Security

What's the difference between these two searches

Justin1224
Communicator

These are the two queries:

| tstats count from datamodel=Authentication by _time,Authentication.action span=10m | timechart minspan=10m useother=useother count by Authentication.action | drop_dm_object_name("Authentication")

| tstats count from datamodel=Web by _time,Web.action span=10m | timechart minspan=10m useother=useother count by Web.action | drop_dm_object_name("Web")

So I can see that the only difference between the two is that where "Authentication" is in the first one, "Web" is in its place in the second one.

So The first difference is that they are counting from difference datamodels (Web and Authentication). But how is "Authentication.action" different from "Web.action"?

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Whether Authentication.action and Web.action are same or different depends on the their corresponding data model definition. They are a field in the data model and your queries is generating count for every value of action in 10 min time bucket. What type of values the action field contains in those two data model totally depends on the data on which the data model was build.

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Whether Authentication.action and Web.action are same or different depends on the their corresponding data model definition. They are a field in the data model and your queries is generating count for every value of action in 10 min time bucket. What type of values the action field contains in those two data model totally depends on the data on which the data model was build.

Justin1224
Communicator

Ok, thank you. Also, if it says, Authentication.app, then is it doing the same thing, except now just counting for each unique combination of bucketed time and field app?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

That's correct.

Justin1224
Communicator

Sorry, one last thing. Is this description accurate as to what this search does, disregarding the timechart portion?

| tstats count from datamodel=Authentication where nodename=Authentication.Default_Authentication Authentication.action=success by _time span=1h | timechart minspan=1h count

Translation:
Count the number of times the field "action" equals success from the datamodel named "Authentication" from the node "Default_Authentication". Perform this count for each 1 hour period of time.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The description looks correct to me.

Justin1224
Communicator

And also, why is there an Authentication.app after the "Authentication.action=success by _time"? What is that doing? Similarily, what is the timechart portion doing with Authentication.app? Isn't the search already counting when action=success? Is it also counting the number of events where app is not null?

| tstats count from datamodel=Authentication where nodename=Authentication.Default_Authentication Authentication.action=success by _time,Authentication.app span=1h | timechart minspan=1h count by Authentication.app | drop_dm_object_name("Authentication")

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Here the count is done for combination of 1h bucketed _time and values of field Authentication.app.
The timechart command does two things here
1) The output after tstats will be with fields _time, Authentication.app count. The final output that you want was timechart (fields _time, value1 value2...). So it's converting stats like output to chartable output. (different series for each value of field Authentication.app)
2)Ensures that the number of results stays within the visualization limit of Splunk (1000 points). So if you search gave more than 1000 records, it would increase the span to keep the number of rows less than 1000. If you get less than 1000 records, the span will still remain same and you'll get same number of events after timechart.

somesoni2
SplunkTrust
SplunkTrust

Yes.. The where clause basically does the filtering of events, so only the events which has that nodename and action=success will be considered for aggregation.

Justin1224
Communicator

Ohhhhhhhh, I think you just gave me a breakthrough. So everything after where but before by, is a where clause, so it only performs the search when all of those conditions are met. Ok thank you that helps so much.

0 Karma

Justin1224
Communicator

Ok, but what is the action=success doing in that query though? Is the search just doing everything you described but only for events where the value of the field action is success?

0 Karma

cmerriman
Super Champion

Authentication data model is for login and logout activities
http://docs.splunk.com/Documentation/CIM/4.5.0/User/Authentication

Web data model is for web/proxy server data

http://docs.splunk.com/Documentation/CIM/4.5.0/User/Web

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...