Splunk Enterprise Security

Splunk ES Proxy Log Query Explanation Needed Regarding xswhere and "is above high"

New Member

I cannot find anything in the docs regarding "xswhere" and this "is above high".
Here is the query:
| tstats allow_old_summaries=true count as webeventcount from datamodel=Web by Web.src, Web.http_method | `drop_dm_object_name("Web")` | xswhere webeventcount FROM count_by_http_method_by_src_1d in web by http_method is above high

Any help would be appreciated, thanks.

0 Karma

Splunk Employee

Hi, that's coming from the Extreme Search module: http://docs.splunk.com/Documentation/ES/3.3.0/User/ExtremeSearch