Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise Security: What do certain parts of my correlation search mean?

parsharif
Explorer
‎12-24-2016 10:18 PM

Hello everyone
i've just looking into content management correlation searches' code and I couldn't understand some parts of it!

these are my questions:
what is the difference between tstats and 'tsats'
why do they put some entities into $?

for example: 

| tstats `summariesonly` values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,count from datamodel=Authentication.Authentication where $constraints$ by _time span=$span$

the code above is for "Entity Investigator Search".

and the last question, for now, is what is the meaning of "drop_dm_object_name"??

I surf the net but I couldn't find the best answer or any answers for my questions!

Thank YOU

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

koshyk
Super Champion
‎12-25-2016 08:17 AM
  1. 'tstats' (single tick) is a macro . You can check in macros, the expansion of it within ES app
  2. $xyz$ is for dynamic substitution
  3. drop_dm_object_name is another macro to remove the parent object of CIM datamodels (eg The original field value would be Authentication.src , but if you apply the drop_dm_object_name , then the field becomes src )

View solution in original post

Reply
Solved! Jump to solution
Solution

koshyk
Super Champion
‎12-25-2016 08:17 AM
  1. 'tstats' (single tick) is a macro . You can check in macros, the expansion of it within ES app
  2. $xyz$ is for dynamic substitution
  3. drop_dm_object_name is another macro to remove the parent object of CIM datamodels (eg The original field value would be Authentication.src , but if you apply the drop_dm_object_name , then the field becomes src )
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎12-25-2016 03:15 AM

This particular question is not Splunk enterprise security specific, the `` symbols are macros been used which then substitute to the contents of the macro. The $$ symbols are for substituting variables...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Solved! Jump to solution

parsharif
Explorer
‎12-25-2016 04:56 AM

Thank you @ garethatiag
you mean that for both 'x' and $x$, symbols are for substitution, right?

what about my last question? could you please give me some hints?

With Regards

0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎12-25-2016 07:53 AM

The $variable$ is a token/variable, if this was a dashboard you could refer to Token usage in dashboards
For macros refer to search macros , finally you might want to use the job inspector this will show you the final search result, although it be be tricky to read the search information.

Finally the Splunk ES documentation has information about creating correlation searches , the correlation searches can be quite complicated to understand in ES. I do not have access to an ES instance so I cannot answer all your questions, but do accept the answer if it does answer your question...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution

parsharif
Explorer
‎12-25-2016 10:21 PM

Yes; you helped me a lot. I really appreciate

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...