproebstel
Champion

The query in your screenshot starts with tstats, a generating command which returns statistical data based on analysis of the tsidx files, not the events themselves. More information about tstats can be found here:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Tstats
This answer also provides some good plain-English explanations of what tstats is:
https://answers.splunk.com/answers/186938/what-is-tstats-and-why-is-so-much-faster-than-stat.html

So basically, Splunk isn't analyzing regular events to generate the data shown on this screenshot, so it hasn't gathered those events for you to view.

jerryzhao
Contributor

Can you change the drilldown query string from:

    <drilldown>
      <link>
        <![CDATA[
            /app/SplunkAppForFortinet/search?q=`fgt_utm` severity="$click.name2$" earliest=$click.value$ [| stats count | eval latest = $click.value$ %2b 300 | fields latest]
          ]]>
      </link>
    </drilldown>

to the following:

    <drilldown>
      <link>
        <![CDATA[
            /app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "utm" search | search log.utm.gseverity="$click.value$"&earliest=$time_token.earliest$&latest=$time_token.latest$
          ]]>
      </link>
    </drilldown>

in this file on your splunk search head:

/opt/splunk/etc/apps/SplunkAppForFortinet/default/data/ui/views/threat_dashboard.xml

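Putting the two answers above together, as an added example that is not part of the original post or of the Fortinet app: the panel is fed by tstats, which reads only the tsidx summaries and therefore has no raw events to hand over, so the drilldown has to launch a second, event-level search itself. The dashboard below keeps a tstats chart for speed and, on click, runs `| datamodel "ftnt_fos" "utm" search` (the command jerryzhao suggested) against the clicked severity and the clicked time bucket. The data model name `ftnt_fos`, the object `utm` and the field `log.utm.gseverity` are taken from the thread; the panel layout, token names (`drill_severity`), the 5-minute span and the use of the built-in `$earliest$`/`$latest$` drilldown tokens for the clicked time bucket are my choices, not something the thread confirms for this app.

```xml
<dashboard>
  <label>Threat by severity (added drilldown example, not the app's own view)</label>

  <fieldset submitButton="false">
    <input type="time" token="time_token">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

  <row>
    <panel>
      <title>Threat by severity (tstats: summary counts from tsidx, no raw events)</title>
      <chart>
        <search>
          <!-- tstats runs against the accelerated data model, so this panel
               returns statistics only; there are no events behind the bars.
               Model/object/field names come from the thread; span is assumed. -->
          <query>| tstats count from datamodel=ftnt_fos.utm by _time span=5m log.utm.gseverity
| timechart span=5m sum(count) by log.utm.gseverity</query>
          <earliest>$time_token.earliest$</earliest>
          <latest>$time_token.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <drilldown>
          <!-- On a chart split by field, $click.name2$ is the clicked series
               (the severity). For a time-based x-axis, Simple XML also provides
               $earliest$ and $latest$ for the clicked bucket, which avoids
               hand-computing "click.value + 300" as the original link did. -->
          <set token="drill_severity">$click.name2$</set>
          <set token="drill_earliest">$earliest$</set>
          <set token="drill_latest">$latest$</set>
        </drilldown>
      </chart>
    </panel>
  </row>

  <!-- This row only appears once a bar has been clicked. -->
  <row depends="$drill_severity$">
    <panel>
      <title>Raw UTM events, severity=$drill_severity$</title>
      <event>
        <search>
          <!-- Event-level search over the same data model: this one does read
               the events, so the viewer can show them. -->
          <query>| datamodel "ftnt_fos" "utm" search
| search log.utm.gseverity="$drill_severity$"</query>
          <earliest>$drill_earliest$</earliest>
          <latest>$drill_latest$</latest>
        </search>
      </event>
    </panel>
  </row>
</dashboard>
```

Two things worth checking before relying on this in your own environment: run `| datamodel "ftnt_fos" "utm" search | head 5` in the search bar first to confirm the model and the `log.utm.gseverity` field name resolve on your search head, and keep the event search's time window tied to the clicked bucket, otherwise the drilldown will scan the whole dashboard range and lose the speed the tstats panel bought you.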
summitsplunk
Communicator

Thanks for your input. I've modified the drilldown as you suggested; however, I still cannot view the related events from this query.

jerryzhao
Contributor

But what did it print out?

summitsplunk
Communicator

It appears that it added a "critical" column, which is nice. I'm hoping you can see the attached picture below.

https://drive.google.com/file/d/19VPCVdztOH_XNiHV2kXNf8cduj0D5xFA/view?usp=sharing

jerryzhao
Contributor

This is not what the query I gave you should show.
Maybe you are editing the wrong line.
Line 24 should be the line to be replaced with:
/app/SplunkAppForFortinet/search?q=| datamodel "ftnt_fos" "utm" search | search log.utm.gseverity="$click.value$"&earliest=$time_token.earliest$&latest=$time_token.latest$

summitsplunk
Communicator

"So basically, Splunk isn't analyzing regular events to generate the data shown on this screenshot, so it hasn't gathered those events for you to view. "

Thanks for the explanation of tstats. So the more complicated question would be:

How do I get Splunk to analyze the regular events to generate the data shown?

elliotproebstel
Champion

I haven't used the Fortinet app on Splunk, so I'm just making some educated guesses based on the documentation I see on Splunkbase at https://splunkbase.splunk.com/app/2800/#/details

If you followed the default install, it looks like you should be able to find the events that are being used to populate the ftnt_fos data model by searching for sourcetype=fgt_traffic. (I'm basing this guess on step 5 in the documentation, where a screenshot shows a search for this sourcetype.)
