Security

What's the difference between these two searches

Justin1224
Communicator

These are the two queries:

| tstats count from datamodel=Authentication by _time,Authentication.action span=10m | timechart minspan=10m useother=useother count by Authentication.action | drop_dm_object_name("Authentication")

| tstats count from datamodel=Web by _time,Web.action span=10m | timechart minspan=10m useother=useother count by Web.action | drop_dm_object_name("Web")

So I can see that the only difference between the two is that where "Authentication" is in the first one, "Web" is in its place in the second one.

So the first difference is that they are counting from different data models (Web and Authentication). But how is "Authentication.action" different from "Web.action"?

somesoni2
Revered Legend

Whether Authentication.action and Web.action are the same or different depends on their corresponding data model definitions. They are a field in the data model, and your queries are generating a count for every value of action in a 10 min time bucket. What type of values the action field contains in those two data models totally depends on the data on which the data model was built.

Justin1224
Communicator

Ok, thank you. Also, if it says, Authentication.app, then is it doing the same thing, except now just counting for each unique combination of bucketed time and field app?

somesoni2
Revered Legend

That's correct.

Justin1224
Communicator

Sorry, one last thing. Is this description accurate as to what this search does, disregarding the timechart portion?

| tstats count from datamodel=Authentication where nodename=Authentication.Default_Authentication Authentication.action=success by _time span=1h | timechart minspan=1h count

Translation:
Count the number of times the field "action" equals success from the datamodel named "Authentication" from the node "Default_Authentication". Perform this count for each 1 hour period of time.

somesoni2
Revered Legend

The description looks correct to me.

Justin1224
Communicator

And also, why is there an Authentication.app after the "Authentication.action=success by _time"? What is that doing? Similarly, what is the timechart portion doing with Authentication.app? Isn't the search already counting when action=success? Is it also counting the number of events where app is not null?

| tstats count from datamodel=Authentication where nodename=Authentication.Default_Authentication Authentication.action=success by _time,Authentication.app span=1h | timechart minspan=1h count by Authentication.app | drop_dm_object_name("Authentication")

somesoni2
Revered Legend

Here the count is done for each combination of 1h bucketed _time and values of field Authentication.app.
The timechart command does two things here:
1) The output after tstats will have fields _time, Authentication.app, count. The final output that you want is a timechart (fields _time, value1, value2, ...). So it's converting stats-like output to chartable output (a different series for each value of field Authentication.app).
2) Ensures that the number of results stays within the visualization limit of Splunk (1000 points). So if your search gave more than 1000 records, it would increase the span to keep the number of rows less than 1000. If you get less than 1000 records, the span will still remain the same and you'll get the same number of events after timechart.

somesoni2
Revered Legend

Yes. The where clause basically does the filtering of events, so only the events which have that nodename and action=success will be considered for aggregation.
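An added Python sketch (not Splunk's code and not from this thread) that emulates the two points made in the last two answers: the where clause filters events before aggregation, tstats then counts per (1h bucket, app) combination, and timechart pivots those rows into one series per app and widens the span when the number of buckets exceeds the visualization limit. The sample events, the bare field names (as they read after drop_dm_object_name), and the 1000-point limit are constructed or assumed here.

```python
from collections import Counter
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
# Constructed sample events carrying Authentication data model fields (not real data).
FIELDS = ("_time", "nodename", "action", "app")
EVENTS = [
    ("2024-01-01 00:05", "Authentication.Default_Authentication", "success", "sshd"),
    ("2024-01-01 00:20", "Authentication.Default_Authentication", "success", "win:local"),
    ("2024-01-01 00:40", "Authentication.Default_Authentication", "failure", "sshd"),
    ("2024-01-01 01:10", "Authentication.Default_Authentication", "success", "sshd"),
    ("2024-01-01 01:15", "Authentication.Failed_Authentication", "success", "sshd"),
    ("2024-01-01 01:50", "Authentication.Default_Authentication", "success", "sshd"),
]

def bucket(t, span):
    """Floor a datetime to the start of its span-wide bucket (`by _time span=`)."""
    secs = (t - EPOCH).total_seconds()
    return EPOCH + timedelta(seconds=secs - secs % span.total_seconds())

def tstats_count(events, where, span, by_field):
    """Emulate `tstats count where <where> by _time,<by_field> span=<span>`: the
    where clause filters first, then one row per (time bucket, by_field value)."""
    rows = Counter()
    for raw in events:
        e = dict(zip(FIELDS, raw))
        e["_time"] = datetime.strptime(e["_time"], "%Y-%m-%d %H:%M")
        if all(e[k] == v for k, v in where.items()):
            rows[(bucket(e["_time"], span), e[by_field])] += 1
    return rows  # stats-like output: _time, <by_field>, count

def timechart(rows, span, limit=1000):
    """Pivot stats-like rows into chart rows with one column per series value.
    If there are more time buckets than the limit, double the span until it fits."""
    while len({t for t, _ in rows}) > limit:
        span *= 2
        wider = Counter()
        for (t, v), c in rows.items():
            wider[(bucket(t, span), v)] += c
        rows = wider
    series = sorted({v for _, v in rows})
    chart = [{"_time": t, **{v: rows.get((t, v), 0) for v in series}}
             for t in sorted({t for t, _ in rows})]
    return chart, span

def run_search(limit=1000):
    """The thread's query: where nodename=... action=success by _time,app span=1h."""
    where = {"nodename": "Authentication.Default_Authentication", "action": "success"}
    rows = tstats_count(EVENTS, where, timedelta(hours=1), "app")
    return timechart(rows, timedelta(hours=1), limit)
```

Calling `run_search()` yields two 1h rows (sshd=1, win:local=1 then sshd=2, win:local=0); `run_search(limit=1)` shows the span doubling to 2h so everything lands in one row.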

Justin1224
Communicator

Ohhhhhhhh, I think you just gave me a breakthrough. So everything after where but before by, is a where clause, so it only performs the search when all of those conditions are met. Ok thank you that helps so much.

Justin1224
Communicator

Ok, but what is the action=success doing in that query though? Is the search just doing everything you described but only for events where the value of the field action is success?

cmerriman
Super Champion

The Authentication data model is for login and logout activities:
http://docs.splunk.com/Documentation/CIM/4.5.0/User/Authentication

The Web data model is for web/proxy server data:

http://docs.splunk.com/Documentation/CIM/4.5.0/User/Web
