- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: Splunk Enterprise Security: What do certain pa...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everyone
i've just looking into content management correlation searches' code and I couldn't understand some parts of it!
these are my questions:
what is the difference between tstats and 'tsats'
why do they put some entities into $?
for example:
| tstats `summariesonly` values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,count from datamodel=Authentication.Authentication where $constraints$ by _time span=$span$
the code above is for "Entity Investigator Search".
and the last question, for now, is what is the meaning of "drop_dm_object_name"??
I surf the net but I couldn't find the best answer or any answers for my questions!
Thank YOU
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
'tstats'(single tick) is a macro . You can check in macros, the expansion of it within ES app- $xyz$ is for dynamic substitution
- drop_dm_object_name is another macro to remove the parent object of CIM datamodels (eg The original field value would be
Authentication.src, but if you apply the drop_dm_object_name , then the field becomessrc)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
'tstats'(single tick) is a macro . You can check in macros, the expansion of it within ES app- $xyz$ is for dynamic substitution
- drop_dm_object_name is another macro to remove the parent object of CIM datamodels (eg The original field value would be
Authentication.src, but if you apply the drop_dm_object_name , then the field becomessrc)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This particular question is not Splunk enterprise security specific, the `` symbols are macros been used which then substitute to the contents of the macro. The $$ symbols are for substituting variables...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @ garethatiag
you mean that for both 'x' and $x$, symbols are for substitution, right?
what about my last question? could you please give me some hints?
With Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The $variable$ is a token/variable, if this was a dashboard you could refer to Token usage in dashboards
For macros refer to search macros , finally you might want to use the job inspector this will show you the final search result, although it be be tricky to read the search information.
Finally the Splunk ES documentation has information about creating correlation searches , the correlation searches can be quite complicated to understand in ES. I do not have access to an ES instance so I cannot answer all your questions, but do accept the answer if it does answer your question...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes; you helped me a lot. I really appreciate
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
