Getting Data In

How to use datamodel field values in tstats to filter resultant data?

DEAD_BEEF
Builder

I'm trying to search my Intrusion Detection datamodel when the src_ip is a specific CIDR to limit the results but can't seem to get the search right. Is this possible?

| tstats count from datamodel=Intrusion_Detection where (nodename IDS_Attacks.src="1.2.3.4/30" OR IDS_Attacks.dest="5.6.7.8/30")
| `drop_dm_object_name("Intrusion_Detection")`
| fields src, dest, dest_port

WORKING QUERY

| tstats count from datamodel=Intrusion_Detection where (nodename = IDS_Attacks (IDS_Attacks.src="1.2.3.4/30" OR IDS_Attacks.dest="5.6.7.8/30")) groupby IDS_Attacks.src, IDS_Attacks.dest, IDS_Attacks.SrcPort, IDS_Attacks.dest_port 
| `drop_dm_object_name("IDS_Attacks")`
0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

It's should be possible to filter using where. Are you getting result for

| tstats count from datamodel=Intrusion_Detection where (IDS_Attacks.src="1.2.3.4/30" OR IDS_Attacks.dest="5.6.7.8/30")

EDIT : Working search from @DEAD_BEEF,

 | tstats count from datamodel=Intrusion_Detection where (nodename = IDS_Attacks (IDS_Attacks.src="1.2.3.4/30" OR IDS_Attacks.dest="5.6.7.8/30")) groupby IDS_Attacks.src, IDS_Attacks.dest, IDS_Attacks.SrcPort, IDS_Attacks.dest_port 
 | `drop_dm_object_name("IDS_Attacks")`
Happy Splunking!

View solution in original post

renjith_nair
SplunkTrust
SplunkTrust

It's should be possible to filter using where. Are you getting result for

| tstats count from datamodel=Intrusion_Detection where (IDS_Attacks.src="1.2.3.4/30" OR IDS_Attacks.dest="5.6.7.8/30")

EDIT : Working search from @DEAD_BEEF,

 | tstats count from datamodel=Intrusion_Detection where (nodename = IDS_Attacks (IDS_Attacks.src="1.2.3.4/30" OR IDS_Attacks.dest="5.6.7.8/30")) groupby IDS_Attacks.src, IDS_Attacks.dest, IDS_Attacks.SrcPort, IDS_Attacks.dest_port 
 | `drop_dm_object_name("IDS_Attacks")`
Happy Splunking!

DEAD_BEEF
Builder

That worked, thanks! Added the working query in the original question for future readers. Re-post it as response so I can accept it please.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...