Solved: How to write a search leveraging tstats, a data mo...

jwalzerpitt · ‎11-01-2022

I am looking to convert this regular search:

index=foo action=blocked `macro` src_zone=foo | timechart count span=1d

over to a search that leverage tstats and the Network Traffic datamodel that shows the count of blocked traffic per day for the past 7 days due to the large volume of network events

| tstats count AS "Count of Blocked Traffic" from datamodel=Network_Traffic where (nodename = All_Traffic.Traffic_By_Action.Blocked_Traffic) All_Traffic.src_zone=foo groupby _time, All_Traffic.src_zone prestats=true

How can I get this search to use timechart?

Thx

richgalloway · ‎11-01-2022

Adding the timechart command should do it.

| tstats count AS "Count of Blocked Traffic" from datamodel=Network_Traffic where (nodename = All_Traffic.Traffic_By_Action.Blocked_Traffic) All_Traffic.src_zone=foo groupby _time span=1d, All_Traffic.src_zone prestats=true
| `drop_dm_object_name("All_Traffic")`
| timechart span=1d count by src_zone

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-01-2022

Adding the timechart command should do it.

| tstats count AS "Count of Blocked Traffic" from datamodel=Network_Traffic where (nodename = All_Traffic.Traffic_By_Action.Blocked_Traffic) All_Traffic.src_zone=foo groupby _time span=1d, All_Traffic.src_zone prestats=true
| `drop_dm_object_name("All_Traffic")`
| timechart span=1d count by src_zone

---
If this reply helps you, Karma would be appreciated.

jwalzerpitt · ‎11-03-2022

@richgalloway

If I wanted to change this search up so it's looking at total traffic events with an overlay of the avg number of blocks, how would I write that query?

I have the following but not getting any results:

| tstats count AS "Total Traffic" from datamodel=Network_Traffic where (nodename = All_Traffic) All_Traffic.src_zone=INTERNET-O groupby _time span=1d, All_Traffic.src_zone, All_Traffic.Traffic_By_Action.Blocked_Traffic prestats=true 
| `drop_dm_object_name("All_Traffic")`
| timechart span=1d count
| stats avg(count) by Traffic_By_Action.Blocked_Traffic

Is the issue that I'm pulling from two different objects in the Network datamodel - All_Traffic and Blocked_Traffic and not referencing the Blocked_Traffic model correctly?

jwalzerpitt · ‎11-03-2022

Mucking around some more and getting closer as I now have this:

| tstats count AS "Total Traffic" from datamodel=Network_Traffic where (nodename = All_Traffic ) OR (nodename = Blocked_Traffic) All_Traffic.src_zone=INTERNET-O groupby _time span=1d, All_Traffic.src_zone, All_Traffic.action, All_Traffic.Traffic_By_Action.Blocked_Traffic prestats=true 
| `drop_dm_object_name("All_Traffic")` 
| timechart span=1d count by action 
| eval "Block Avg" = round('blocked'*100/('allowed'+'blocked'),2)

But two issues:

Timechart now shows bars by action and 'd like to see just the total count of network sessions
The average is basically flatlined as it's at roughly 40% whereas my totals by action are roughly 1.5B

jwalzerpitt · ‎11-01-2022

TYVM Rich!

If I needed to add a macro in the search, where would I place that?

Thx again

richgalloway · ‎11-01-2022

It depends on what the macro does. Start by putting it in the where clause of the tstats command.

---
If this reply helps you, Karma would be appreciated.

How to write a search leveraging tstats, a data model, and timechart?

data model

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?